EU NIS2, DORA, CRA and AI Act

Network and Information Security Directive (NIS2)

What is it: The Network and Information Security Directive (NIS2) replaces the original NIS Directive of 2016. It aims to raise a common baseline of cyber security and resilience across the EU.

When will it apply: NIS2 is a directive, so it applies through national law. Member States had to transpose it by October 17, 2024, and organizations in scope must meet the requirements set out in their national implementation from that point on.

Who is in scope: Essential and important entities in 18 sectors of business and industry in the EU (11 sectors of high criticality such as energy, transport, banking, health, digital infrastructure and public administration, plus 7 other critical sectors such as manufacturing, food and postal services). In general this covers medium-sized and larger organizations in those sectors; some entities are in scope regardless of size.

NIS2 details:

  • Given its focus on critical infrastructure and essential services, many public organizations are in scope of NIS2.
  • There are four main areas impacted by NIS2: Risk Management, Corporate Accountability (management bodies must approve and oversee the measures and can be held personally liable), Incident Reporting (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident) and Business Continuity & Crisis Management.
  • There are other areas with impact and requirements, such as policies and procedures, supply-chain security, and technical measures such as Multi-Factor Authentication (MFA), encryption, asset inventory, etc.
  • NIS2 fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities).

Digital Operational Resilience Act (DORA)

What is it: The Digital Operational Resilience Act (DORA) strengthens the ICT risk management and operational resilience of financial entities.

When will it apply: DORA is a regulation and applies directly in every Member State. Each organization within scope must comply with its requirements from January 17, 2025.

Who is in scope: Financial entities in the EU such as banks, insurance companies, investment firms, payment institutions and crypto-asset service providers, and the ICT third-party service providers that serve them. Providers designated as critical ICT third-party providers fall under direct oversight by the European Supervisory Authorities.

DORA details:

  • Defines a strong minimum set of ICT risk management, incident reporting and third-party risk requirements that apply to all financial entities across the EU, creating a single, widely adopted standard.
  • ICT third parties that provide services to financial entities must also meet stricter contractual and security requirements, which increases the effective reach of DORA well beyond the financial sector itself.
  • Mandatory digital operational resilience testing, including threat-led penetration testing (TLPT) at least every three years for the financial entities identified for it.
  • Administrative penalties for financial entities are set by the competent authorities of each Member State, not by DORA itself. For critical ICT third-party providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for each day of non-compliance.

Cyber Resilience Act (CRA)

What is it: The Cyber Resilience Act (CRA) sets cybersecurity requirements for hardware and software products with digital elements that are placed on the EU market.

When will it apply: The CRA entered into force on December 10, 2024. Manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from September 11, 2026; the remaining requirements apply from December 11, 2027.

Who is in scope: Manufacturers, importers and distributors of products with digital elements sold in the EU, wherever they are based. Non-commercial open-source software is largely out of scope, with lighter obligations for open-source stewards.

CRA details:

  • Manufacturers of digital products must ensure security across the entire lifecycle of their product, including vulnerability handling and security updates for the support period (at least five years unless the expected product lifetime is shorter).
  • More emphasis on secure by design and secure by default products, and on being able to prove this with technical documentation, a conformity assessment and the CE marking.
  • Examples of product types in scope: mobile devices, routers and switches, mobile apps, desktop applications, IoT devices, laptops and digital toys.
  • CRA fines can reach €15 million or 2.5% of total worldwide annual turnover, whichever is higher, for breaches of the essential cybersecurity requirements.

Artificial Intelligence Act (AI Act)

What is it: The Artificial Intelligence Act (AI Act) applies risk-based rules and requirements to AI systems and their use.

When will it apply: The AI Act entered into force on August 1, 2024 and applies in stages, depending on the classification: the prohibitions on unacceptable-risk practices from February 2, 2025, the obligations for general-purpose AI models from August 2, 2025, most high-risk requirements from August 2, 2026, and high-risk AI embedded in regulated products from August 2, 2027.

Who is in scope: Providers and deployers of AI systems in the EU, as well as providers outside the EU whose AI systems or their output are used within the EU.

AI Act details:

  • It uses a risk-based approach. AI systems and their use are classified into one of four levels: Unacceptable Risk, High Risk, Limited Risk and Minimal Risk. The requirements applied depend on the risk classification.
  • Unacceptable Risk AI systems (such as social scoring by public authorities) are prohibited.
  • High Risk AI systems are subject to the most regulation (i.e., they require a risk management system, data governance, technical documentation, logging and monitoring, human oversight, a quality management system, a conformity assessment and registration in the central EU database; certain deployers must also carry out a fundamental rights impact assessment).
  • AI Act fines can reach €35 million or 7% of total worldwide annual turnover, whichever is higher. The maximum tier applies to prohibited practices; other violations are capped at €15 million or 3%, and supplying incorrect information to authorities at €7.5 million or 1%.
