Blog 9.6.2026

Cyber security regulation FAQ – What do CRA and NIS2 mean for your business?

Cyber security regulation is expanding rapidly in many different forms, and organisations across industries are currently assessing what these new requirements mean in practice.

Organisations need to determine which requirements should be prioritised, on what timescale, and with what level of resources. For many, the challenge is not simply understanding an individual regulation, but managing the growing number of regulations and standards emerging simultaneously, often with overlapping requirements. It is therefore essential to build a comprehensive understanding of what regulation means within your operating environment, where requirements overlap, and how implementation can be integrated systematically into products, processes, governance structures and accountability models.

New obligations and expectations are emerging simultaneously through frameworks and legislation such as the Cyber Resilience Act (CRA), NIS2, the Radio Equipment Directive (RED), cyber security additions to the Machinery Directive, cyber security requirements for medical devices, the maritime industry’s UR E26 and E27 requirements, as well as regulations and frameworks such as the AI Act and the Space Act. Within this landscape, CRA and NIS2 represent two key starting points for many organisations.

The EU Cyber Resilience Act (CRA) introduces mandatory cyber security requirements for digital products throughout their entire lifecycle, while NIS2 strengthens organisational obligations relating to cyber security governance, risk management and business continuity. What these regulations have in common is that they are not merely technical requirements; they affect governance, operating models, processes and responsibilities across the entire organisation.

What is CRA?

The Cyber Resilience Act (CRA) is an EU-wide regulation designed to improve the cyber security of products with digital elements. It applies to both hardware and software products that contain digital components.

In practice, this means organisations must consider cyber security from the earliest stages of product design and maintain it throughout the product lifecycle. Compliance is not optional: if a company fails to meet the requirements by the applicable deadlines, the product may not be placed on the EU market or could be withdrawn from it. You can read more about the CRA timeline and key dates in my previous blog post.

What is NIS2 and how does it differ from CRA?

NIS2 is the updated version of the EU Network and Information Security Directive. It focuses on organisational cyber security management, risk management, incident reporting and operational resilience.

While CRA focuses on the cyber security of products with digital elements, NIS2 concentrates on an organisation’s ability to manage cyber risks and protect critical operations. Put simply, CRA asks how secure a product is, whereas NIS2 asks how effectively an organisation manages its cyber security. Read more about the NIS2 Directive here.

Who do these regulations apply to?

CRA applies to manufacturers, importers and distributors of products containing digital elements. In practice, this covers a wide range of products if they communicate digitally or form part of a connected environment.

NIS2, meanwhile, applies to selected sectors and organisations that play a significant role in society or the economy. For many businesses, the key question is no longer whether the regulation applies to them, but how extensively it impacts their products, processes, supply chain and governance.

Why should organisations act now?

The implementation timeline is moving quickly, and many organisations are discovering that the required changes are more extensive than initially anticipated. For CRA, two key dates are 11 September 2026, when vulnerability reporting obligations become applicable, and 11 December 2027, when compliance with the essential cyber security requirements becomes mandatory.

Organisations also need time to assess their current state, identify gaps, develop the necessary documentation, clarify roles and responsibilities, and embed practical operating models into day-to-day operations. The later this work begins, the more likely it is to become a rushed compliance exercise rather than a controlled business transformation initiative.

What does compliance mean in practice?

In practice, organisations must be able to interpret regulatory requirements, assess their current maturity, identify gaps and decide how cyber security should be integrated into products, operations and decision-making processes. This requires collaboration between business units, IT, OT, product development, quality management, procurement and executive leadership.

The work extends far beyond technical implementation. It includes establishing governance models, managing risks, defining responsibilities, maintaining documentation, reporting progress and monitoring compliance over time.

Who is responsible for cyber security compliance?

Responsibility does not sit with a single team. While cyber security and compliance specialists play a critical role, successful implementation requires executive ownership, business commitment and clearly defined responsibilities across different functions.

Regulation should not be treated as a standalone legal obligation, but as an integral part of risk management, product development, operational resilience and business decision-making.

What kind of support do organisations typically need?

In many cases, the greatest challenge is translating complex regulatory requirements into practical actions. Organisations often require support with regulatory interpretation, gap analysis, programme and project management, stakeholder coordination, and the governance and monitoring of compliance initiatives at leadership level.

The greatest value is achieved when regulatory work is transformed into structured progress: moving from isolated actions to coordinated change programmes, and from assessments to measurable readiness and capability.

What is a good first step?

A good first step is to establish a shared understanding of the current situation. This means assessing what the regulation actually means for your organisation, which products, services or operations are affected, where the current gaps lie and what actions need to be taken next.

Once the overall picture is clear, it becomes possible to develop a realistic roadmap, prioritise activities and ensure that compliance efforts support both regulatory requirements and broader business objectives.

Cyber security regulation is not simply another compliance obligation; it is also an opportunity to strengthen product security, operational resilience and customer trust. When approached in a structured and business-driven way, CRA and NIS2 can become more than compliance projects—they can serve as catalysts for improved risk management, stronger governance and more sustainable digital business operations.


Would you like to assess your organisation’s readiness or identify potential areas for improvement? Our experts can help you evaluate your current position and plan the necessary next steps.

Musa Jallow

Cyber Security Expert

Musa is responsible for industrial security and functional safety at Gofore. In his project work, Musa supports industrial clients in meeting various cybersecurity-related standards and regulations. Musa is known for his strong communication and leadership skills, complemented by solid expertise in cybersecurity.
