TL;DR
NexCyber RICE covers 5 EU regulatory frameworks. This page is your one-page functional map. Detailed pages live in each section.
Disclaimer โ RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.
๐ At a glance
| Framework | Scope (functional) | Why it matters |
|---|---|---|
| ๐ก๏ธ CRA | Products with digital elements (PDE) | Manufacturers, importers, distributors placing PDEs on the EU market |
| ๐ NIS2 | Essential & important entities (18 sectors) | Medium/large entities + their suppliers |
| ๐ค AI Act | AI systems & GPAI (risk-tiered) | Providers, deployers, importers, distributors |
| ๐ก RED Cyber | Connected radio equipment | Devices processing personal data, traffic, payments |
| ๐ฆ DORA | Financial sector + critical ICT providers | Banks, insurers, fintechs, their key ICT vendors |
๐ก๏ธ CRA โ Cyber Resilience Act
Functional scope. Horizontal cybersecurity requirements for products with digital elements (PDE).
Top obligations
- Essential cybersecurity at design & development
- Vulnerability handling (coordinated disclosure, security updates)
- Conformity assessment + CE marking
- Incident & exploited-vulnerability reporting
- Technical documentation + SBOM
RICE helps scope your product estate, map applicable requirements, surface evidence gaps, ingest SBOMs, build audit-ready dossiers, issue MRCC.
RICE does NOT act as a notified body, sign your CE declaration, or replace legal counsel.
๐ NIS2 โ Network & Information Security 2
Functional scope. Baseline cybersecurity across essential & important entities, transposed per Member State.
Top obligations
- 10 minimum risk-management measures (incl. supply chain)
- Incident notification: 24h early warning ยท 72h notification ยท 1-month report
- Governance & management accountability
- Business continuity & crisis management
- Vulnerability handling & disclosure
RICE helps map entity classification, surface the 10 measures vs your evidence, track supplier risk, prepare incident-reporting templates.
RICE does NOT replace national CSIRT/CSA guidance, your DPO or CISO judgment.
๐ค AI Act โ Artificial Intelligence Act
Functional scope. Risk-tiered framework: prohibited ยท high-risk ยท limited-risk ยท minimal-risk ยท GPAI.
Top obligations (high-risk)
- Risk management across lifecycle
- Data governance & quality (training / validation / test)
- Technical documentation + record-keeping
- Transparency & instructions for use
- Human oversight, accuracy, robustness, cybersecurity
- Conformity assessment + EU declaration + CE
- Post-market monitoring + serious-incident reporting
RICE helps classify AI use cases per tier, map applicable obligations, organize technical docs, prepare GPAI transparency artifacts.
RICE does NOT run notified body assessment for high-risk AI, replace your DPIA or fundamental-rights assessment.
๐ก RED Cyber โ Radio Equipment Directive (delegated act)
Functional scope. Cybersecurity essential requirements (Art. 3.3 d/e/f) for radio equipment.
Top obligations
- 3.3.d โ Network protection
- 3.3.e โ Personal data & traffic data protection
- 3.3.f โ Fraud / monetary-value protection
- Conformity via harmonized standards (EN 18031 series) or notified body route
- Technical file + CE marking
RICE helps identify applicable sub-requirements, map evidence against harmonized standards, organize test reports, prepare technical file.
RICE does NOT run notified body testing or accredited lab measurements.
๐ฆ DORA โ Digital Operational Resilience Act
Functional scope. ICT operational resilience for financial sector + oversight of critical ICT third-party providers (CTPP).
Top obligations
- ICT risk management framework
- ICT-related incident reporting (classification + timelines)
- Digital operational resilience testing (incl. TLPT for significant entities)
- ICT third-party risk management (register, clauses, exit strategy)
- Information & intelligence sharing (voluntary)
RICE helps map entity classification, structure ICT third-party register, surface contract gaps, organize testing evidence, prepare incident-classification templates.
RICE does NOT substitute EBA/ESMA/EIOPA decisions, TLPT provider engagement, or internal audit.
๐ Regulatory overlap
Many obligations cross frameworks โ vulnerability handling (CRA, NIS2, DORA), supply-chain risk (NIS2, DORA, AI Act high-risk), incident reporting (CRA, NIS2, DORA).
Cross-Reg Decision Engine lets you assess once and reuse evidence โ instead of running 5 parallel audits. Always verify, per regulator, that a piece of evidence is acceptable for that specific obligation in its jurisdiction.
๐ซ What RICE never does
- Does not issue binding legal opinions
- Does not act as a notified body
- Does not certify your final compliance
- Does not replace your DPO, CISO, internal auditor, or external counsel
- Does not file regulatory notifications on your behalf
RICE prepares you. The final step always involves your team + your legal/certification partners.
โก๏ธ Next steps
- ๐ Run your first assessment โ see your scope & gap
- ๐ก๏ธ Reach Trust Passport & MRCC โ share readiness
- ๐ฌ Ask NexCyber Support anytime via the chat
Last reviewed: 2026-06-02 ยท Disclaimer applies on every section above.