The Role of the EU Cyber Resilience Act and NIS2 Directive

Feb 2, 2026 | blog

The importance of cybersecurity has never been greater, especially in light of the evolving digital landscape and escalating cyber risks. Two major EU regulatory frameworks – the Cyber Resilience Act (CRA) and the NIS2 (Network and Information Security) Directive – epitomize the growing commitment to securing the digital ecosystem, both by setting rigorous cybersecurity standards and by fostering cooperation among member states.

The Cybersecurity Landscape

According to the Global Cybersecurity Outlook 2025, cyber threats continue to escalate worldwide. Around 72% of organizations surveyed have reported a rise in cyber risks, largely fueled by ransomware, AI-powered tools, and increasingly sophisticated attacks. Examining how organizations measure up, it was found: 

  • Amongst large corporations the average cybersecurity maturity level stands at 54%, showing a slight yearly improvement but indicating a need for growth. A 56% average protection rate against ransomware attack vectors among large companies indicates that without improved defences, major breaches can still occur. Small and mid-sized businesses also lag behind, with 36% considered in a critical cybersecurity state, despite an 18% improvement from 2024. (Source)
  • The financial sector leads with a 62.5% maturity score, motivated by regulatory pressure and investments.  (Source)
  • Information security spending is rising, now at 9% of IT budgets in the EU, reflecting increasing investment but also recruitment challenges, as cybersecurity staffing ratios have declined despite the rising demand. 90% of organizations expect a surge in cyberattacks next year, emphasizing the urgency for preparedness. (Source)

Why the Cyber Resilience Act is Crucial for Digital Products 

The Cyber Resilience Act (CRA) addresses the challenges of managing vulnerabilities and preventing cyber incidents by establishing uniform cybersecurity criteria for digital products available on the EU market. Around two-thirds of incidents reported under the Network and Information Security (NIS) framework result from exploited vulnerabilities, showing that managing hardware and software security throughout the entire product lifecycle – from design, to development, and through to decommissioning – is essential. (Source)

The CRA focuses on: 

  • Cybersecurity rules and essential requirements for connected products with digital elements, including hard- and software, in both consumer and OT contexts.
  • Obligations spanning the entire supply chain, to be addressed by manufacturers, importers and distributors.
  • Lifecycle security, market surveillance, and enforcement to ensure ongoing compliance.

Notably, the CRA excludes cloud-based services or SaaS products, which fall under the scope of the NIS2 Directive, and other special categories such as medical or automotive devices, which are already covered by existing legislation. 

The Role of NIS2 in Strengthening Cyber Resilience 

The revised NIS2 Directive builds on its predecessor by addressing fragmented resilience across member states and sectors. It promotes: 

  • A high level of cybersecurity across the EU, with mandatory measures such as incident handling, supply chain security and vulnerability management.
  • Enhanced cooperative structures, including a dedicated Cooperation Group to facilitate sharing of cyber threat intelligence and best practices, as well as a network of national Computer Security Incident Response Teams (CSIRTs) to coordinate operational response efforts.

The NIS2 directive raises the bar on cybersecurity governance, risk management, and compliance especially amongst the sectors newly included within its scope. Despite ongoing efforts, many organizations currently fail to fully comply with NIS2 standards, with significant gaps remaining in areas such as third-party risk evaluation and asset management.

Furthermore, while cybersecurity budgets and manpower have generally risen due to NIS2, many entities (particularly SMEs) face difficulties in securing adequate resources to meet these demands.

What These Developments Mean

The CRA and NIS2 together set EU-wide stringent cybersecurity standards that impact businesses operating in the EU, and also help to elevate security practices globally due to the market’s size and influence. The regulations encourage adoption of secure-by-design principles and robust risk management processes across digital product and service lifecycles.

These regulations incentivize greater investment in cybersecurity technologies and human capital, though persistent workforce shortages pose ongoing challenges. With cyberattacks growing in frequency and complexity, compliance with CRA and NIS2 provisions is critical to mitigating breaches, protecting sensitive data, and maintaining confidence in digital applications and products.

The emphasis on cross-border cooperation also strengthens the EU’s collective capabilities in incident detection, response, and recovery, thereby enhancing the overall resilience of the union against cyber threats.

While this overview only scratches the surface of the Cyber Resilience Act and NIS2 Directive, it is clear that cybersecurity remains a foundational element for the safety and reliability of digital products and services. The EU’s evolving regulatory landscape continues to make decisive progress in enforcing security from the earliest stages of product development, and unifying efforts to counteract rising cyber threats. To navigate the complex cyber risk landscape effectively, organizations must commit to compliance and allocate appropriate resources toward cybersecurity initiatives.

CRACoWi project at the CRA Webinar for Dutch SMEs

Nov 13, 2025 | All events, blog, CRACoWi project, news

We are delighted that CRACoWi projectwas invited to participate in the Cyber Resilience Act (CRA) Webinar on 11 November, organized by the Dutch Ministry of Economic Affairs and the National Cybersecurity Center of the Netherlands (NCC NL).

The webinar aimed to help Dutch SMEs understand the Cyber Resilience Act and prepare for compliance with the upcoming regulation. Two EU-funded projects, CRACoWi and SECURE, were featured during the session,

Eleftheria Marini (ITML) as Project Coordinator of CRACoWi, provided an overview of the the project’s goals and impact in supporting European SMEs toward CRA compliance, with a special focus on how CRACoWi can benefit end users, particularly SMEs developing or deploying digital products.

Pablo Endres (SevenShift) presented the technical perspective, offering a high-level overview of the technologies and tools being developed, including the Cyber Resilience Act Compliance Wizard, an AI-supported framework for automated cybersecurity assessment, documentation and certification support.

The event was an important step in raising awareness and enhancing collaboration around CRA implementation across Europe, showcasing how initiatives like CRACoWi and SECURE contribute to empowering SMEs toward a more secure digital future.

Lessons from Asia-Pacific VPN Exploits

Nov 5, 2025 | blog, Cyber resilience act

Ransomware operators are getting faster, stealthier, and more aggressive – and the cost of delayed action is growing.

The recent article from CySecurity News highlights a troubling surge in ransomware and data exfiltration attacks across the Asia-Pacific region. Let`s outline how ransomware groups like Akira are systematically targeting vulnerable VPN configurations and unpatched systems. The manufacturing sector, critical infrastructure, and telecommunications are particularly hard hit, revealing how outdated technologies and weak credential management expose organizations to severe risks.

What’s concerning is not just the scale of the intrusions – but the shift in tactics:

  • Exploiting known VPN vulnerabilities (like CVE-2024-40766) within days of disclosure
  • Bypassing multi-factor authentication using stolen session tokens
  • Monetizing breaches through access sales, data theft, and non-encrypting extortion

These attacks aren’t just technical – they’re strategic. They aim to destabilize operations, erode trust, and extract long-term value from compromised environments.

This alarming trend underscores a universal truth – cyber resilience is no longer optional – it is a business imperative. The evolving sophistication of ransomware actors, coupled with the rise of non-encrypting extortion schemes, demands a paradigm shift from reactive patching to proactive, intelligence-driven defence.

What does this mean for Europe?

While the attacks are currently concentrated in APAC, the tactics are global – and the vulnerabilities they exploit exist in EU-based networks and products. That’s why the European Cyber Resilience Act (CRA) is not just timely – it’s necessary.

The CRA sets a clear baseline – if a product is digital, connected, and sold in the EU, it must be secure-by-design and secure-by-default. This means embedding cybersecurity principles from the earliest stages of product conception, rather than adding fixes later. Its goal is to shift the burden away from consumers and reactive IT teams and toward manufacturers and developers – ensuring that digital products are designed with security in mind from day one, and supported throughout their lifecycle.

Specifically, the CRA requires:

  • Mandatory risk management throughout the product lifecycle
  • Post-market support and timely software updates
  • Built-in mechanisms for vulnerability handling and reporting

However, legislation alone isn’t enough. Compliance must be supported by guidance, tools, and practical frameworks -especially for SMEs that lack extensive cybersecurity resources (as well as money, time and knowledge).

The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.

This is precisely where the European Union’s projects like the CRACoWi project(Cyber Resilience Act Compliance Wizard Tool) play a crucial role. CRACoWi is a digital assistant that helps companies (particularly SMEs) understand what CRA means for them, assess their cybersecurity risks, and take concrete compliance actions early in the product design process. It promotes a “secure-by-design” approach, which is essential to prevent vulnerabilities like those exploited in these APAC VPN attacks.

The EU’s Cyber Resilience Act and initiatives like CRACoWi champion embedding cybersecurity into digital products -including VPNs and network devices – to reduce risks before they become incidents. While patch management, credential hygiene, and account lockout policies remain critical, they are reactive measures. The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.

Moreover, the APAC ransomware crisis reflects broader global challenges – supply chains dependent on legacy technology, complex operational networks vulnerable to breach, and the human factor as the primary entry vector exploited via social engineering. These challenges emphasize why the EU’s holistic approach – combining regulation, innovative compliance tools like CRACoWi, and continuous awareness campaigns – is critical to enhancing digital trust and resilience.

As ransomware actors sharpen their tactics with automation, credential theft, and stealthy persistence, Europe’s emphasis on a multilayered defense posture and intelligence-led security frameworks becomes a model for global cybersecurity strategies.

Cybersecurity is an enabler of business continuity and trust, not just compliance.

Funded under the Digital Europe Programme, CRACoWi is not only building the CRA Compliance Wizard but also providing awareness materials, FAQs, and support resources to bridge the gap between regulation and implementation for European businesses.

The APAC ransomware wave and VPN exploit trends serve as a critical reminder – cybersecurity is an enabler of business continuity and trust, not just compliance. By embedding security from design to deployment, European initiatives like CRACoWi are paving the way toward a safer digital future for all.

Because cyber resilience is not just about patching systems after the fact – it’s about building products, businesses, and ecosystems capable of resisting, recovering, and adapting to threats that continue to evolve.

If ransomware actors are moving faster, so must we. Security-by-design is not a feature – it’s a requirement.

Transatlantic Cooperation for Cybersecurity and a Safer Future for IoT Products

Feb 27, 2025 | blog, news

In an era of growing cyber threats, the European Union and the United States have taken a major step toward enhancing global cybersecurity. On January 30, 2024, both sides signed an Administrative Arrangement on a Joint CyberSafe Products Action Plan, reinforcing their commitment to securing consumer IoT products. This collaboration aims to advance technical cooperation and work toward mutual recognition of cybersecurity requirements for IoT hardware and software, ultimately strengthening consumer protection while easing compliance for businesses.

This agreement builds on existing cybersecurity frameworks. In the EU, the Cyber Resilience Act (CRA) establishes security requirements for digital products, while in the U.S., the Cyber Trust Mark Program serves as a labeling system to help consumers identify secure IoT products. By aligning regulatory approaches, the EU and U.S. are working toward a seamless transatlantic market for trusted digital products, making it easier for companies to comply with consistent security standards while enhancing global cybersecurity.

As part of this initiative, both sides are committed to developing a shared cybersecurity lexicon and taxonomy, improving coordination in standards development, and exploring potential alignment of certification processes. The Action Plan highlights the importance of fostering collaboration between governments and industry players, ensuring that regulations remain effective and practical. European Commissioner Thierry Breton emphasized that this agreement brings “concrete benefits for consumers and businesses” and reinforces the shared commitment to strengthening cybersecurity across borders.

The CRACoWi project (Cyber Resilience Act Compliance Wizard) plays an essential role in supporting businesses – particularly SMEs – by helping them navigate cybersecurity regulations, assess compliance under the Cyber Resilience Act, and integrate security-by-design principles into IoT product development. By providing clear guidance on certification processes, CRACoWi ensures that companies can meet regulatory requirements without being overwhelmed by complexity.

With this agreement in place, the EU and U.S. are setting the stage for stronger cybersecurity cooperation. Their focus on harmonizing security standards, promoting international best practices, and fostering industry engagement will help shape a more resilient digital ecosystem. As the world becomes increasingly interconnected, initiatives like these are vital to ensuring the safety and trustworthiness of digital products.

Australia’s Landmark Cyber Security Bill 2024

Jan 24, 2025 | blog, news

On November 25, 2024, Australia passed the Cyber Security Bill 2024, ushering in a significant step forward in its efforts to enhance cybersecurity. At its core, this legislation sets mandatory security standards for “relevant connectable products,” or smart devices, that connect to the internet. This landmark move reflects a global trend toward stricter regulations on consumer technologies to safeguard against the increasing risks of cyber threats. Let’s take a look at what the Cyber Security Bill 2024 is all about.

What Does the Cyber Security Bill 2024 Do? 

One of the defining features of the Bill focuses specifically on security standards for connectable products such as smart home devices, wearables, and IoT systems. The legislation mandates that manufacturers, suppliers, and importers of these products comply with strict security measures to ensure their safety and reliability. 

The Cyber Security Bill 2024 introduces robust measures to enhance the security of internet-connected devices, aiming to protect consumers and businesses from the growing risks of cyberattacks.  

Mandatory Security Standards 

At the heart of the legislation is the requirement for manufacturersto comply with mandatory cybersecurity standards set out by the Australian Minister for Home Affairs. These standards are defined through Ministerial rules, providing a flexible framework that can adapt to evolving cybersecurity challenges and emerging threats. By ensuring that all “relevant connectable products” meet these security benchmarks, the legislation establishes a baseline for device safety, making it harder for vulnerabilities to be exploited. 

Definition Alignment 

To streamline compliance for international manufacturers, the legislation aligns its definitions with those found in the UK’s Product Security and Telecommunications Infrastructure Act 2022. This alignment not only reduces complexity for global companies but also encourages a harmonized approach to IoT security across jurisdictions. For manufacturers operating in multiple markets, this consistency minimizes administrative burdens and supports the development of secure products that meet global standards.

Consumer Focus 

One of the Cyber Security Bill’s primary objectives is to prioritize consumer safety and trustin the ever-expanding market of smart devices. As smart home appliances, wearable technologies, and IoT-enabled systems become ubiquitous, the risks of cyberattacks increase exponentially. This legislation ensures that products are designed with security as a core feature, protecting end-users from threats such as unauthorized access, data breaches, and system hijacking. 

The focus on consumer protection reflects a broader commitment to fostering trust in technology, ensuring that users feel confident adopting smart devices without compromising their security or privacy. 

Addressing Vulnerabilities in Smart Devices 

Smart devices have become an integral part of daily life, from wearables and home assistants to industrial IoT applications. However, their rapid adoption has also made them prime targets for cyberattacks. These attacks can result in devastating consequences, including data breaches, unauthorized surveillance, and disruptions to critical systems. 

By mandating robust security standards, the Cyber Security Bill 2024 aims to reduce these vulnerabilities, ensuring that manufacturers adopt secure-by-design principles. This not only safeguards consumers but also mitigates risks for businesses and critical infrastructures relying on IoT solutions. 

In combination with its focus on adaptability and global alignment, this legislation positions Australia as a leader in IoT security, setting a standard that other nations may follow. As cybersecurity becomes an essential feature rather than an afterthought, this legislation paves the way for a more secure and resilient digital future. 

Why the Cyber Security Bill Matters 

The introduction of the Cyber Security Bill 2024 reflects Australia’s commitment to staying ahead in the cybersecurity landscape, particularly in the rapidly expanding market of smart devices. Its alignment with international standards underscores a coordinated global approach to managing cyber risks. 

This move is particularly timely, given the growing number of smart devices in homes and workplaces. From connected thermostats to industrial IoT devices, these technologies introduce convenience but also create potential security vulnerabilities. By requiring manufacturers to incorporate robust security measures, the Bill ensures a safer environment for consumers and businesses alike. 

Setting the Global Standard 

Both Australia’s Cyber Security Bill and the EU’s Cyber Resilience Act (CRA) highlight the increasing focus on IoT and digital product security. These regulations signal to manufacturers worldwide that cybersecurity can no longer be an afterthought. Instead, secure-by-design principles and ongoing compliance will be critical for market access. 

These laws contribute to streamlined global standards, simplifying compliance for global manufacturers, enabling them to design products that meet multiple regulatory frameworks. At the same time, these regulations elevate consumer expectations, as end-users increasingly demand robust security features in digital products. In turn, this puts pressure on companies to innovate and prioritize safety in their offerings, and open up new opportunities for innovation in cybersecurity, particularly for companies specializing in tools and solutions that assist manufacturers in meeting stringent security requirements.  

Together, these trends are reshaping the digital product landscape, driving progress toward a more secure and resilient global ecosystem. 

What Businesses Should Do Now 

Whether targeting the Australian, European, or global market, businesses must

  1. Understand Regional Regulations: Stay updated on cybersecurity laws in key markets. 
  2. Adopt Secure-by-Design Principles: Integrate security into product development from the outset. 
  3. Collaborate Globally: Engage with initiatives like CRACoWi to stay ahead of regulatory trends. 

CRACoWi Project is here to help 

The Cyber Resilience Act Compliance Wizard (CRACoWi) project recently aligned with these regulations as it addresses: 

  • Awareness Building: Educating manufacturers and users on security risks and compliance requirements. 
  • Support for SMEs: Providing resources to help small businesses navigate complex global regulations. 
  • Promoting Secure-by-Design: Encouraging innovation in device security to meet evolving standards. 

Highlighting these regulations on the CRACoWi platform emphasizes the project’s role in fostering a resilient global IoT ecosystem.

💡 Stay Connected:

CRACoWi White Paper

Dec 11, 2024 | blog, CRACoWi project, Cyber resilience act, news

The digitalization of the global economy is driving a massive shift in consumer and business behaviors, creating an interconnected ecosystem of billions of devices and millions of applications. This exponential growth amplifies the importance of robust cybersecurity measures, especially as critical infrastructures like energy, healthcare, and financial services become increasingly reliant on digital technologies.

Recognizing these challenges, the EU has introduced the Cyber Resilience Act (CRA) to establish mandatory cybersecurity requirements for products with digital elements. To support organizations in meeting these stringent standards, the CRACoWi project has developed an innovative solution – the Cyber Resilience Act Compliance Wizard. This white paper explores the critical role of CRACoWi in helping SMEs navigate the complexities of CRA compliance.

A few topics from the document:

  • The emerging cybersecurity risks for critical infrastructures and IoT ecosystems.How the CRA establishes a secure framework for digital products through lifecycle management and vulnerability reduction.
  • The role of the CRACoWi Compliance Wizard in automating compliance, documentation, and certification processes for SMEs.
  • Real-world applications of CRACoWi tools, showcasing their adaptability across industries and product categories.
  • The strategic importance of collaboration between regulatory bodies, industry leaders, and innovative SMEs to ensure a resilient digital future.

SMEs play a vital role in the EU’s digital economy but often face challenges in meeting complex regulatory requirements. This white paper outlines practical solutions provided by CRACoWi, including automated compliance assessments, AI-powered self-assessment tools, and lifecycle security management methodologies. It highlights how CRACoWi enables SMEs to strengthen product security, reduce compliance burdens, and maintain a competitive edge in a rapidly evolving market.

Gain comprehensive insights about CRACoWi:

Download the CRACoWi White Paper

Cyber Resilience Act Published as Regulation in the Official Journal

Nov 22, 2024 | blog, Cyber resilience act, news

The Cyber Resilience Act (CRA) has officially been adopted, marking a major step towards enhancing cybersecurity standards across the EU. Its publication in the Official Journal of the European Union (EUR-Lex) as Regulation 2024/2847was the final step in the legislative process for the CRA. The act establishes horizontal cybersecurity requirements for products with digital elements, addressing widespread vulnerabilities and inconsistent security update practices, with the aim of improving the security and resilience of digital products throughout their lifecycle​.

This final step defines the deadlines as follows:

  • December 10, 2024: Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA will enter into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.
  • September 11, 2026: Reporting obligations for stakeholders take effect.
  • December 11, 2027: Full application of the regulation.

The CRA introduces horizontal cybersecurity standards applicable to hardware, software, and digital services. The goal is to address widespread vulnerabilities and ensure that manufacturers prioritize security throughout a product’s lifecycle.

The regulation requires manufacturers to adopt vulnerability management processes and ensure timely security updates. It emphasizes transparency in the product lifecycle, obligating manufacturers to clearly communicate the duration of support for security updates.

The act also includes provisions to support microenterprises and small businesses, particularly in understanding and complying with the cybersecurity standards required by the regulation.

The Scope and Specific Provisions of the Cyber Resilience Act (CRA) require that all products with digital elements meet mandatory cybersecurity standards before being sold in the EU. Products must also display the CE marking, indicating compliance with EU safety regulations. Additionally, the CRA distinguishes between “important” and “critical” products, with stricter assessments applied to higher-risk products to ensure greater security.

Furthermore, the CRA ensures consumers are better informed about the security features of digital products, providing them with tools to choose secure devices and ensuring a safer digital environment for end-users, including children.

Overall, the Cyber Resilience Act sets the foundation for a more resilient digital landscape in Europe by mandating essential cybersecurity measures for all digital products. Emphasizing transparency, the CRA requires from manufacturers to prioritize cybersecurity at every stage – from design to end-of-life – while ensuring users are informed about security support periods. By harmonizing requirements across the EU, the act aims to foster a secure digital market while minimizing risks for consumers and businesses alike.

For more details, see the full regulation on EUR-Lex.