{"id":7551,"date":"2024-12-12T10:00:00","date_gmt":"2024-12-12T10:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-5123\/"},"modified":"2026-04-04T18:18:26","modified_gmt":"2026-04-04T18:18:26","slug":"cybersecurity-regulation-in-europe-nis2-dora-cra-and-ai-act-overview","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2024\/12\/12\/cybersecurity-regulation-in-europe-nis2-dora-cra-and-ai-act-overview\/","title":{"rendered":"Cybersecurity Regulation in Europe: NIS2, DORA, CRA, and AI Act Overview"},"content":{"rendered":"<p><strong>The EU has enacted more cybersecurity regulations in the past three years than in the previous twenty. NIS2, DORA, the Cyber Resilience Act, and the AI Act form a regulatory web that affects virtually every digital company in Europe. The overview that decision-makers need  &#8211;  without legal jargon.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li>NIS2: Cross-industry cybersecurity obligations for 18 sectors<\/li>\n<li>DORA: Specific IT resilience requirements for the financial sector<\/li>\n<li>CRA: Product security for all digital products (hardware and software)<\/li>\n<li>AI Act: Risk-based regulation of AI systems  &#8211;  with security implications<\/li>\n<\/ul>\n<h2>NIS2: The Broad Regulation<\/h2>\n<p>NIS2 is the foundation: 18 sectors, an estimated 30,000+ companies in Germany. Core obligations: risk management, incident response, supply-chain security, and executive liability. For most companies, NIS2 is their first encounter with binding cybersecurity requirements.<\/p>\n<p>Who\u2019s affected: Medium and large companies in energy, transport, health, water, digital services, manufacturing, chemicals, food, postal services, waste management, aerospace, and public administration. 
Even companies below the size thresholds may fall under NIS2 via the supply-chain clause.<\/p>\n<h2>DORA: Financial Sector in Focus<\/h2>\n<p>DORA took effect in January 2025 and targets the financial sector specifically: banks, insurers, securities firms, payment service providers  &#8211;  and, for the first time, their critical ICT third-party providers. DORA goes further than NIS2: it mandates threat-led penetration testing (TLPT), grants regulators direct oversight of cloud providers, and imposes granular incident reporting duties.<\/p>\n<p>For financial institutions: DORA acts as <em>lex specialis<\/em> to NIS2  &#8211;  not a replacement, but a sector-specific enhancement. Both frameworks apply concurrently and must be implemented in parallel.<\/p>\n<h2>Cyber Resilience Act: Product Security<\/h2>\n<p>Starting in 2027, the CRA will require manufacturers of digital products  &#8211;  from IoT devices and software to cloud services  &#8211;  to embed security by design, provide software bills of materials (SBOMs), manage vulnerabilities across the full product lifecycle, and report actively exploited vulnerabilities.<\/p>\n<p>The CRA applies to any company selling software or digital products in the EU. Open-source software is exempt  &#8211;  unless distributed commercially. 
For German software SMEs and IoT hardware makers, the CRA represents the single most impactful regulation on their horizon.<\/p>\n<h2>AI Act and Security<\/h2>\n<p>The AI Act primarily governs AI-related risks like discrimination and manipulation  &#8211;  yet its security implications are substantial: high-risk AI systems must withstand adversarial attacks, training data must be safeguarded against tampering, and AI-powered security tools  &#8211;  such as anomaly detection or fraud prevention systems  &#8211;  fall squarely under transparency and documentation mandates.<\/p>\n<p>For security teams: AI assistants deployed in the SOC  &#8211;  including Security Copilot and Charlotte AI  &#8211;  qualify as regulated AI systems. The AI Act\u2019s documentation burden could ripple directly into day-to-day security operations.<\/p>\n<h2>Key Facts<\/h2>\n<p><strong>NIS2:<\/strong> 18 sectors, 30,000+ companies in Germany, fines up to \u20ac10 million<\/p>\n<p><strong>DORA:<\/strong> 22,000+ financial firms, mandatory TLPT, direct oversight of critical ICT providers<\/p>\n<p><strong>CRA:<\/strong> Applies to all digital products from 2027, SBOM requirement, CE marking for cybersecurity<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>Which regulation affects me?<\/h3>\n<p>General rule of thumb: Financial sector = DORA + NIS2. Product or software vendors = CRA. AI developers and deployers = AI Act. All other sectors listed in the NIS2 scope = NIS2. In practice, many organizations fall under multiple regulations simultaneously.<\/p>\n<h3>Can I consolidate compliance efforts?<\/h3>\n<p>Yes  &#8211;  partially. NIS2, DORA, and CRA share foundational requirements around risk management, incident response, and supply-chain due diligence. An integrated information security management system (ISO 27001) can satisfy many overlapping controls. 
However, sector-specific mandates  &#8211;  like DORA\u2019s TLPT or CRA\u2019s SBOM obligation  &#8211;  demand dedicated attention and implementation.<\/p>\n<h3>How much does implementation cost?<\/h3>\n<p>Costs vary widely depending on maturity. Organizations with an established ISMS typically spend \u20ac50,000-\u20ac150,000 on gap analysis and targeted enhancements. Those building from scratch may invest \u20ac200,000-\u20ac500,000+ to establish a fully compliant framework. Fines  &#8211;  which scale with revenue and severity  &#8211;  make noncompliance far more expensive.<\/p>\n<p><em>Header Image Source: Pexels \/ Artur 
Roman<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"The EU has enacted more cybersecurity regulations in the past three years than in the previous twenty. NIS2, DORA, the Cyber Resilience Act, and the AI Act form a regulatory web that affects virtually every digital company in Europe. The overview that decision-makers need &#8211; without legal jargon. TL;DR NIS2: Cross-industry cybersecurity obligations for 18 [&hellip;]","protected":false},"author":55,"featured_media":5122,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"cybersecurity regulation","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Cybersecurity regulation in Europe: Stay compliant with NIS2, DORA, CRA & AI Act. Avoid fines\u2014act now to secure your business.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":"","footnotes":""},"categories":[217,3],"tags":[245,230],"class_list":["post-7551","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-innovation","category-uncategorized-en","tag-compliance","tag-nis2"],"wpml_language":"en","wpml_translation_of":5123,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7551"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7551\/revisions"}],"predecessor-version":[{"id":10135,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7551\/revisions\/10135"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/5122"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}