Understanding the New EU Cybersecurity Landscape and Who Will Be Affected by It: Introducing Nixu’s new compliance whitepaper

Anna Rossi

Senior Privacy Lawyer, GRC & Privacy

January 26, 2024 at 10:00

A wave of cybersecurity regulation is about to hit Europe, and many organizations are still unprepared. To assist your organization along the road to compliance, we have summarized the core elements of the Network and Information Systems Directive (NIS2), the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) and the proposed Cyber Resilience Act (CRA) below.

At the end of this text, you will find a link to our whitepaper, where we dig deeper into the four laws accounted for in this blog post.

The NIS2 directive strengthens cybersecurity across critical sectors

What is it?

In our previous blog posts, we have discussed the required first actions for NIS2 compliance and the role of an effective information security management system (ISMS) and a 24/7 Security Operations Center (SOC) in NIS2 compliance. In short, NIS2 aims to achieve a common high level of cybersecurity across the European Union, and thus it affects a range of sectors, including healthcare, finance and energy.

Who will be affected?

As a main rule, NIS2 applies to medium or large organizations that operate in certain sectors. NIS2 further specifies the kinds of businesses it applies to in each sector. For example, in manufacturing, it covers organizations identified using specific statistical classifications. In addition, NIS2 applies to entities deemed critical under CER (see below). To a certain extent, national legislators may expand the application of NIS2 or exempt certain organizations from it.

What are some of its key implications?

NIS2 includes cybersecurity risk management and deadline-bound incident and threat reporting obligations. The risk management obligations include, for example, ensuring supply chain continuity and maintaining policies and procedures for assessing the effectiveness of the chosen risk management measures.

DORA aims to ensure operational resilience for the financial sector

What is it?

DORA, also known as the NIS2 of the financial sector, sets forth cybersecurity obligations for organizations operating in the financial sector. It includes a set of requirements that are stricter and more detailed than the corresponding NIS2 obligations.

Who will be affected?

DORA applies to a wide range of financial entities, including for example payment institutions, investment firms and insurance intermediaries. In addition, certain parts of DORA apply to financial entities’ critical ICT third-party service providers, and DORA includes separate provisions on contracts with financial entities’ ICT service providers.

What are some of its key implications?

The requirements set forth in DORA build upon existing regulation and guidance by supervisory authorities. Organizations will face requirements relating to ICT risk management, incident classification and reporting, digital operational resilience testing, third-party risk management and information and intelligence sharing.

CER works to fortify the resilience of critical entities

What is it?

CER addresses not only cyber but also other threats, such as terrorist attacks or sabotage. Its aim is to strengthen the resilience of critical infrastructure against such threats.

Who will be affected?

CER applies to entities that are critical due to their essential role in providing services that are crucial for the maintenance of vital societal functions or economic activities. These entities will be identified by EU member states, which will notify the organizations that are in scope.

What are some of its key implications?

Entities included in the CER scope will be obliged to, among other things, regularly conduct risk assessments to identify all kinds of potentially service-disrupting risks, implement appropriate and proportionate technical, security and organisational measures to ensure resilience and notify incidents to authorities.

CRA aims at product cybersecurity

What is it?

The CRA proposal introduces a common set of cybersecurity standards for products with digital elements. It proposes harmonized rules for products with digital components, including their potential remote data processing solution.

Who will be affected?

Unlike the laws introduced above, the CRA applies to products instead of organizations. Most obligations will be imposed on manufacturers of products with digital elements, but importers and distributors of such products will also be affected, as well as other economic operators relating to them. The exact scope of products is, at the time of writing this blog post, not set in stone, but it is expected to be broad. The scope will include devices like smart appliances, hard drives, industrial IoT products and different types of network management tools and systems, among others.

What are some of its key implications?

The proposed CRA introduces standardized security requirements and obliges organizations to perform conformity assessments and ensure the security of products after having put them on the market, among other things.

How should organizations prepare for the upcoming legislation?

The new compliance requirements provide an opportunity for organizations to elevate their cybersecurity practices and gain a competitive advantage. Non-compliant organizations will find it difficult to sell their products and services and might face the risk of sanctions. In the upcoming months, you should assess whether your organization is in scope and what implications being in scope has for your organization. You need to start preparing for the new laws and develop your capabilities to meet the new requirements.

For more information on the laws accounted for above, including details on who is in scope and what that means, as well as relevant deadlines, download our whitepaper: European Cybersecurity Laws and Compliance