As part of its overarching Cybersecurity Strategy, the EU has rolled out two significant frameworks to promote and strengthen cybersecurity standards within the EU marketplace: the Network and Information Security Directive II and the Cyber Resilience Act.

According to the European Commission, the CRA is intended to complement the NIS2 cybersecurity framework and is part of a broader "series of comprehensive measures" being deployed in the EU to enhance cybersecurity standards.

The NIS2 Directive

As of 17 Oct. 2024, EU countries are required to transpose new rules established under the NIS2 Directive. For context, the NIS2 Directive revises and replaces the Network and Information Security Directive, which was adopted in 2016. The original NIS Directive created a set of common security and reporting obligations for operators of essential services and digital service providers in sectors such as banking, finance and digital platforms.

The newly established NIS2 Directive applies to a broader range of organizations operating in the EU marketplace, including essential and important organizations providing specific services. Organizations impacted by the directive include those deemed to be critical to the EU economy and active in such areas as digital services — including cloud services and data center providers — airlines, banks and medical device manufacturers.

Organizations that fall under its jurisdiction are required to implement an array of cybersecurity risk management measures, including the adoption of various policies — for example, incident response protocol, risk analysis and information system security procedures — routine cybersecurity training, implementation of a backup management and disaster recovery process, and the deployment of encryption and multifactor authentication, when appropriate and necessary.

In addition, covered organizations are required to notify their designated cybersecurity incident response teams of significant cybersecurity incidents within 24 hours of becoming aware of them.

Under the NIS2 Directive, a significant incident refers to any cyber-related event that causes, or has the potential to cause, severe operational disruption of the service or financial losses for the company concerned. In addition, an incident affecting, or having the potential to affect, other natural or legal persons by causing considerable material or nonmaterial losses is deemed to be significant under the directive.

Failure to comply with the NIS2 Directive can result in significant fines and penalties, the scope of which varies between essential and important entities. For important entities, member states are authorized to impose financial penalties on noncompliant organizations of up to either 7 million euros or 1.4% of annual global revenue, whichever amount is higher. For essential entities, noncompliance can result in penalties of up to either 10 million euros or 2% of global yearly revenue, whichever is higher.

The EU Cyber Resilience Act

The EU's Cyber Resilience Act, which goes into full effect in December 2027, imposes mandatory cybersecurity requirements for manufacturers, importers and distributors of "products with digital elements," or PDEs, defined to include software or hardware products and associated remote data processing solutions.

Manufacturers of PDEs will be subject to a litany of security requirements covering the entire life cycle of a digital product. For example, according to Articles 13 and 14 of the CRA, PDE manufacturers must establish and implement cybersecurity standards at the product development stage and perform CRA conformity assessments before the PDE can be made available to the EU marketplace.

In addition, PDE manufacturers must develop required documentation, including technical documentation as well as information and instructions for users. PDE manufacturers must also implement protocols to ensure their products are delivered without any known exploitable vulnerabilities and with a secure-by-default configuration.

Importers of PDEs will be obligated to ensure covered digital products comply with the CRA's cybersecurity requirements and vulnerability handling processes. Importers also must verify that PDE manufacturers have satisfied the CRA's compliance requirements, such as the performance of a conformity assessment or the existence of adequate technical documentation.

PDE distributors will be required to verify that digital products feature the "CE" marking before the product can be made available to the EU market, according to Article 20(2)(a) of the CRA.

As with the NIS2 Directive, penalties for noncompliance with the CRA can be significant and are expected to vary based on the nature of the alleged violation. For example, if an organization is found to be noncompliant with the CRA's essential cybersecurity requirements, manufacturers' obligations and/or reporting obligations, then a member state could levy a fine of up to 15 million euros or up to 2.5% of global revenue, whichever is higher. Failure to comply with other provisions of the CRA could result in a fine of up to 10 million euros or up to 2% of global revenue, whichever is higher.

Interplay between NIS2 and the EU CRA

With the NIS2 Directive in effect and the CRA going into full effect in just a few years, it is important for organizations manufacturing or delivering digital products in the EU marketplace to assess their compliance obligations and effectively navigate the new cybersecurity standards and obligations set forth under both frameworks. As discussed, both the NIS2 Directive and CRA carry significant potential penalties if an organization is found to be in violation, so developing an effective compliance strategy is important.

For context, the NIS2 Directive and the CRA share common objectives and principles. They both require covered organizations to implement protocols and procedures to help enhance overall cybersecurity in the EU. Both frameworks require organizations to adopt secure by design and secure by default as governing standards. Both frameworks also promote information sharing among key stakeholders at national and EU levels — authorities, entities, manufacturers and retailers, for example.

Despite many similarities, there are notable distinctions between the NIS2 Directive and the CRA. For example, the NIS2 Directive is focused on cybersecurity standards for network and information systems used for essential and important services in specific sectors of the EU economy. In contrast, the CRA is more focused on cybersecurity standards for manufacturers, importers and distributors of digital products and software made available on the open market.

The NIS2 Directive sets forth risk management measures and incident reporting for essential and important organizations operating in specific sectors of the EU marketplace, while the CRA establishes compliance requirements for the developers of digital products through mandatory cybersecurity risk assessments, security updates, CE markings and other measures.

It is also important to note that the NIS2 Directive must be transposed into national law by member states, while the CRA is a regulation that applies directly across the EU. These differences in scope and implementation are relevant factors for organizations seeking to develop an effective compliance program for one, or both, of these frameworks.

Compliance with NIS2 and CRA

Organizations active in the EU marketplace that are involved in the production and distribution of hardware or software products will be impacted by the requirements imposed by the CRA, the NIS2 Directive or both. As a result, organizations should consider taking proactive steps to strengthen their compliance posture with both cybersecurity frameworks.

For example, organizations should consider conducting an applicability assessment to determine whether they need to comply with one or both frameworks. This assessment should include creating an inventory and classification protocol for products to help determine which products trigger compliance obligations under these cybersecurity frameworks.

Following an applicability assessment, organizations should conduct a gap analysis to help identify what protocols and procedures need to be established or enhanced to meet the new security standards set forth in the NIS2 Directive and/or CRA.

After a gap analysis is completed, organizations should consider creating an in-depth project plan to govern the development and implementation of new compliance protocols. If feasible, compliance with the NIS2 Directive and CRA should be integrated into existing product conformity assessment procedures.

Organizations should also consider their particular circumstances and product offerings to further refine what steps will be needed to strengthen their compliance with the NIS2 Directive and/or CRA.

Patrick Austin, CIPP/E, CIPP/US, CIPM, FIP, PLS, is an attorney in the cybersecurity and data privacy practice group of Woods Rogers.