The digitalisation of society is advancing relentlessly. There is almost no area left that is unaffected in some way. However, the digital space also poses a security risk. In order to mitigate risks, the EU has introduced or is introducing a wide range of cyber security laws, leaving businesses subject to a difficult and sometimes confusing regulatory framework.
This article provides a brief overview of the central EU regulations concerning cyber security compliance.
NIS2 Directive
Directive (EU) 2022/2555 or the NIS2 Directive (NIS2) standardises new obligations for critical infrastructure entities. NIS2 lays down measures that aim to achieve a high common level of cyber security across the Union. It defines two groups of entities that provide critical services in eighteen sectors in the EU, which are regulated according to size. Essential entities are large enterprises from the Annex I sectors of NIS2 (eg energy, health). Important entities are medium enterprises from all Annex I and Annex II sectors as well as large enterprises from Annex II (eg postal and courier services). What constitutes a medium-sized or large company is determined in accordance with Recommendation 2003/361/EC. Essential and important entities must take cyber security risk management measures. The minimum risk management measures include, for example (the full list of requirements is in Article 21 paragraph 2):
- policies on risk analysis and information system security
- incident handling
- business continuity, such as backup management and disaster recovery, and crisis management
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of cyber security risk management measures.
NIS2 introduces, for the first time, coordinated risk assessments of the security of critical supply chains at Union level. Another key element is compliance with reporting obligations.
NIS2 sets up broad oversight requirements and national authorities to govern entities in member states.
NIS2 had to be implemented into national law by Member States by 17 October 2024.
Cyber Resilience Act
Regulation (EU) 2024/2847 or the Cyber Resilience Act (CRA) creates a horizontal legal framework that regulates comprehensive and cross-sector cyber security for all products with digital elements. It aims to ensure the physical security of the digital products it covers. Obligations are placed on manufacturers, importers and distributors. The CRA distinguishes between three types of products: non-critical products with digital elements, important products, and critical products. Essential requirements apply to all digital products; even stricter requirements apply to important and critical products.
Manufacturers are obliged under Article 6 in conjunction with Article 13 to comply with the essential requirements set out in Annex I to the CRA. Products with digital elements must be designed, developed and produced in such a way that they ensure an appropriate level of cyber security based on the risks. On the basis of a cyber security risk assessment and where applicable, products with digital elements must fulfil several essential cyber security requirements (eg they must be made available on the market without known exploitable vulnerabilities). Manufacturers must document vulnerabilities in accordance with Part II of Annex II of the CRA.
The CRA will apply from 11 December 2027. Article 14 (reporting obligations of manufacturers) will apply from 11 September 2026. Chapter IV (Articles 35 to 51), which contains the provisions on the notification of conformity assessment bodies, will apply from 11 June 2026.
Critical Entities Resilience Directive
Directive (EU) 2022/2557 or the Critical Entities Resilience Directive (CER) regulates the resilience of critical infrastructures in the EU through measures taken by companies and through state supervision. The aim of the CER is to ensure physical security. For this purpose, it requires operators of critical infrastructure to comply with a wide range of measures. Central to the scope of the CER is the concept of a "critical entity". "Critical entity" means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex. Critical entities are identified in accordance with Article 6 CER on the basis of the following criteria:
- the entity provides one or more essential services (the full list of sectors and subsectors is set out in the Annex to the CER)
- the entity operates, and its critical infrastructure is located, on the territory of that Member State, and
- an incident would have significant disruptive effects, as determined in accordance with Article 7 paragraph 1, on the provision by the entity of one or more essential services or on the provision of other essential services in the sectors set out in the Annex that depend on that or those essential services.
Operators of critical entities must identify and assess their risks of failure within nine months of receiving notification that they have been classified as a critical entity. The risk analysis must then be repeated as necessary, but at least every four years. Critical entities must take appropriate and proportionate technical, security and organisational measures to ensure their resilience. This includes a wide range of measures, which are set out in more detail in Article 13 of the CER. This is supported by a strict reporting system.
The CER also sets up broad oversight requirements and national authorities to govern entities in Member States. In this respect, the supervisory authorities in the Member States sometimes perform tasks that may fall under either NIS2 or the CER.
The CER had to be implemented into Member State law by 17 October 2024. Member States must identify critical entities by 17 July 2026.
Digital Operational Resilience Act
Regulation (EU) 2022/2554 or the Digital Operational Resilience Act (DORA) sets out uniform requirements across the EU for establishing and maintaining the digital resilience of financial enterprises. DORA applies specifically to the financial sector. Under Article 2 paragraph 1 DORA, a large number of financial entities are affected, including credit institutions, payment service providers and investment firms, but also certain providers of cryptocurrency services. Special provisions apply to micro, small and medium-sized enterprises, which are not required to comply with all the requirements.
DORA requires in-scope financial companies to comply with a variety of requirements for the security of network and information systems (ICT systems) that support the business processes of financial entities. The financial entities are obliged to set up a risk management system to handle, classify and report ICT-related incidents and to test digital operational resilience. There are also obligations with regard to managing third-party risk.
As a European Regulation, DORA has applied in all Member States since 17 January 2025.
General Data Protection Regulation
Regulation (EU) 2016/679 or the General Data Protection Regulation (GDPR) also sets up compliance requirements relevant to cyber security. Affected entities must take appropriate technical and organisational measures to protect personal data from unauthorised access or loss.
Artificial Intelligence Act
Regulation (EU) 2024/1789 or the Artificial Intelligence Act (AI Act) also sets up specific cyber security requirements for high-risk AI systems. High-risk AI systems must be designed and developed in such a way that they ensure an appropriate level of accuracy, robustness and cyber security throughout their life cycle with regard to their intended purpose.
The AI Act will apply mostly from 2 August 2026. Chapters I (general provisions) and II (prohibited AI practices) have applied since 2 February 2025. Other provisions will apply from 2 August 2027.
What matters for companies now?
The days when cyber security was a niche issue are finally over. Cyber security has become a central component of the compliance requirements of businesses and organisations. This requires the establishment of a large number of new processes. IT risk management systems must be reviewed or implemented, and there are extensive documentation requirements. Even the EU legal acts concerning cyber security that do not directly affect companies, such as the Cyber Security Act or the draft Cyber Solidarity Act, illustrate the complexity of the issue.
An increasing amount of cyber security legislation is also being introduced at national level. In the UK, for example, the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) has applied to the security of certain connected products since April 2024, and in Germany, the Gesetz zur Beschleunigung der Digitalisierung des Gesundheitswesens or Digital Gesetz (Digital Act) should be noted.
In this increasingly complex landscape and given many of these laws are newly in force, proper legal advice is essential to help streamline compliance. Please let us know if we can help.