Think of this scenario: a network operator discovers that overly broad permissions in its internal systems allowed a misconfigured process to access critical data. Soon after, password policy gaps and inconsistent access reviews expose the organization to escalating risks. These are no longer isolated operational oversights; they are examples of how internal vulnerabilities can ripple across essential services.
It’s also exactly the kind of domino effect the EU’s NIS2 Directive and the Cyber Resilience Act (CRA) are designed to prevent. Together, they create a dual framework: one governing the operations of essential services (such as telecom and finance) and the other governing the security of products with digital elements (hardware and software).
The message from Brussels is clear: compliance is not about box-ticking; it’s about resilience at scale. And for CII operators, these rules redefine how risk, supply chains, and product security must be managed.
Why NIS2 and the CRA Matter Now
The stakes couldn’t be clearer. Critical infrastructure (from telecom backbones to energy grids) has become the frontline of modern cyber conflict. Ransomware groups, state-linked actors, and opportunistic attackers are no longer targeting just data; they’re disrupting entire services. And when a supply chain compromise cascades across multiple providers, the impact isn’t measured in lost files but in blackouts, outages, and broken trust.
That’s exactly why the EU doubled down with NIS2 and the Cyber Resilience Act (CRA).
- NIS2 entered into force on January 16, 2023, with Member States required to transpose it into national law by October 17, 2024. As of October 18, 2024, NIS1 is repealed, replaced by a tougher, broader directive. Essential and important entities must now implement proportionate risk-management measures and, critically, report significant incidents within strict timeframes (Article 23):
  - an early warning within 24 hours,
  - an incident notification within 72 hours, and
  - a final report within one month of the incident notification.
- The CRA raises the bar for the other side of the equation: the digital products and software running inside those critical systems. It forces manufacturers to embed security-by-design into their hardware and software, maintain robust vulnerability handling, and provide long-term support. While most obligations bite from December 11, 2027, reporting duties start much earlier: on September 11, 2026.
Put simply, NIS2 governs how operators run their services, and the CRA governs how vendors build their products. The greater challenge often lies with operators who lack the internal controls, training, or monitoring to respond effectively to emerging threats. Weak access management, delayed patching, and limited incident response planning can turn minor software flaws into major disruptions for customers and critical systems.
And the threat environment is only intensifying. ENISA’s Threat Landscape 2023 names supply-chain compromises and ransomware as top systemic risks for Europe’s essential services. If your organization depends on CII (and who doesn’t?), these aren’t abstract risks; they’re tomorrow’s headlines.
The urgency is real: compliance isn’t just about avoiding fines. It’s about keeping Europe’s lights on, networks running, and trust intact.
NIS2 + CRA: The Two-Part Solution, in Plain Language

To simplify:
- NIS2 is the operating rulebook. It tells essential and important entities (telecoms, finance, energy operators, and other CII) how to manage cyber risk, oversee suppliers, and coordinate incident response with national CSIRTs and, through them, with the EU's cyber crisis network (EU-CyCLONe).
- The CRA is the product rulebook. It tells manufacturers and vendors how to build and maintain secure products, from routers and substations to IoT and enterprise software. Manufacturers must also report actively exploited vulnerabilities and severe incidents through ENISA's single reporting platform: an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available (within one month for severe incidents).
Think of it this way: NIS2 governs operations, CRA governs products, and telecom and energy sit in the overlap, where both sets of duties apply.
How NIS2 Works, at a Glance
NIS2 significantly broadens the scope of NIS1, extending obligations to telecom providers, energy operators, cloud services, and digital platforms.
Key obligations include:
- A risk-management program that covers both IT and OT and produces evidence a customer or regulator can inspect, so that risk visibility is explicit rather than assumed.
- Business continuity and disaster recovery plans, rehearsed and documented.
- Crisis management playbooks for national and cross-border events.
- Supply-chain security integrated into procurement, not bolted on after the fact.
- 24h/72h/30d reporting workflows that escalate incidents quickly but allow structured analysis.
The Commission's Implementing Regulation (EU) 2024/2690 further defines what counts as a "significant incident" for digital providers such as cloud, managed services, and data centers, removing self-interpretation for those sectors. Telecom and energy operators still work from the general criteria in Article 23 and their national authority's guidance, but the direction is the same: supervision is being harmonized across the EU, and thresholds are increasingly set for you rather than by you.
CRA Requirements for Telecom and Energy
While NIS2 sets operational obligations, the CRA is about product security across the lifecycle.
- Entry into force: December 2024.
- Reporting obligations: September 2026.
- Full compliance obligations: December 2027.
The CRA requires:
- Secure design and development of hardware and software.
- Updates and patch management throughout the lifecycle.
- Coordinated vulnerability disclosure with vendors, customers, and ENISA.
- Mandatory reporting of exploited vulnerabilities via ENISA’s platform, feeding into a European vulnerability database aligned with NIS2.
The CRA also allows the Commission to require European cybersecurity certification (e.g., EUCC for Common Criteria assurance) for certain high-risk product categories.
France’s PAS and the “20 Security Objectives” for NIS2 Compliance
PAS as a Supply-Chain Security Lever for NIS2
In France, the Plan d’Assurance Sécurité (PAS) is more than paperwork; it’s a contractual tool many operators already use to spell out security expectations for their suppliers. Under NIS2, especially Article 21 on supply-chain security, PAS can serve as the vehicle for embedding vendor security requirements and for collecting evidence of compliance. In other words, PAS can become the practical bridge between regulation and supplier oversight.
The 20 Security Objectives: France’s NIS2 Compliance Framework

ANSSI, France’s national cybersecurity authority, has translated NIS2 into a set of roughly twenty concrete security objectives. These objectives cover four big buckets:
- Governance – leadership, accountability, and board oversight.
- Protection – hardening systems and managing risks.
- Defense – monitoring, detection, and incident response.
- Resilience – recovery, continuity, and crisis planning.
This grid isn’t just guidance; it’s becoming the de facto national reference for how entities, including boards, must demonstrate compliance with Articles 20 and 21.
How PAS Works in Practice: Supplier Compliance and Evidence Collection
If you're a supplier, say, a telecom equipment vendor, you should expect your French customers to point you to their PAS and ask for evidence mapped against these 20 objectives. An ISO/IEC 27001 certification (and the ISO/IEC 27002 control set behind it) is a useful reference, but it's not a free pass:
- ISO evidence can map to many objectives.
- But NIS2 compliance is judged against legal measures in the directive and its national transposition, not against certification status alone.
- ANSSI explicitly notes that European and international standards are encouraged, but do not replace the directive’s requirements.
Takeaway: In France, treat the PAS as your compliance handshake with customers, and align your ISO/IEC controls with the 20 objectives; but remember, certification ≠ compliance.
Implications of NIS2 and CRA for Telecom Operators
For telecom, compliance shifts from audits to always-on governance.
- Incident reporting: Early warning in 24h, full notification in 72h, and a final report in 30 days. That means process automation and vendor integration are no longer optional.

- Supply-chain governance: NIS2 Article 21 duties now mean every procurement and lifecycle contract must embed security obligations. Assess vendor risk systematically (questionnaires, evidence reviews, dependency on single suppliers), and start asking for CRA-conformant product evidence or EUCC certificates for critical categories.

- Cross-border coordination: the CSIRTs network and EU-CyCLONe are made up of national CSIRTs and crisis-management authorities, not operators. What telecom operators must do is be able to feed their national CSIRT and competent authority quickly and accurately, because those bodies escalate incidents that span multiple Member States through the network on your behalf.
Implications of NIS2 and CRA for Energy Companies
For energy, the stakes are higher because of OT and SCADA environments.
- OT security: NIS2 controls must extend into substations and control centers, covering asset inventories, segmentation, secure remote access, and vendor vulnerability channels.
- Alignment with Network Code on Cybersecurity: This delegated regulation sets minimum cross-border cybersecurity requirements for the electricity sector, dovetailing with NIS2.
- Resilience: It’s not a binder on a shelf. Both the Network Code and NIS2 demand regular crisis exercises, recovery testing, and coordination with national authorities.
- Products and field equipment: Require CRA compliance evidence in tenders. Where assurance must be high, consider EUCC certification, since CRA opens the door to mandatory certification for some categories.
Monday Morning Checklist: Actionable NIS2 & CRA Compliance Steps for your Teams

It’s easy to get lost in the 200-page directives and annexes. But compliance doesn’t have to start with a mountain of paperwork. Here’s how you can turn regulatory theory into action, starting Monday morning.
Step 1: Assign a Compliance Owner
Don’t let NIS2 and CRA live in a policy binder. Assign a senior leader who owns cybersecurity compliance across operations and product lines. This signals accountability at the top and ensures that board-level duties, like oversight, training, and liability, are taken seriously from day one.
Step 2: Run a NIS2 + CRA Gap Analysis
Run a focused sprint: map your current controls against NIS2 Article 21, CRA Annex I requirements, and any national add-ons (like France’s PAS). Identify overlaps with your existing ISO/IEC 27001 or sector frameworks. The goal isn’t perfection in four weeks; it’s visibility. You need to know where your blind spots are before regulators do.
Step 3: Update Supplier Contracts With CRA Obligations
Your vendors are part of your attack surface. Update procurement requirements so suppliers provide secure update SLAs, vulnerability disclosure processes, and evidence of CRA readiness. For software that includes substantial open-source components, consider requesting a software bill of materials (SBOM), keeping in mind that SBOMs are not suitable for all software, particularly embedded software on small devices, and that sharing them indiscriminately could introduce security risks. For telecoms, link this directly to the EU 5G MCKB. For energy, align it with the Network Code on Cybersecurity.
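When a supplier does hand over an SBOM, the first question is whether it is usable at all: an entry without a version cannot be matched to any advisory, and an entry without a package URL is ambiguous. The following Python checker is an added illustration for this article, not code from the article, ANSSI, ENISA or any vendor. It assumes a CycloneDX 1.5 JSON document (top-level bomFormat, specVersion, metadata.component, components[].name/version/purl); the sample SBOM embedded in it is constructed for the example.

```python
"""Sanity checks on a supplier-provided CycloneDX JSON SBOM.

Added example for this article (not the article's or any project's code).
Assumes the CycloneDX 1.5 JSON layout; the SAMPLE_SBOM below is constructed.
"""
import json

# Constructed sample: "zlib" has no version, "busybox" has no purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "component": {"type": "firmware", "name": "rtu-firmware", "version": "4.2.0"},
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "purl": "pkg:generic/zlib"},
        {"type": "library", "name": "busybox", "version": "1.36.1"},
    ],
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "metadata", "components")


def check_sbom(text: str) -> dict:
    """Return {"ok": bool, "errors": [...], "warnings": [...]} for one SBOM.

    Errors make the SBOM unusable for vulnerability matching; warnings
    flag entries you should push back on before accepting the delivery.
    """
    errors, warnings = [], []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": [f"not valid JSON: {exc}"], "warnings": []}

    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            errors.append(f"missing top-level field {key!r}")
    if bom.get("bomFormat") != "CycloneDX":
        errors.append(f"unexpected bomFormat {bom.get('bomFormat')!r}")

    # The SBOM must say which product build it describes, or it cannot be
    # tied to the firmware/software actually deployed in the field.
    meta = bom.get("metadata", {})
    subject = meta.get("component", {})
    if not subject.get("name") or not subject.get("version"):
        errors.append("metadata.component must name the delivered product and its version")
    if "timestamp" not in meta:
        warnings.append("metadata.timestamp absent: build date unknown")

    seen = set()
    for idx, comp in enumerate(bom.get("components", [])):
        label = comp.get("name") or f"components[{idx}]"
        if not comp.get("name"):
            errors.append(f"components[{idx}] has no name")
        if not comp.get("version"):
            # No version means no way to match the entry against advisories.
            errors.append(f"{label}: no version, cannot be matched to vulnerability data")
        if not comp.get("purl"):
            warnings.append(f"{label}: no purl, component identity is ambiguous")
        key = (comp.get("name"), comp.get("version"))
        if key in seen:
            warnings.append(f"{label}: duplicate entry")
        seen.add(key)

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    print("accepted" if result["ok"] else "rejected")
    for line in result["errors"]:
        print("ERROR  ", line)
    for line in result["warnings"]:
        print("WARNING", line)
```

The checker deliberately stops at structural quality; matching the components against vulnerability data (the EU vulnerability database, a CVE feed) is the next step and depends on every entry having passed these checks first. Treat the output as a procurement gate: an SBOM that fails it has not met the contractual obligation, whatever it was named.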
Step 4: Test Incident Reporting Workflows
Don’t wait for the first breach to figure out how 24-hour early warnings or 72-hour notifications actually move through your org. Run a tabletop or live drill with your CSIRT, legal, PR, and vendors. The key metric isn’t how fast you can hit “send”; it’s how coordinated your team is under pressure.
Step 5: Rehearse Joint Crisis Exercises
Cross-border disruptions won’t be solved in silos. Invite your suppliers and national regulators into a crisis exercise. Rehearse a realistic scenario: a supply-chain exploit that knocks out both telecom nodes and energy substations, and walk through the NIS2 and CRA reporting flow together. You’ll expose gaps, build trust, and prove you’re serious about resilience.
The Bigger Picture: Building Cyber Resilience in Europe
The EU’s new rules are not about bureaucracy; they’re about resilience in the face of systemic cyber risk. CII operators now stand at the center of Europe’s cybersecurity defense.
Those who treat NIS2 and the CRA as opportunities, not burdens, will launch faster, recover stronger, and earn customer trust. Those who lag will face not just penalties, but reputational damage in a market where resilience is the ultimate differentiator.
This is more than compliance. It’s Europe future-proofing its critical infrastructure, and your organization’s chance to lead.