Understanding key EU cybersecurity legislative acts: NIS2, CER, and CRA

Written By

Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

As the landscape of cybersecurity continues to evolve rapidly, the European Union (EU) has enacted several legislative acts designed to strengthen resilience and security across various sectors. This article provides a snapshot of three key developments shaping the cybersecurity landscape: the NIS2 Directive, the Critical Entities Resilience (CER) Directive, and the Cyber Resilience Act (CRA), each playing a pivotal role in fortifying cybersecurity within the EU.

NIS2 Directive

The NIS2 Directive is a significant update to the original NIS Directive, aiming to bolster cybersecurity across essential and important entities within the EU. The Directive applies to entities operating in the sectors listed in its annexes (including data centre and cloud computing service providers as well as providers of public electronic communications networks), provided they meet certain company size thresholds and carry out their activities or provide their services within the EU. Some types of entity, such as providers of public electronic communications networks, fall within scope regardless of their size. Additionally, it covers, inter alia, entities providing domain name registration services and entities identified as critical entities under the CER Directive.

Key obligations

Entities within the scope of the NIS2 Directive must comply with specific cybersecurity obligations, including governance requirements, cybersecurity risk-management measures and incident reporting obligations. The Directive follows a minimum harmonisation approach, so Member States may adopt provisions that ensure a higher level of cybersecurity. Businesses must therefore track the national implementations closely to ensure compliance with the rules that actually apply to them.

Implementation timeline

The NIS2 Directive entered into force on 16 January 2023. Member States were obliged to adopt and publish the measures necessary to comply with the Directive by 17 October 2024. The national transposition process is still ongoing.

Sanctions

Failure to comply with the NIS2 Directive may result in substantial administrative fines. Essential entities face fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher; for important entities the corresponding figures are EUR 7 000 000 or 1.4 % of turnover. Members of the management body can also be held personally liable for breaches of the cybersecurity risk-management obligations.


CER Directive

The CER Directive is focused on enhancing the resilience, in particular the physical resilience, of critical entities delivering essential services across 11 key sectors, including energy, transport and health.

Key obligations

Critical entities must carry out risk assessments, take appropriate and proportionate technical, security and organisational measures to ensure their resilience, and notify incidents that significantly disrupt or could significantly disrupt the provision of essential services. Member States must lay down penalties for non-compliance that are effective, proportionate and dissuasive.

Implementation timeline

The CER Directive entered into force on 16 January 2023, alongside the NIS2 Directive, and had to be transposed by Member States by 17 October 2024. By 17 July 2026, each Member State must identify the critical entities within the sectors and subsectors listed in the Directive. The obligations apply to a critical entity once it has been identified and notified as such by its Member State, so compliance will be phased in as the national identification processes progress.


CRA

The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements, i.e. hardware and software products that can be connected, directly or indirectly, to a device or network, and imposes obligations on manufacturers, importers and distributors. Products already governed by sector-specific rules with equivalent cybersecurity requirements (for example certain medical devices, motor vehicles and civil aviation equipment) are excluded from its scope.

Key obligations

Manufacturers must, in particular, ensure that their products meet the essential cybersecurity requirements of the CRA, handle vulnerabilities effectively throughout the product's support period (including by providing security updates), carry out a conformity assessment and draw up technical documentation, and report actively exploited vulnerabilities and severe incidents affecting their products. Importers and distributors must verify that the products they place or make available on the market comply with these requirements.

Implementation timeline

The CRA entered into force on 10 December 2024. Its main provisions apply from 11 December 2027, while the reporting obligations for manufacturers apply from 11 September 2026.

Sanctions

The administrative fines under the CRA (which is a Regulation, not a Directive) vary based on the severity of the infringement. For non-compliance with the essential cybersecurity requirements or the core obligations of manufacturers, fines can reach up to EUR 15 million or 2.5 % of the offender's total worldwide annual turnover in the preceding financial year, whichever is higher. Other infringements, such as failing to appoint an authorised representative or breaching the technical documentation and CE-marking requirements, may result in fines of up to EUR 10 million or 2 % of turnover. Providing incorrect, incomplete or misleading information to notified bodies or market surveillance authorities can incur fines of up to EUR 5 million or 1 % of turnover.


Conclusion

The NIS2 Directive, the CER Directive and the CRA represent significant steps in enhancing cybersecurity and resilience across the EU. Businesses are strongly advised to stay informed about these acts and their national implementations, and to comply with them in order to maintain robust cybersecurity practices.

Do you have questions about NIS2, CER or CRA, or about the impact of these acts on your business? Bird & Bird is ready to help you assess the impact of this legislation on your business and to assist in preparing your compliance plan.

For more information, please contact Mona Saadi (Business Development Manager, LLB) & Dr. Natallia Karniyevich.
