
How NexCyber decides which regulations apply to you

Last updated on Jun 02, 2026

Assessments — Applicability is the foundation of every assessment. Here's how NexCyber determines which EU cybersecurity regulations are in scope for your company.


EU regulations don't apply uniformly. Some target product manufacturers (CRA, RED). Others target essential entities (NIS2). Others target the financial sector (DORA). Others target AI providers and deployers (AI Act). Before you spend time on an assessment, you need to know which ones actually concern you.

This article explains how NexCyber decides — transparently, with the legal anchor for every conclusion.

The applicability inputs

NexCyber reads three pieces of your profile to determine applicability:

  1. Country of registration — anchors you to EU member state law.
  2. Sector — drives NIS2 essential / important / out-of-scope classification.
  3. Company size (headcount + turnover) — drives the thresholds in NIS2, DORA, and the AI Act.

Plus, for each regulation, a series of regulation-specific questions during the assessment (do you place products on the EU market? do you operate an AI system? do you handle financial data? etc.).

How each regulation's applicability is decided

CRA — Cyber Resilience Act

Applies if: you place a product with digital elements on the EU market. Digital elements = software, hardware with connected components, IoT devices, AI systems embedded in products. Full enforcement from 11 December 2027.

Decision anchor: Regulation (EU) 2024/2847, Art. 2.

NIS2

Applies if: you operate in one of the 18 sectors listed in Annex I/II of the Directive and you meet the size threshold (medium = 50+ headcount or €10M+ turnover for most sectors). Essential vs important entity classification follows.

Decision anchor: Directive (EU) 2022/2555, Art. 2 + Annexes I/II.

AI Act

Applies if: you are a provider (you develop or place an AI system on the EU market) or a deployer (you use an AI system within the EU). Risk tier (prohibited · high-risk · limited · minimal) determines obligations.

Decision anchor: Regulation (EU) 2024/1689, Art. 2-6 + Annex III.

DORA

Applies if: you are a financial entity as defined in Art. 2 (banks, payment institutions, insurance, crypto-asset service providers, etc.) or a critical ICT third-party provider to one. In force from 17 January 2025.

Decision anchor: Regulation (EU) 2022/2554, Art. 2.

RED — Radio Equipment Directive

Applies if: you place radio equipment (any device that intentionally emits or receives radio waves for communication or radio determination) on the EU market. Cyber requirements from 1 August 2025.

Decision anchor: Directive 2014/53/EU + Delegated Act 2022/30.

When you're "not applicable"

This is good news. A regulation that doesn't apply to you is a regulation you can ignore — and we don't bury that finding under a "still recommended" disclaimer. We say plainly: "CRA does not apply to your company because…" with the article and the threshold that excluded you.

You can re-check applicability anytime — if your sector, size, or product mix changes, your applicability picture moves.

What if you're unsure?

Run a Free Scope Review. It takes 5 minutes and gives you a clear applicability map for all five regulations without you committing to a full assessment.


ℹ️ Disclaimer — RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center