The European Union has adopted a series of laws in recent years to strengthen digital resilience. Legislation such as NIS2, DORA, CER, CSA and CRA has been enacted to make Europe more cyber-secure. But what exactly do these cybersecurity laws entail? To whom do they apply? And how do they contribute to increased cyber resilience? Below we provide an overview of these laws, their impact and how they aim to form the basis for a secure digital Europe.
The Digital Decade: foundation for a cyber-secure EU
In 2021, the European Commission launched an ambitious plan for a Digital Decade, with the goal of making Europe digitally independent and resilient by 2030. This plan focuses on strengthening digital infrastructure, businesses and services, with a strong emphasis on cyber resilience. To operate safely in the digital space, the basic components - digital products, services and networks - must be well secured.
The latest European cyber laws provide a solid legal framework to ensure this security. They target different sectors, from critical infrastructure to financial services and digital products, in order to reduce the risk of cyber attacks. Below we discuss the five most important laws, NIS2, DORA, CER, CSA and CRA, and how they complement each other.
The legislative framework around cybersecurity in the EU
Below we explain the scope of each law, its main features and its entry into force. For ease of understanding: European legislation is enacted either as a directive or as a regulation (sometimes called an "act"). Regulations are directly applicable in all EU member states. Directives must first be transposed into national (for example Belgian) law before they apply, and each member state may set its own details within the limits of the directive.
NIS2: Network and Information Security Directive 2
- Scope of NIS2: Critical sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, ICT service management (e.g. data centers and cloud providers), public administration, space, digital providers and others.
- What is the purpose of NIS2? NIS2 is the successor to the 2016 NIS Directive and imposes more stringent cybersecurity measures on a larger number of entities in critical sectors. Penalties for non-compliance are tightened, and the management bodies of these entities can be held personally liable for failing to meet their obligations.
- Entry into force of NIS2: NIS2 had to be transposed into the legislation of EU member states by Oct. 17, 2024. In Belgium, the transposition law was approved on April 18, 2024 and published in the Belgian Official Gazette on May 17, 2024. This NIS2 law entered into force in Belgium on Oct. 18, 2024.
DORA: Digital Operational Resilience Act
- Scope of DORA: Financial entities (such as banks, insurers and investment fund managers), as well as ICT third-party service providers that deliver critical services to these financial entities (such as providers of cloud services and data reporting services).
- What is the purpose of DORA? This regulation seeks to increase the digital operational resilience of the financial sector, with requirements for ICT risk management and incident reporting. Financial entities must also have their digital resilience tested regularly and must apply strict requirements when selecting and contracting ICT vendors.
- Entry into force of DORA: DORA entered into force on Jan. 16, 2023 and has applied since Jan. 17, 2025. As a regulation, it did not require transposition into national law.
CER: Critical Entities Resilience Directive
- Scope of CER: Entities that provide essential services in sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (including electronic communications networks and data centers, which are also covered by NIS2), public administration, space and food production and distribution.
- What is the purpose of CER? This directive aims to reduce vulnerabilities and strengthen the physical resilience of critical entities in the EU (against natural and man-made disasters, among other threats) in order to ensure the uninterrupted provision of essential services. These entities must conduct risk assessments and take appropriate technical, security and organizational measures to enhance their resilience.
- Entry into force of CER: CER had to be transposed into the legislation of EU member states by Oct. 17, 2024. Belgium has missed this deadline. A bill is, however, being discussed in the Belgian Parliament to amend the law of July 1, 2011 on the security and protection of critical infrastructures, as well as its implementing decree, in order to improve the availability and continuity of operation of critical infrastructures in the electricity subsector of the energy sector.
CSA: Cybersecurity Act
- Scope of the CSA: Manufacturers and providers of ICT products, services and processes within the EU.
- What is the purpose of the CSA? This regulation introduces a European certification framework for the cybersecurity of ICT products, services and processes. Certification under the framework is voluntary unless another EU law makes it mandatory. The regulation also defines the tasks and permanent mandate of ENISA, the European Union Agency for Cybersecurity.
- Entry into force of the CSA: The CSA has applied in all EU member states since June 27, 2019. In January 2024, the Commission adopted an Implementing Regulation establishing the first certification scheme under the CSA (the Common Criteria-based EUCC scheme); it applies from Feb. 27, 2025.
CRA: Cyber Resilience Act
- Scope of the CRA: Manufacturers, importers and distributors of products with digital elements (hardware and software) placed on the EU market.
- What is the purpose of the CRA? The CRA aims to improve the cybersecurity of hardware and software products by imposing essential cybersecurity requirements on the design, development and production of such products. It also requires manufacturers to handle vulnerabilities throughout the support period of the product, including providing security updates and reporting actively exploited vulnerabilities and severe incidents.
- Entry into force of the CRA: The CRA entered into force on Dec. 10, 2024. Most of its obligations apply after a transition period of 36 months, i.e. from Dec. 11, 2027; the manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from Sept. 11, 2026.
