NIS2 and the Cyber Resilience Act (CRA) [The Industrial Security Podcast]
53m 55s

Quick Summary

Key Points

  • NIS2 is an EU directive focusing on cybersecurity for entities in critical sectors, requiring member states to transpose it into national laws, leading to a mix of implementations with varying additional obligations.
  • The Cyber Resilience Act (CRA) is an EU regulation targeting cybersecurity for products with digital elements, imposing obligations on manufacturers, importers, and distributors globally if selling in the EU market.
  • Incident reporting under NIS2 requires notifying national authorities of severe security incidents, with reports generally not public, though companies must also inform affected consumers; compliance is encouraged to avoid high sanctions.
  • Implementation of NIS2 across EU member states is inconsistent, with some countries adding sectors like culture (Italy) or education (France), creating challenges for multinational companies to navigate different national laws.
  • The CRA is considered a strict, globally impactful regulation similar to GDPR, potentially setting a worldwide standard for product cybersecurity, though it excludes products like automobiles that are covered by other sector-specific safety laws.

Summary

The discussion centers on two major EU cybersecurity regulations: the NIS2 Directive and the Cyber Resilience Act (CRA). NIS2, enacted in January 2023, mandates that EU member states transpose its cybersecurity requirements for entities in critical sectors into national law by October 2024. However, implementation is uneven, with only 10 countries fully transposing it as of the recording, while others are in draft stages or lagging, prompting infringement proceedings by the EU Commission. This has resulted in a fragmented regulatory landscape, where countries like Italy and France have expanded scope to include additional sectors such as culture and education, respectively, creating compliance challenges for international companies that must navigate varying national laws and reporting portals.

NIS2 requires entities to report severe security incidents to national authorities, with reports typically not made public, though companies may also need to inform consumers. The goal is to foster cooperation between authorities and businesses, with high sanctions incentivizing compliance. In contrast, the CRA focuses on products with digital elements, imposing cybersecurity obligations on manufacturers, importers, and distributors globally if their products are sold in the EU. As an EU regulation, it applies directly across member states without need for national transposition. While excluding products like automobiles covered by other safety laws, the CRA is seen as a stringent, GDPR-like regulation that may set a global benchmark for product cybersecurity due to its broad extraterritorial impact. Both frameworks aim to strengthen EU cybersecurity, but their differing approaches—NIS2 for entities and CRA for products—highlight the complexity of regulatory compliance in the digital age.