The NIS2 Directive and Cyber Resilience Act (CRA) Explained

How will the NIS2 Directive and the Cyber Resilience Act (CRA) impact your organization?

The EU is making significant progress in addressing cybersecurity concerns through the implementation of the cybersecurity strategy published by the European Commission in 2020. Among the legislative initiatives proposed or enforced, the Network and Information Security (NIS2) directive and the Cyber Resilience Act (CRA) hold particular importance for entrepreneurs and organizations operating in the EU. These initiatives aim to strengthen cybersecurity practices and enhance resilience across sectors. In this longread, Toreonites Maxim Baele and Leander Karuranga dive into the intricacies of the EU’s latest cybersecurity initiatives.

The NIS2 directive primarily targets organizations in critical infrastructure and essential services sectors. It ensures a higher level of cybersecurity by introducing obligations for these organizations to protect their networks and systems, establish governance structures, comply with breach reporting requirements, and monitor supply chains for cybersecurity risks.

Where NIS2 focuses on enhancing the security posture of companies themselves, the CRA requires companies to prioritize the security of the products they manufacture or sell.

The CRA’s primary objective is to address the issue of inadequate cybersecurity measures in a wide range of products available in the EU market. As a secondary objective, the CRA aims to provide consumers and organizations with a clear understanding of the level of cyber protection offered by products prior to purchase and guidelines for configuring products securely post-purchase.

To achieve this, the CRA establishes a comprehensive framework for cybersecurity requirements across “products with digital elements.” It defines cybersecurity obligations for various hardware and software products, including IoT and smart appliances, games, operating systems, and more. The CRA mandates security assessments, vulnerability handling procedures, and communication of security-relevant information to users. Additionally, organizations must provide timely security updates throughout the expected product lifecycle.

How the NIS2 directive and Cyber Resilience Act will affect cybersecurity in Europe

The Center of Cybersecurity in Belgium published an overview of the criteria that determine whether your organization is affected by NIS2. There you can check, and anticipate, which NIS2 level applies to your organization. The regulation targets organizations that reach a certain size and belong to critical or highly critical sectors, exempting small and medium enterprises. Even though the list of organizations directly affected by NIS2 is limited, we foresee a ripple effect on organizations in their extended supply chain: suppliers will be met with increased scrutiny and assurance requirements from organizations that fall directly under NIS2. As a secondary ripple effect, this will raise the bar for security assurance across industries, providing a competitive advantage for companies that already have a mature security program.

While NIS2 will realize its biggest impact through the ripple effect, the CRA will directly affect a wide range of companies. As of the time of writing, the proposal encompasses software and hardware connected to the Internet, related software required for the operation of connected products, and components intended for integration into such products. The regulation applies to products placed on the European market, regardless of their place of manufacture, covering the entire supply chain, including importers and distributors. Only products already covered by industry-specific regulations, such as medical devices or automotive technologies, are exempt.

The proposed classification scheme categorizes products as non-critical or critical based on perceived risk levels. The non-critical category covers approximately 90% of products with digital elements, including hard drives, smart home assistants, and connected toys. Manufacturers in this category must conduct self-assessments to ensure their products meet the CRA’s security requirements. The critical products category is further divided into lower-risk class I products (e.g., routers, virtual private networks) and higher-risk class II products (e.g., operating systems or smart meters). Class I products may require additional standards or certification schemes but could still be self-assessed in some cases. Class II products will undergo assessments conducted by independent third parties known as Conformity Assessment Bodies (CABs).

What if you're not compliant?

Under the NIS2 directive, violations can result in administrative fines of up to €10M or at least 2% of the total annual worldwide turnover for “essential” companies, and €7M or at least 1.4% for “important” entities.

Regarding the CRA, non-compliance with the “essential cybersecurity requirements” can lead to fines of up to €15M or 2.5% of worldwide annual turnover. Other breaches of regulatory obligations carry a maximum sanction of €10M or 2% of turnover. The NIS2 directive came into effect in January 2023 and must be incorporated into national law by October 2024. The CRA is currently under development and is expected to enter into force in 2024, with its measures becoming effective in 2025-2026.

How to prepare your organization

We recommend companies familiarize themselves with the scope of both NIS2 and the CRA to determine applicability and understand the specific requirements and obligations that will be imposed.

Contact industry associations or networks for valuable resources and insights on regulatory developments, compliance best practices, and industry standards. As the CRA is still in development, many industry associations are publishing position papers and addressing any issues they identify with the proposal.

Seek advice from legal professionals specializing in cybersecurity and data protection regulations. They can provide expert guidance on the regulations’ applicability to your business and help you understand the implications and requirements.

Conduct an internal assessment of your cybersecurity practices, product security, and compliance measures. Evaluate your current cybersecurity measures, identify gaps or areas for improvement, and align your practices with the imposed requirements, even if you are not directly impacted.

How Toreon can help

With our portfolio of products and a proven track record in helping organizations of all sizes with their information security and product security assurance programs, we can help you navigate these regulations. Our experts are here to guide you along the way.