TL;DR
European cybersecurity regulations like NIS2, CRA, and DORA are being introduced to strengthen defenses in the digital world. NIS2 broadens the scope of critical sectors, the CRA focuses on securing digital products from design, and DORA enhances the operational resilience of the financial sector.
With new regulations like the Digital Operational Resilience Act (DORA), the revised Network and Information Systems Directive (NIS2), and the proposed Cyber Resilience Act (CRA), Europe continues to strengthen its cybersecurity frameworks. Understanding these regulations is crucial for cybersecurity professionals and leaders to ensure compliance and protect their organizations from emerging threats.
A Decade of Evolution in European Cybersecurity Regulations
Over the past ten years, the digital world has seen exponential growth, bringing new opportunities and, unfortunately, new vulnerabilities. In response, the European Union has continuously adapted its regulatory frameworks to better protect critical infrastructures and maintain public trust in digital services. These efforts have culminated in the introduction and revision of several key legislations, including NIS2, CRA, and DORA, each addressing specific aspects of cybersecurity and operational resilience.
NIS2 Directive
The original Network and Information Systems (NIS) Directive was the first piece of EU-wide legislation on cybersecurity and was adopted in 2016. Its primary focus was to boost the overall level of cybersecurity across the EU. However, with the rapid technological advancements and increasing cyber threats, the EU saw a need to revise this directive.
What is NIS2?
NIS2 is an update to the original NIS directive that significantly broadens its scope and adds more stringent requirements for companies in critical sectors, like energy, transport, banking, healthcare, and digital service providers.
Key Requirements of NIS2
- Implement risk management practices that cover both security and business continuity.
- Notify national authorities immediately about any significant cyber incidents.
- Secure network and information systems, including those managed by third-party suppliers.
- Ensure basic security elements such as system integrity, data confidentiality, and availability are in place.
- Enhance cooperation and information sharing between EU member states to bolster collective cybersecurity resilience.
Current Status and Implementation of NIS2
NIS2 was adopted by the European Parliament in 2022, and member states are currently transposing it into national law, with full implementation expected across the EU by 2024.
EU Cyber Resilience Act (CRA)
What Is the EU Cyber Resilience Act?
The EU Cyber Resilience Act (CRA) is a new regulation by the European Commission aimed at strengthening the cybersecurity of products with digital elements as part of the European Union's strategy to secure the interconnected digital environment.
The CRA seeks to ensure that both hardware and software products are secure from the design stage throughout their entire lifecycle. Its primary purpose is to enhance the security of connected devices and critical software, which are increasingly integral to daily life. This encompasses a wide array of products including smartphones, smart appliances, and other devices that incorporate connectivity-enabling software.
Key Requirements of the EU CRA
- Integrate security features right from the design phase for products with digital elements.
- Conduct regular scans to identify and remediate vulnerabilities throughout the product's lifecycle.
- Provide mandatory updates regularly to address security vulnerabilities for a defined period after the product's release.
- Assess product compliance with CRA requirements before market release, which may include third-party testing.
- Document efforts towards compliance and report significant cyber incidents to authorities.
Current Status of the EU CRA
On March 12, 2024, the European Parliament approved the CRA. Following its formal adoption by the Council, it will be published in the Official Journal of the European Union and will take effect 20 days after publication. The majority of the CRA provisions will become applicable within 36 months from this effective date.
Digital Operational Resilience Act (DORA)
What is DORA?
DORA is a regulation specifically targeting the financial sector to enhance the operational resilience of financial entities against ICT (Information and Communication Technology) disruptions and threats. It sets out requirements to ensure these entities can withstand, respond to, and recover from ICT-related disruptions. DORA is a key component of the EU's strategy to strengthen financial sector stability by improving ICT risk management, enhancing incident reporting controls, and establishing robust resilience testing.
Who Does DORA Apply To?
DORA applies to a broad range of entities within the financial sector, including banks, financial institutions, critical suppliers to the financial sector, and IT service providers.
Key Requirements of DORA
- Establish a comprehensive ICT risk management framework and review and test it regularly.
- Report significant cyber incidents to regulatory authorities promptly.
- Test systems regularly to ensure they can withstand cyber incidents and continue to operate effectively.
- Manage and mitigate risks associated with outsourcing and third-party service providers.
- Promote information sharing about ICT-related incidents and threats within the financial sector to improve defenses.
Current Status of DORA
Adopted in December 2022, DORA is set to be fully applicable by January 2025, giving financial entities sufficient time to comply with its comprehensive requirements.
Conclusion
For cybersecurity professionals and leaders in Europe and beyond, understanding and preparing for the implementation of NIS2, CRA, and DORA is more than a regulatory requirement—it's a strategic imperative. Each regulation brings specific mandates and broad implications, emphasizing the need for an integrated approach to cybersecurity and operational resilience.
Stay ahead of the curve by keeping up-to-date with the latest developments in European cybersecurity regulations. Sign up for our monthly Insights newsletter today.
About ArmorPoint
ArmorPoint, LLC is a managed cybersecurity solution that combines the three pillars of a robust cybersecurity program — people, processes, and technology — into a single solution. Designed by cybersecurity experts, ArmorPoint’s cloud-hosted SIEM technology and extended detection and response capabilities enable businesses to implement a highly effective, scalable cybersecurity program. With customizable pricing available, every ArmorPoint plan offers a dynamic level of managed security services that support the risk management initiatives of all companies, regardless of available budget, talent, or time. ArmorPoint is developed and powered by Trapp Technology, Inc., a Phoenix-based IT managed services provider. To learn more about ArmorPoint, visit armorpoint.com.