
An Update on European Compliance: NIS2, CRA, DORA

Cybersecurity Assessments | Compliance and Certification

Published: Jul 23, 2025

As the EU's digital landscape evolves, so does its regulatory environment. With the NIS2 Directive, the Cyber Resilience Act (CRA), and the Digital Operational Resilience Act (DORA) all advancing on different timelines, organizations must prepare for a complex yet increasingly harmonized set of cybersecurity and resilience expectations. 

In this blog, we’ll provide an update on the current status, practical implications, and key compliance strategies related to each regulation. We’ll also offer clarity on how to navigate delayed national implementations, prepare for product-level security obligations, and meet new operational resilience standards in the financial sector. 

NIS2: Navigating Delayed Transpositions and Divergent National Implementations 

The NIS2 Directive, aimed at enhancing cybersecurity across the EU, required Member States to transpose its provisions into national law by October 17, 2024. However, as of June 30, 2025, only 14 EU Member States have fully transposed NIS2 into national law, while the European Commission continues infringement proceedings against 13 Member States, including Germany, France, Spain, and Poland, for failing to complete their transposition obligations on time.  

Navigating Divergent National Implementations 

Given the varying interpretations and implementations of NIS2 across Member States, organizations operating in multiple jurisdictions should consider the following strategies: 

  • Adopt the Strictest Common Denominator Approach: Implement cybersecurity measures that meet or exceed the most stringent requirements among the applicable national laws. This approach ensures compliance across all jurisdictions and prepares the organization for future regulatory developments. 
  • Monitor National Developments: Stay informed about the transposition status and specific requirements in each country of operation. Regularly consult official sources so that changes in national obligations are caught as they are published.
  • Implement Flexible Compliance Frameworks: Develop adaptable cybersecurity programs that can accommodate varying national requirements. Utilize modular policies and procedures that can be tailored to specific jurisdictions as needed.
  • Engage with National Authorities: Establish communication with relevant national cybersecurity authorities to gain clarity on compliance expectations and to stay ahead of any changes in regulatory requirements. 

Key Considerations for Organizations Seeking NIS2 Compliance 

  • Scope of Application: NIS2 expands the scope of its predecessor, covering a broader range of sectors and entities. Organizations must assess whether they fall under the categories of "essential" or "important" entities as defined by the directive and the member states in which they conduct business.
  • Mapping to Existing Frameworks: Entities will benefit from determining the overlap with existing compliance obligations so that efforts can be focused and compliance streamlined. Take it a step further by mapping variances between Member State transpositions to ensure adoption of the strictest requirements.
  • Comply Now: Noncompliance with NIS2 can lead to significant penalties, including fines and other enforcement actions. While waiting for Member States to finalize their transpositions, interpret and comply with the directive's original text to avoid potential sanctions.

Preparing for Product-Level Cybersecurity Obligations with the Cyber Resilience Act (CRA) 

Complementing NIS2, the Cyber Resilience Act (CRA) aims to improve security for products with digital elements through mandatory cybersecurity requirements. While first introduced in 2021, it was adopted in October of 2024 and will see reporting obligations for security incidents in 2026 with full requirements being enforced in 2027. 

Scope of CRA Applicability 

The CRA applies to nearly all products with digital elements, excluding: 

  • Open-source software offered non-commercially 
  • Medical devices already covered under MDR/IVDR 
  • Automotive components covered by type-approval rules 

However, commercialized open-source products, including those embedded in enterprise or OEM offerings, are within scope—a detail sparking considerable debate. 

CRA Product Categories: 

  • Default Category: Subject to internal checks (self-assessment) 
  • Important Class I and II Products: Must undergo third-party certification by a Notified Body due to the elevated cybersecurity risk 
  • Critical Products (Annex IV): Includes products like operating systems, credential managers, industrial firewalls, and VPN clients. 

By mid-December 2025, the European Commission will adopt detailed technical descriptions for product categories with digital elements under Classes I and II (Annex III) and those in Annex IV. 

CRA Security Requirements & Obligations 

Manufacturers (and in some cases importers and distributors) will be responsible for: 

  • Conducting risk assessments 
  • Implementing security-by-design and secure development practices 
  • Providing a Software Bill of Materials (SBOM) 
  • Ensuring vulnerability reporting and patching for 5+ years or throughout the expected product life
  • Reporting actively exploited vulnerabilities and incidents to ENISA within 24 hours 

Industry Reactions and Ongoing CRA Developments 

  • ENISA is preparing to serve as the central coordinating authority for incident and vulnerability reporting. As part of the Expert Group for the CRA, it works alongside organizations and member state authorities alike to ensure alignment. 
  • The open-source community has warned of unintended consequences. While non-commercial OSS is exempt, blurred lines in hybrid models raise compliance questions and have been a source of debate. 
  • Certification infrastructure (Notified Bodies) is not yet fully developed, although the CE marking will indicate compliance. Industry associations are urging the EU to ensure sufficient capacity ahead of the 2027 deadline. 

Navigating the New Regulatory Landscape of the Digital Operational Resilience Act (DORA) 

The Digital Operational Resilience Act (DORA), which came into effect on January 17, 2025, marks a significant shift in the European Union's approach to digital resilience in the financial sector. Aimed at ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions, DORA introduces a harmonized framework across EU Member States.

Key DORA Milestones and Implementation Timeline 

  • December 14, 2022: DORA was formally adopted by the European Parliament and Council. 
  • January 16, 2023: DORA entered into force, initiating a two-year implementation period. 
  • January 17, 2025: Full application of DORA was implemented. Financial entities are required to comply with all provisions. 

This timeline provided financial institutions with a structured period to assess and enhance their digital operational resilience frameworks in line with DORA's requirements. 

DORA Scope and Applicability 

DORA applies to a broad range of financial entities, including banks and credit institutions, insurance and reinsurance companies, investment firms, payment institutions, crypto-asset service providers, and ICT third-party service providers.  

The regulation ensures that these entities, regardless of size, implement robust ICT risk management practices. Proportionality is a key principle, meaning that requirements are scaled based on the entity's size, nature, and complexity. 

Core Pillars of DORA 

DORA compliance includes the following core pillars that form the foundation of its regulatory framework, each addressing a key component of digital operational resilience: 

  1. ICT Risk Management: Entities must establish comprehensive frameworks to identify, protect against, detect, respond to, and recover from ICT-related incidents. 

  2. Incident Reporting: Significant ICT-related incidents must be reported to competent authorities within strict timelines, including initial notification within 24 hours, followed by intermediate and final reports. 

  3. Digital Operational Resilience Testing: Regular testing, including threat-led penetration testing, is mandated to assess the effectiveness of ICT risk management frameworks. 

  4. Third-Party Risk Management: Enhanced oversight of ICT third-party service providers is mandated, with requirements for contractual arrangements, risk assessments, and monitoring. 

  5. Information Sharing: Voluntary sharing of cyber threat information among financial entities is encouraged to bolster collective resilience. 

These DORA pillars define regulatory expectations that strengthen the financial sector's ability to withstand and recover from ICT disruptions. 

Recent DORA Developments 

  • February 18, 2025: The European Supervisory Authorities (ESAs) provided a roadmap towards the designation of Critical Third-Party Providers (CTPPs). Criticality assessments will be performed, and those deemed critical will be notified of their classification by July 2025. 
  • April 30, 2025: Deadline for financial entities to submit the Register of Information, detailing all ICT third-party service providers and associated contractual arrangements. 

From Compliance Planning to Execution: Embracing EU Cyber Resilience 

As the enforcement timelines for NIS2, DORA, and the Cyber Resilience Act (CRA) unfold in parallel, one thing is clear: the EU is forging a tightly interwoven cybersecurity regulatory framework that spans operational resilience, product security, and governance accountability. For organizations operating within or serving the EU market, these are no longer isolated compliance efforts—they represent a systemic shift in how digital risk must be managed across ecosystems. 

Where NIS2 demands stronger governance and incident response at the organizational level, DORA formalizes operational resilience in the financial sector, while CRA drives security-by-design across the entire product lifecycle. The overlapping requirements signal a growing emphasis on harmonized, proactive, and transparent cyber practices. 

With enforcement timelines approaching or already underway, organizations must now pivot from planning to execution. That means harmonizing controls, operationalizing governance structures, and above all, building a culture of continuous digital resilience. To learn more about NIS2, DORA, or CRA compliance, contact us today. 

In the meantime, discover additional insights on European compliance in these helpful resources:  

About Kate Weber

Kate Weber is a Senior Manager over New Services with Schellman based in Chicago, IL. Prior to joining Schellman in 2023, Kate worked in consulting for 5+ years in the IT security and data analytics spaces. While focused on IT security, Kate specialized in Sarbanes-Oxley (SOX) 404 internal audits, ISO 27001 internal audits, HITRUST readiness, and SOC reporting. Kate is a Certified Information Systems Auditor (CISA), ISO 27001 Lead Implementer, and ISO 9001 Lead Implementer. She also previously held the HITRUST Certified CSF Practitioner (CCSFP) and Certified HITRUST Quality Professional (CHQP) certifications.