
The five EU regulations NexCyber covers

Last updated on Jun 02, 2026

💡 📊 Assessments — A reference summary of CRA, NIS2, AI Act, DORA, and RED — who they target, what they require, and how NexCyber maps them.

NexCyber natively covers the five EU regulations that together form the new cybersecurity baseline for digital companies operating in or selling to the European market. This article is a reference card — keep it open during your assessment.

CRA — Cyber Resilience Act

Regulation (EU) 2024/2847 · Applies in full from 11 December 2027; the Art. 14 reporting obligations apply earlier, from 11 September 2026.

Targets : anyone who places a product with digital elements on the EU market. Software vendors, IoT manufacturers, embedded device makers, AI providers, hardware companies — all in scope. Pure SaaS is out of scope, except for the remote data processing a product depends on to perform its functions.

Core obligations :

  • Annex I Part I — essential cybersecurity requirements (secure-by-default configuration, no known exploitable vulnerabilities at release, attack-surface minimisation, security logging)
  • Annex I Part II — vulnerability handling: SBOM (Software Bill of Materials), coordinated vulnerability disclosure policy, free security updates for the support period
  • Art. 13 — manufacturer obligations (risk assessment, technical documentation, support period of at least five years unless the expected product lifetime is shorter)
  • Art. 14 — reporting of actively exploited vulnerabilities and severe incidents (24h early warning · 72h notification · final report, 14 days for vulnerabilities and 1 month for incidents)
  • Art. 32 + Annex VIII — conformity assessment route (Module A self-assessment for default products; Module B+C or H with a notified body for most important and critical products)

Maximum exposure : €15M or 2.5% of global annual turnover, whichever is higher.

NIS2 — Directive on the security of network and information systems

Directive (EU) 2022/2555 · Transposition deadline 17 October 2024; as a directive, it binds you through each Member State's national transposing law.

Targets : essential and important entities across 18 sectors (Annex I and Annex II) — energy, transport, banking, health, digital infrastructure, ICT service management, public administration, manufacturing of computer/electronic products, and more. Size threshold is normally medium-sized (50+ headcount or €10M+ annual turnover or balance sheet), but some providers are in scope regardless of size, e.g. DNS service providers, TLD registries, trust service providers and public electronic communications providers.

Core obligations :

  • Art. 20 — governance: the management body must approve and oversee the risk management measures and can be held liable
  • Art. 21 — 10 cybersecurity risk management measures (Art. 21(2)(a)-(j)), including supply-chain security under Art. 21(2)(d)
  • Art. 22 — EU-level coordinated security risk assessments of critical supply chains
  • Art. 23 — incident reporting cascade (24h early warning · 72h notification · 1 month final report)
  • Art. 34 — administrative fines up to €10M or 2% global turnover for essential entities, €7M or 1.4% for important entities

AI Act

Regulation (EU) 2024/1689 · Risk-tiered, staggered application: prohibitions since 2 February 2025, general-purpose AI model obligations since 2 August 2025, most remaining obligations from 2 August 2026, Annex I product-embedded high-risk systems from 2 August 2027.

Targets : providers (you develop an AI system or place it on the EU market under your name) and deployers (you use an AI system under your authority) in the EU, plus non-EU providers and deployers whose system's output is used in the EU. Risk tier drives obligations :

  • Tier 1 — Prohibited (Art. 5) : social scoring, manipulative or exploitative AI, untargeted facial-image scraping, etc. Banned outright.
  • Tier 2 — High-risk (Art. 6 + Annex III, or safety components of products under Annex I legislation) : credit scoring, employment, education, law enforcement, critical infrastructure, etc. Risk management, data governance, logging, human oversight, conformity assessment.
  • Tier 3 — Limited risk (Art. 50) : transparency obligations only (tell users they are talking to a chatbot, label deepfakes and AI-generated content, disclose emotion recognition and biometric categorisation).
  • Tier 4 — Minimal risk : no specific obligations.

Maximum exposure : €35M or 7% global turnover (Tier 1 violations).

DORA — Digital Operational Resilience Act

Regulation (EU) 2022/2554 · Applies since 17 January 2025.

Targets : EU financial entities (banks, payment institutions, insurance, investment firms, crypto-asset service providers, etc.) and their critical ICT third-party providers.

Five pillars :

  • Art. 5-16 — ICT risk management framework (Art. 5 management body accountability; Art. 16 simplified framework for small entities)
  • Art. 17-23 — ICT-related incident classification + reporting to the competent authority
  • Art. 24-27 — digital operational resilience testing, including threat-led penetration testing (TLPT) at least every three years for entities designated by their authority
  • Art. 28-30 — ICT third-party risk: key principles, register of information on all ICT contractual arrangements, mandatory contractual provisions (Art. 31-44 add the EU oversight framework for critical ICT third-party providers)
  • Art. 45 — information + cyber threat intelligence sharing arrangements

Maximum exposure : DORA sets no EU-wide fine ceiling for financial entities; administrative penalties are set by each Member State (Art. 50-51). Critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover (Art. 35).

RED — Radio Equipment Directive (Cyber Delegated Act)

Directive 2014/53/EU + Commission Delegated Regulation (EU) 2022/30 · Cyber requirements apply since 1 August 2025 (postponed from the original 1 August 2024 date).

Targets : manufacturers of radio equipment placed on the EU market (Wi-Fi devices, Bluetooth, cellular, satellite — anything that intentionally emits or receives radio waves). The cyber requirements bite on internet-connected radio equipment, on childcare, toy and wearable equipment that processes personal data, and on equipment that enables the transfer of money or monetary value.

Three cyber essential requirements in RED Art. 3(3), activated by the Delegated Regulation for the equipment categories above :

  • Art. 3(3)(d) — the equipment must not harm the network or misuse network resources (internet-connected equipment)
  • Art. 3(3)(e) — safeguards for personal data and privacy (internet-connected equipment, plus childcare, toys and wearables)
  • Art. 3(3)(f) — protection against fraud (equipment handling money, monetary value or virtual currency)

Harmonised standards : EN 18031-1/-2/-3 (one part per requirement), listed in the Official Journal with restrictions. Conformity assessment via Module A (self-assessment) is available only where the standards are applied in full without relying on the restricted provisions (for example a user-selectable no-password option); otherwise a notified body is needed via Module B+C or H.

Maximum exposure : market withdrawal + national financial penalties.

How to choose your first assessment

Most companies are in scope for two or more regulations. Common combinations :

  • Product companies : CRA + NIS2
  • AI providers : AI Act + GDPR (GDPR is not covered by NexCyber)
  • Financial sector : DORA + NIS2
  • IoT manufacturers : CRA + RED + NIS2

Start with the regulation whose application date is closest to you, then iterate over the others; many controls (risk management, incident reporting, supply-chain assurance) satisfy several regulations at once.

→ See "How NexCyber decides which regulations apply to you"
→ See "Fastest path to your first MRCC Certificate"


💬 Need help?

  • Reach out via our live chat (bottom-right) — Captain AI replies instantly, human experts within business hours.
  • Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

â„šī¸ Disclaimer — RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center