In an era of rapid technological advancement, the European Union (EU) is at the forefront of regulatory cybersecurity initiatives, continuously striving to enhance digital security through new regulations and certifications. Initiatives such as the Cyber Resilience Act (CRA), Digital Operational Resilience Act (DORA), and the Critical Entities Resilience Directive (CERD) introduce new obligations or revamp existing ones.
Navigating and complying with multiple sets of rules and requirements can be a complex task, requiring holistic expertise and investment. At PwC, we have a deep understanding of the EU cybersecurity and resilience landscape and can help you navigate the complexities of these regulations. Our team of experts can provide tailored solutions to ensure your organisation meets the highest standards, reducing digital risks and increasing resilience in this new digital era. We help you streamline your compliance with tailored management systems, avoiding redundancy and maximising resource efficiency. Trust us to guide you through the intricacies of EU cybersecurity regulations, so you can focus on what you do best – driving your organisation forward.
The NIS 2 Directive represents a significant step forward in improving cybersecurity standards in EU Member States. It introduces risk-based cybersecurity requirements and extends the scope of the previous directive to include a broader range of sectors considered important or essential for societal and economic stability.
Obligations became enforceable in Belgium in October 2024, and the Centre for Cybersecurity Belgium (CCB) will begin ensuring compliance. The CCB has already taken steps to help organisations prepare by introducing specific assurance levels (the CyberFundamentals frameworks) in addition to the internationally recognised ISO27001 framework.
[Visual: ISO27001 versus CyberFundamentals]
DORA defines cybersecurity measures specifically designed for the financial sector, serving as a sectoral framework separate from the NIS 2 Directive. As such, it is important to note that provisions under NIS 2 regarding cybersecurity risk management, reporting obligations, supervision, and enforcement do not apply to financial entities, as they are covered by DORA.
The aim of DORA is to provide a comprehensive framework to ensure that all financial entities under its scope can withstand, respond to, and recover from technology-related disruptions. The obligations imposed by DORA are defined under five pillars that aim to strengthen ICT risk management and resilience testing, streamline incident reporting and third-party risk management, and encourage the sharing of threat intelligence among financial entities, fostering a collaborative approach to cybersecurity.
Its obligations became fully applicable as of 17 January 2025, after an implementation period of 24 months which started on 16 January 2023. From 2025 onwards, national authorities begin oversight activities in order to ensure compliance.
Alongside the Regulation itself, the European Supervisory Authorities (ESAs) have developed detailed sets of regulatory and implementing technical standards (RTS/ITS). These standards provide further guidance for financial entities, ensuring that they meet the necessary cybersecurity requirements and contribute to a more resilient financial ecosystem.
The Cyber Resilience Act (CRA) is a legislative framework that addresses security requirements for products with digital elements, which includes both software and hardware products, as well as their remote data processing solutions.
The Act aims to strengthen cybersecurity by mandating a set of standards for digital product manufacturers, developers and distributors. In addition, the Act introduces obligations for these entities to assess and mitigate risks throughout the lifecycle of the product and to report significant cyber incidents and vulnerabilities. This will enhance transparency of security properties and bolster the security of products with digital elements.
All products that fall under the scope of the CRA will be divided into four categories. Depending on the category a product falls under, a different set of compliance measures will have to be taken.
The CRA entered into force on 10 December 2024. Most of its provisions will become fully applicable as of 11 December 2027, giving organisations time to adjust and meet the requirements gradually. However, manufacturers will be required to fulfil vulnerability reporting obligations already starting 11 December 2026.
Introduced alongside the NIS 2 Directive, the CER Directive aims to enhance resilience to threats and risks that could impact the provision of essential services. To this end, it takes an all-hazards approach, addressing threats irrespective of their nature. Depending on the designation by competent authorities, entities under NIS 2 could also be subject to the wider resilience obligations set out by the CER Directive. Its primary objective is to reduce vulnerabilities and strengthen the physical resilience of the entities that are crucial for vital societal functions, economic activities, public health and safety, and the environment.
EU Member States have until July 2026 to designate these 'critical entities'. The entities in scope must adopt stringent measures, including risk assessments, business continuity and crisis management plans, and robust incident notification processes in order to increase overall resilience.
The Cybersecurity Act (CSA) establishes a regulatory framework for the creation of European cybersecurity certification schemes meant to promote the development of adequate cybersecurity requirements for ICT products, services, and processes in the EU. These schemes may also be promoted as a way to showcase adherence to their requirements or even potentially prescribed through other legislation. One such piece of legislation is the Cyber Resilience Act, which adds cybersecurity to the criteria for obtaining a CE marking.
Three certification schemes are currently under development: the recently adopted European Cybersecurity Certification Scheme on Common Criteria (EUCC), targeting ICT products including hardware, software and component products; the scheme for Cloud Services (EUCS); and the scheme for 5G (EU5G). The recent amendment to the CSA also adds managed (security) services to its scope, enabling the future adoption of certification schemes dedicated to them.
The Cyber Solidarity Act aims to strengthen the EU’s cybersecurity ecosystem and its capability to detect, prepare for and respond to cybersecurity threats and incidents. The proposed Regulation establishes a framework based on three pillars: a platform of national and cross-border security operation centres (Cybersecurity Alert System); a Cybersecurity Emergency Mechanism to enhance preparedness, response and mutual assistance actions among Member States; and a Cybersecurity Incident Review Mechanism to assess and review the effectiveness of the measures taken after a significant incident.
The drive for preparedness under the Cybersecurity Emergency Mechanism envisages a system of coordinated (voluntary) testing of entities that operate in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities. This would include, for example, penetration testing of all the identified critical entities (public and private) in order to identify vulnerabilities. Under the Regulation, these activities will be conducted by private companies appointed as ‘trusted providers’ under the Cybersecurity Reserve.
This Regulation establishes a framework of harmonised measures to effectively anticipate, prepare for and respond to the impact on the internal market of various crises, such as natural disasters, public health emergencies, economic shocks and security concerns. It focuses on critical dependencies, supply chain disruptions, and continuity of essential services, providing a coordinated EU response to crises that threaten market stability.
IMERA ensures ongoing surveillance for potential crises, enables the activation of a vigilance or emergency mode when needed, and sets up governance for coordinated responses among Member States. It establishes an advisory group, comprising the Commission and Member States, to evaluate situations and recommend actions. Notably, in extreme cases, IMERA allows for emergency measures such as specific information requests from private companies, prioritisation of crisis-related products, expedited market entry for certain goods, and waivers of specific regulations.
At PwC, we understand the challenges organisations face in complying with multiple new regulatory frameworks. Our team of experts can guide you throughout the entire compliance journey, from strategy development to implementation. We offer a multidisciplinary approach that combines technical knowledge, regulatory insights, and industry-specific expertise to address your unique needs.