Security Compliance

NIS2, DORA and the Cyber Resilience Act: what do you need to do with them?

19 March 2026 · 7 min read · by Jeroen Schipper, Chief Security Advisor

What are NIS2, DORA, and the CRA?

What is NIS2 (Cybersecurity Act)?

NIS2 is a European directive. That means: each country must transpose this directive into national legislation. In the Netherlands, this is done through the Cybersecurity Act (Cbw). The EU deadline to transpose NIS2 was October 17, 2024. Many countries (including the Netherlands) are still working on translating it into national regulations. The government itself expects the Cbw to come into effect by the end of Q2 2026.

What is DORA?

DORA (Digital Operational Resilience Act) is a European regulation that applies directly throughout the EU. DORA focuses on the financial sector (banks, insurers, investment firms, and more) and has been applicable since January 17, 2025.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act is a European regulation focused on products with digital elements (hardware, software, and associated services). The CRA has been in effect since December 10, 2024. Reporting obligations start on September 11, 2026, and main requirements apply from December 11, 2027.

Why is the EU setting these rules?

The simple reason: we are more digitally dependent than ever, and that dependency runs through supply chains.

  • One incident at a supplier can affect dozens of organizations.
  • Disruptions and attacks do not stop at national borders.
  • The impact is no longer "just IT": it affects production, healthcare, payments, logistics, public services.

Focus areas within NIS2

NIS2 is about "controlled security" for essential and important organizations. Three pillars:

  • Duty of care: taking appropriate measures based on risks, aimed at continuity and protection of information.
  • Registration obligation: organizations in scope are required to register.
  • Reporting obligation (significant incidents): an early warning within 24 hours, a follow-up report within 72 hours, and a final report no later than 1 month after the first report.

Focus areas within DORA

DORA is made for one scenario: the financial sector must keep running, even when ICT is under pressure. The focus is on:

  • ICT risk management: policy, controls, monitoring, ownership.
  • Incident management and reporting.
  • Testing resilience: ongoing and demonstrable.
  • Third parties/suppliers: control over outsourcing, contracts, exit scenarios.

Focus areas within the CRA

The CRA brings cybersecurity into the product: secure by design becomes a requirement to sell in the EU. The core revolves around:

  • Secure design and secure default settings.
  • Managing vulnerabilities: finding, fixing, communicating.
  • Updates and support: how long does a product remain secure?
  • Reporting problems: reporting obligations start in 2026.

How do you start without drowning in rules?

  • Determine scope: do you fall under NIS2/Cbw, DORA, CRA, or multiple?
  • Expose your critical chain: which suppliers are single points of failure?
  • Make incident reporting feasible: can you report within 24/72 hours?
  • Start collecting evidence: not just policy, but also logs, tests, exercises, and follow-up.
  • For product teams: build vulnerability handling, update delivery, and support commitments into your product lifecycle.

(This blog is intended as an informative overview and not legal advice.)

Ready for NIS2, DORA or the CRA?

Our specialists help you take the right steps. From scope check to implementation.