The Role of the EU Cyber Resilience Act and NIS2 Directive

2 Feb, 2026

The importance of cybersecurity has never been greater, especially in light of the evolving digital landscape and escalating cyber risks. Two major EU regulatory frameworks – the Cyber Resilience Act (CRA) and the NIS2 (Network and Information Security) Directive – epitomize the growing commitment to securing the digital ecosystem, both by setting rigorous cybersecurity standards and by fostering cooperation among member states.

The Cybersecurity Landscape

According to the Global Cybersecurity Outlook 2025, cyber threats continue to escalate worldwide. Around 72% of organizations surveyed reported a rise in cyber risks, largely fueled by ransomware, AI-powered tools, and increasingly sophisticated attacks. Examining how organizations measure up, the report found:

  • Among large corporations the average cybersecurity maturity level stands at 54%, showing a slight yearly improvement but indicating a need for further growth. A 56% average protection rate against ransomware attack vectors among large companies indicates that, without improved defences, major breaches can still occur. Small and mid-sized businesses also lag behind, with 36% considered to be in a critical cybersecurity state, despite an 18% improvement from 2024. (Source)
  • The financial sector leads with a 62.5% maturity score, driven by regulatory pressure and investment. (Source)
  • Information security spending is rising, now at 9% of IT budgets in the EU, reflecting increasing investment but also recruitment challenges, as cybersecurity staffing ratios have declined despite rising demand. 90% of organizations expect a surge in cyberattacks next year, emphasizing the urgency of preparedness. (Source)

Why the Cyber Resilience Act is Crucial for Digital Products 

The Cyber Resilience Act (CRA) addresses the challenges of managing vulnerabilities and preventing cyber incidents by establishing uniform cybersecurity criteria for digital products placed on the EU market. Around two-thirds of incidents reported under the Network and Information Security (NIS) framework result from exploited vulnerabilities, showing that managing hardware and software security throughout the entire product lifecycle – from design and development through to decommissioning – is essential. (Source)

The CRA focuses on: 

  • Cybersecurity rules and essential requirements for connected products with digital elements, including hardware and software, in both consumer and OT contexts.
  • Obligations spanning the entire supply chain, to be addressed by manufacturers, importers and distributors.
  • Lifecycle security, market surveillance, and enforcement to ensure ongoing compliance.

Notably, the CRA excludes cloud-based services and SaaS products, which fall under the scope of the NIS2 Directive, as well as other special categories such as medical or automotive devices, which are already covered by existing legislation.

The Role of NIS2 in Strengthening Cyber Resilience 

The revised NIS2 Directive builds on its predecessor by addressing fragmented resilience across member states and sectors. It promotes: 

  • A high level of cybersecurity across the EU, with mandatory measures such as incident handling, supply chain security and vulnerability management.
  • Enhanced cooperative structures, including a dedicated Cooperation Group to facilitate sharing of cyber threat intelligence and best practices, as well as a network of national Computer Security Incident Response Teams (CSIRTs) to coordinate operational response efforts.

The NIS2 Directive raises the bar on cybersecurity governance, risk management, and compliance, especially among the sectors newly brought within its scope. Despite ongoing efforts, many organizations currently fail to fully comply with NIS2 requirements, with significant gaps remaining in areas such as third-party risk evaluation and asset management.

Furthermore, while cybersecurity budgets and manpower have generally risen due to NIS2, many entities (particularly SMEs) face difficulties in securing adequate resources to meet these demands.

What These Developments Mean

The CRA and NIS2 together set EU-wide stringent cybersecurity standards that impact businesses operating in the EU, and also help to elevate security practices globally due to the market’s size and influence. The regulations encourage adoption of secure-by-design principles and robust risk management processes across digital product and service lifecycles.

These regulations incentivize greater investment in cybersecurity technologies and human capital, though persistent workforce shortages pose ongoing challenges. With cyberattacks growing in frequency and complexity, compliance with CRA and NIS2 provisions is critical to mitigating breaches, protecting sensitive data, and maintaining confidence in digital applications and products.

The emphasis on cross-border cooperation also strengthens the EU’s collective capabilities in incident detection, response, and recovery, thereby enhancing the overall resilience of the union against cyber threats.

While this overview only scratches the surface of the Cyber Resilience Act and NIS2 Directive, it is clear that cybersecurity remains a foundational element of the safety and reliability of digital products and services. The EU’s evolving regulatory landscape continues to make decisive progress in enforcing security from the earliest stages of product development and in unifying efforts to counteract rising cyber threats. To navigate the complex cyber risk landscape effectively, organizations must commit to compliance and allocate appropriate resources to cybersecurity initiatives.
