NIS2 Directive and Cyber Resilience Act: An Update on Cybersecurity Standards


The European Union (EU) has long recognized the growing need to enhance cybersecurity within its borders, particularly as digitalization accelerates across industries. As part of its ongoing efforts to safeguard the digital economy, the EU has introduced two significant frameworks: the Network and Information Security Directive II (NIS2) and the Cyber Resilience Act (CRA). These frameworks are designed to bolster cybersecurity standards and protect critical sectors from increasing cyber threats.

NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555), which member states were required to transpose into national law by October 17, 2024, is a substantial revision of its predecessor, the original Network and Information Security Directive adopted in 2016. Its primary goal is to extend the scope of the EU's cybersecurity rules to a much broader range of organizations, classified as either essential or important entities, and to raise the baseline level of protection for the services they deliver.

NIS2 covers sectors critical to the EU economy, including banking, healthcare, transport, energy, and digital services such as cloud providers and data centres. In-scope organizations must adopt risk management measures that are proportionate to the risks they face. The key measures include risk analysis and information security policies, incident handling, business continuity and backup management, supply chain security, secure acquisition and development of systems including vulnerability handling, and cyber hygiene and training programmes. The directive also names specific controls: organizations must use multifactor authentication (MFA) or continuous authentication where appropriate, and must have policies on the use of cryptography and, where relevant, encryption to protect sensitive data.

One of the most notable requirements is the staged reporting of significant incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month (or a progress report if the incident is still ongoing). An incident is significant if it has caused, or is capable of causing, severe operational disruption to the services or financial loss for the entity, or if it has affected, or is capable of affecting, other persons by causing considerable material or non-material damage.


Non-compliance with NIS2 can result in heavy fines. Member states must provide for administrative fines of at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities, and at least EUR 10 million or 2% of worldwide annual turnover, whichever is higher, for essential entities. National law may set higher maximums, and the directive also allows authorities to hold members of management bodies personally liable for failures to comply.

The Cyber Resilience Act

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force on December 10, 2024. Its main obligations apply from December 11, 2027, with the manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents applying earlier, from September 11, 2026. The CRA introduces mandatory cybersecurity requirements for the entire lifecycle of "products with digital elements", that is, hardware and software products that can be connected directly or indirectly to a device or network. It places significant responsibility on manufacturers, importers, and distributors of such products, which must meet the regulation's essential requirements before they can be placed on the EU market.

Under the CRA, manufacturers must build security into the design and development of their products and must maintain a vulnerability handling process for the product's support period, including patching and coordinated disclosure. Before a product is placed on the EU market, the manufacturer must carry out a conformity assessment against the essential requirements, prepare technical documentation describing the security measures taken, and issue an EU declaration of conformity. Among other things, products must be delivered without known exploitable vulnerabilities and with a secure-by-default configuration.

Importers must ensure that the products they place on the market meet the CRA's requirements and that the manufacturer has carried out the required conformity assessment, while distributors must verify that the products they make available bear the CE marking, which indicates compliance with the applicable EU rules, before selling them.

Penalties for non-compliance with the CRA can be severe and are tiered by the nature of the violation. Breaches of the essential cybersecurity requirements or of the core manufacturer obligations can be fined up to EUR 15 million or 2.5% of total worldwide annual turnover, whichever is higher; breaches of other obligations up to EUR 10 million or 2%; and supplying incorrect, incomplete or misleading information to authorities up to EUR 5 million or 1%. These penalties are intended to make manufacturers prioritize security and hold them accountable for vulnerabilities in their products that could compromise users.

A Unified Vision for Cybersecurity

While the NIS2 Directive and Cyber Resilience Act operate in slightly different realms, both share common goals of improving cybersecurity in the EU. NIS2 applies primarily to critical infrastructure sectors and essential services, while the CRA targets digital products sold in the market. Despite these differences, the two frameworks are closely aligned in their pursuit of enhancing the overall security posture of the EU’s digital economy.


Both frameworks emphasize security-by-design and security-by-default. They also promote information sharing between stakeholders, from national authorities and CSIRTs to private entities, so that knowledge of threats and vulnerabilities circulates more quickly across the EU.

Moreover, the NIS2 Directive must be transposed into national law by each EU member state, giving them some flexibility in implementation. In contrast, the CRA is a regulation which directly applies across all EU member states without the need for national transposition, ensuring a more uniform application.

Companies should begin by conducting an applicability assessment to determine whether they need to comply with the NIS2 Directive, the CRA, or both. Once the scope of compliance is determined, companies should perform a gap analysis to identify areas where their current cybersecurity practices fall short of the new requirements. This analysis can help organizations create a detailed project plan to implement necessary changes. Ensuring compliance with these frameworks will not only help avoid fines but will also contribute to enhancing the overall cybersecurity resilience of the EU marketplace.


    Telecom Review Europe