Two important pieces of EU legislation aim to enhance the cybersecurity of products and services in the digital single market: the NIS2 Directive and the Cyber Resilience Act (CRA). Both aim to achieve a high common level of cybersecurity across the EU by imposing security requirements on various entities and on products with digital elements.
NIS2 Directive
The NIS2 Directive revises and replaces its predecessor Network and Information Systems (NIS) Directive, which was adopted in 2016 as the first EU-wide cybersecurity law. The NIS Directive established a set of common security and reporting obligations for operators of essential services (OES) and digital service providers (DSPs) in sectors such as energy, transport, health, banking, finance, and online platforms. The NIS Directive also created a cooperation mechanism among Member States to exchange information and best practices on cybersecurity incidents and risks.
The NIS2 Directive aims to address some of the shortcomings and limitations of the NIS Directive, such as the lack of harmonization, consistency, and enforcement across Member States; the insufficient coverage of sectors and entities that are critical for the economy and society; the low level of cybersecurity capabilities and preparedness among Member States; and the insufficient information sharing and cooperation at the EU level.
Some of the main changes introduced by the NIS2 Directive are:
Expanding the scope of sectors and entities that are subject to security and reporting obligations, including public administrations, postal and courier services, waste management, chemicals, food, manufacturing, digital infrastructure providers, cloud computing services, social networks, online marketplaces, online search engines, etc. For example, under the NIS2 Directive, a public administration that provides online services to citizens or businesses would have to ensure that its network and information systems are secure and resilient against cyberattacks and report any significant or substantial incident that affects its service delivery.
Introducing a harmonized framework for identifying entities that provide essential or important services based on common criteria such as their dependency on network and information systems, their impact on public safety or economic security, their cross-border dimension, etc. For example, under the NIS2 Directive, an online marketplace that operates in several Member States and has a large number of users would be considered as providing an important service and would have to comply with higher security requirements than a smaller or more local online platform.
Increasing the level of security requirements for entities that provide essential or important services, based on a risk-based approach and taking into account relevant standards and guidelines. For example, under the NIS2 Directive, an energy provider that operates critical infrastructure would have to implement state-of-the-art security measures to protect its network and information systems from cyber threats, such as encryption, authentication, backup systems, etc.
Enhancing the reporting obligations for entities that provide essential or important services, requiring them to notify competent authorities or CSIRTs (Computer Security Incident Response Teams) of any incident that has a significant or substantial impact on the continuity or provision of their services. For example, under the NIS2 Directive, a transport operator that suffers a cyberattack that disrupts its operations or endangers its passengers would have to inform the relevant authorities or CSIRTs as soon as possible and provide them with relevant information about the incident.
Strengthening the enforcement and sanctions regime for non-compliance with security and reporting obligations, ensuring that Member States impose effective, proportionate, and dissuasive penalties. For example, under the NIS2 Directive, a health provider that fails to secure its network and information systems, or fails to report a serious incident that affects its patients, could face fines or other sanctions imposed by national authorities.
Improving the cybersecurity capabilities and preparedness of Member States, requiring them to adopt national cybersecurity strategies and designate national competent authorities, single points of contact, and CSIRTs with adequate resources and powers. For example, under the NIS2 Directive, each Member State would have to develop a strategic vision and objectives for enhancing its cybersecurity resilience; appoint a national authority responsible for overseeing the implementation of the directive; designate a single point of contact to facilitate cross-border cooperation; and establish a CSIRT to handle incidents and provide support to affected entities.
Increasing the information sharing and cooperation at the EU level, establishing a Cooperation Group to support strategic cooperation and policy coordination among Member States; a network of CSIRTs to facilitate operational cooperation and information exchange; an EU-wide crisis management framework to address large-scale cross-border incidents; and an information-sharing platform to enable secure and timely exchange of information among Member States. For example, under the NIS2 Directive, Member States would have to cooperate with each other through regular meetings of the Cooperation Group; share information about incidents and risks through a network of CSIRTs; participate in joint exercises and simulations to test their readiness for crisis situations; and use an online platform to exchange data on threats, vulnerabilities, incidents, etc.
Cyber Resilience Act
The Cyber Resilience Act (CRA) is a proposed regulation that introduces horizontal cybersecurity requirements for products with digital elements placed on the EU market. The CRA covers a wide range of hardware and software products such as smart speakers, games, operating systems, routers, cameras, etc. The CRA aims to address some of the main challenges related to product cybersecurity in the EU market, such as:
The low level of cybersecurity of products with digital elements, which often suffer from widespread vulnerabilities and insufficient or inconsistent provision of security updates. For example, many products with digital elements are shipped with default or weak passwords, outdated software versions, or unpatched security flaws that make them easy targets for hackers. Moreover, many manufacturers or service providers do not provide regular or timely security updates to fix known vulnerabilities or address new threats, leaving users exposed to cyber risks.
The lack of transparency and information for users about the cybersecurity properties of products with digital elements, which prevents them from making informed choices or using them in a secure manner. For example, many users are unaware of the security features or limitations of the products they buy or use, such as the duration of security updates, the data protection measures, the vulnerability disclosure policy, etc. Moreover, many users do not know how to configure or update their products to ensure their optimal security level, or how to react in case of a security incident.
The fragmentation and inconsistency of national rules and initiatives on product cybersecurity, which create legal uncertainty and barriers for manufacturers and service providers. For example, different Member States may have different requirements or standards for product cybersecurity, or different certification schemes or labels to indicate the security level of products. This may create confusion for users and difficulties for manufacturers and service providers to comply with multiple and diverging rules across the EU market.
Some of the main features of the CRA are:
Establishing a common set of cybersecurity requirements for products with digital elements based on a risk-based approach. The requirements include:
ensuring that products are designed with security by default;
providing security updates for a reasonable period;
implementing measures to prevent unauthorized access or tampering;
ensuring data protection by design;
providing clear information about product security features;
notifying users about known vulnerabilities; etc.
For example, under the CRA, a smart speaker that has a microphone and a camera would have to be designed with security features such as encryption, authentication, firewall, etc.; receive security updates for at least five years; prevent unauthorized access or modification by third parties; protect the personal data collected by the device; inform users about the security features and how to use them; alert users about any detected vulnerability and how to fix it; etc.
Creating an EU cybersecurity certification scheme for products with digital elements based on existing standards and best practices. The scheme will provide different levels of assurance depending on the risk profile of products. The scheme will be voluntary but may become mandatory for certain categories of products in the future. For example, under the CRA, a router that connects multiple devices to the internet would be eligible for certification under the EU scheme. Depending on its risk level, it could obtain a basic, substantial or high level of assurance that indicates its compliance with the relevant cybersecurity requirements. The certification would be valid for a certain period and subject to regular audits and reviews.
Introducing an EU cybersecurity label for products with digital elements that have been certified under the EU scheme. The label will indicate the level of assurance (basic, substantial or high) as well as other relevant information such as security updates duration or data protection features. The label will help users identify products with adequate cybersecurity properties and use them in a secure manner. For example, under the CRA, a game that runs on a computer or a console would display an EU cybersecurity label if it has been certified under the EU scheme. The label would show the level of assurance (e.g., basic) as well as other information (e.g., security updates for two years). The label would help users choose a game that meets their security expectations and use it safely.
Strengthening market surveillance and enforcement mechanisms to ensure compliance with cybersecurity requirements. The CRA will amend the existing Regulation (EU) 2019/1020 on market surveillance and compliance of products to empower market surveillance authorities to check the cybersecurity of products with digital elements and take appropriate measures in case of non-compliance. The CRA will also establish a network of national cybersecurity authorities to coordinate and cooperate on product cybersecurity issues. For example, under the CRA, market surveillance authorities would have the power to inspect products with digital elements that are sold or used in their territory and verify their compliance with the cybersecurity requirements. If they find any non-compliance, they could take measures such as ordering corrective actions, imposing fines, withdrawing products from the market, etc. They would also cooperate with other authorities through a network to exchange information and coordinate actions.
Summary
Both the NIS2 Directive and the Cyber Resilience Act share some common objectives and principles. They both aim to:
Increase the level of cybersecurity and cyber resilience in the EU by ensuring that entities and products with digital elements are secure by design and by default.
Protect consumers and businesses from cyber threats that could disrupt society or the economy, undermine security, or endanger lives.
Harmonize the rules and standards across the EU to create a level playing field and avoid fragmentation in the internal market.
Promote cooperation and information sharing among stakeholders at national and EU levels, including authorities, entities, manufacturers, retailers, users, and experts.
Foster innovation and competitiveness in the digital sector by creating trust and confidence in digital products and services.
| | NIS 2 Directive | Cyber Resilience Act (CRA) |
| --- | --- | --- |
| Scope | Critical infrastructure | IoT, OT, smart devices and applications |
| Applicability | ICT organizations, supporting organizations | Manufacturers, licensors, distributors, importers |
| Impact | EU and Member States | Data subjects in the EU |
| Exceptions | No such exceptions | |
| Enforcement | Member States translate the directive into legislation by October 18, 2024 | Proposed regulation; when passed, it will be enforced at EU level |
| Effective Date | October 18, 2024 | 36 months from the day the Act enters into force |
| Reporting Obligations | CSIRTs in each Member State, with representation in the Cooperation Group at EU level | CSIRTs and market surveillance authorities |
| Approach | Risk-based approach capturing risks to EU critical infrastructure | Risk-based approach capturing cybersecurity risks within hardware and software impacting EU data subjects |
The main differences between the NIS2 Directive and the Cyber Resilience Act are:
The NIS2 Directive covers network and information systems used to provide essential and important services in key sectors, while the Cyber Resilience Act covers products and software with digital elements placed on the market.
The NIS2 Directive imposes obligations on service providers, while the Cyber Resilience Act imposes obligations on manufacturers and retailers.
The NIS2 Directive requires risk management measures, incident reporting, cooperation and supervision, while the Cyber Resilience Act requires cyber risk assessments, security updates, CE marking and external audits.
The NIS2 Directive is a directive that needs to be transposed into national law by Member States, while the Cyber Resilience Act is a regulation that is directly applicable across the EU.
Conclusion
The NIS2 Directive and the CRA are complementary initiatives that aim to enhance the cybersecurity of products and services in the EU market. While the NIS2 Directive focuses on the security and resilience of networks and systems used by entities that provide essential or important services, the CRA focuses on the security and certification of products with digital elements placed on the market. Both proposals are part of the EU's cybersecurity strategy and complement other directives and laws, such as the Critical Entity Resilience (CER) directive, which covers the physical security of critical infrastructures, or the General Data Protection Regulation (GDPR), which covers the protection of personal data.
The NIS2 Directive and the CRA are currently under negotiation by the European Parliament and the Council of the EU. Once adopted, they will have a significant impact on the cybersecurity landscape in the EU and beyond. Therefore, it is important for stakeholders to follow their developments and prepare for their implementation.
The CRA and NIS2 regulations affect almost every organization that operates in the EU or handles EU data. If you need to comply with one or more of these regulations, get in touch with us to find out how we can help you achieve compliance.