NIS 2, CRA and CSA EU cybersecurity explained

Overview of NIS 2, the Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA): scope, objectives and the connections between the EU's main cyber rules.

NIS 2 directive: protection of critical infrastructure

The NIS 2 directive (Network and Information Security Directive 2) is the successor to the original NIS directive from 2016. It aims to improve cybersecurity in critical sectors. Its scope covers essential and important entities in sectors such as energy, transport, banking, healthcare and digital infrastructure. The main objectives of the NIS 2 directive are the introduction of stricter cybersecurity measures, reporting obligations for cyber incidents and improved cooperation between EU member states.

An important aspect of NIS 2 is the potential obligation to use certified ICT products, services and processes. Under Article 24, member states may require companies to use certain products, services and processes that have been certified under European cybersecurity certification schemes adopted pursuant to the Cybersecurity Act.

Cyber Resilience Act (CRA): security of connected products

The Cyber Resilience Act (CRA) is a new regulation that focuses on the cybersecurity of products with digital elements. Its scope extends to all connected devices and software, including the Internet of Things (IoT) as well as hardware and software products. The CRA aims to introduce cybersecurity requirements for products, obliging manufacturers to consider security throughout the entire product lifecycle and to create a unified legal framework for product cybersecurity in the EU.

The CRA introduces a conformity assessment system that expands the existing rules for CE marking, including the possibility of certification under the Cybersecurity Act. In this context, Article 27 provides that products for which an EU declaration of conformity or a certificate has been issued under a European cybersecurity certification scheme are presumed to meet the essential requirements of the CRA, insofar as the declaration or certificate covers those requirements.

Moreover, Article 8 empowers the Commission to adopt delegated acts to determine which critical products with digital elements must receive a European cybersecurity certificate under the Cybersecurity Act with at least the 'substantial' level of assurance.

Cybersecurity Act (CSA): EU-wide certification

The Cybersecurity Act (CSA) strengthens the role of the EU Agency for Cybersecurity (ENISA) and establishes a framework for European cybersecurity certifications. It applies to ICT products, services and processes and provides for both voluntary and, in some cases, mandatory certifications.

The main goals of the CSA are to create an EU-wide certification framework for cybersecurity, strengthen trust in certified products and services, and promote a higher level of cybersecurity across the EU.

The CSA plays a central role in the implementation of both the NIS 2 directive and the CRA. The certification schemes developed under the CSA can be used by competent authorities to verify and confirm compliance with the requirements of both sets of rules.

Relationships and differences between NIS 2, CRA and CSA

While NIS 2 focuses on the security of critical infrastructures and sectors, the CRA targets the security of products with digital elements. The CSA, in turn, creates an overarching framework for certifications that can be relevant for both NIS 2 and the CRA.

All three frameworks complement each other: NIS 2 strengthens cybersecurity at the organizational level in critical sectors, the CRA ensures the security of the products used, and the CSA provides a framework for reviewing and certifying security measures.

Outlook and conclusion

NIS 2, CRA and CSA together form a comprehensive regulatory framework to strengthen cybersecurity in the EU. While their scopes overlap in places, they address different aspects of cybersecurity. Companies and organizations should monitor all three frameworks to develop and implement a holistic cybersecurity approach.

Support for implementing NIS 2, CRA and CSA

The overlaps and interactions between NIS 2, CRA and CSA create a complex regulatory environment for companies. The challenge lies not only in understanding the individual requirements but also in developing a coordinated compliance strategy.

Secuvi supports companies in navigating this layered regulatory framework and in developing efficient implementation strategies. Whether assessments of applicability, integrated compliance concepts or certification planning, we help identify synergies and avoid duplicate efforts.

If you would like to implement the requirements of NIS 2, CRA and CSA systematically and cost-efficiently, we offer our expertise.

More information: secuvi.com