
The EU’s cybersecurity framework: the interplay between the Cyber Resilience Act and the NIS 2 Directive

German title: The cybersecurity framework of the European Union: the interplay between the Cyber Resilience Act and the NIS 2 Directive

Published in: International Cybersecurity Law Review

Abstract

European cybersecurity legislation consists of various pieces of legislation. How does the newly proposed Cyber Resilience Act (CRA) fit into this system? In this article we briefly illustrate how the CRA proposal interacts with other pieces of EU cybersecurity legislation. We go on to highlight the interaction between the CRA proposal and the Network and Information Security 2 Directive (NIS 2) and, in particular, examine the interaction with regard to risk management measures, coordinated security risk assessments, notification requirements, and market surveillance provisions. Furthermore, we take a closer look at the relationship between the CRA proposal and the NIS 2 Directive regarding the classification of critical products with digital elements and point out the Commission’s understanding of “criticality”. We outline how the CRA proposal is designed to facilitate the compliance of essential and important entities with the complex due diligence requirements set forth in the NIS 2 Directive, and to contribute towards the comparability of information on products with digital elements. The CRA proposal will bring additional value for essential and important entities as it will facilitate the process of searching for trustworthy products. However, we also identify some avoidable shortcomings of the CRA proposal.

Summary (German abstract)

The cybersecurity legislation of the European Union (EU) is made up of various legal acts. How does the recently proposed Cyber Resilience Act (CRA) fit into this system? In this article we briefly explain how the CRA proposal interacts with other parts of EU cybersecurity legislation. We examine the interaction between the CRA proposal and the NIS 2 Directive (Network and Information Security Directive) and, in particular, show the interaction with regard to risk management measures, coordinated security risk assessments, reporting obligations and market surveillance requirements. In addition, we look more closely at the relationship between the CRA proposal and the NIS 2 Directive as regards the classification of critical products with digital elements, and show what the Commission understands by “criticality”. We outline how the CRA proposal is intended to make it easier for essential and important entities to comply with the complex due diligence obligations of the NIS 2 Directive and to contribute to the comparability of information on products with digital elements. The CRA proposal will bring additional benefit for essential and important entities, as it supports them in the search for trustworthy products with digital elements. However, we also identify some avoidable shortcomings of the CRA proposal.


Notes

  1. Wessel [14] argues that cybersecurity creates a need to develop a separate field of research.

  2. For a cyber threat and vulnerability landscape across Europe see Kertysova et al. [11].

  3. Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, COM (2022) 454 final (CRA proposal).

  4. Explanatory Memorandum CRA proposal, p. 9.

  5. Ibidem, p. 1.

  6. For the historical development of the legal framework on cybersecurity in the EU see Papakonstantinou [12].

  7. For the explanation of the role of state in cybersecurity see Cavelty and Egloff [2].

  8. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC.

  9. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU.

  10. Art. 2 (2) CRA proposal.

  11. Explanatory Memorandum CRA proposal, p. 9.

  12. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166.

  13. Art. 2 (2) CRA proposal.

  14. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91.

  15. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91.

  16. Art. 2 (2) CRA proposal.

  17. SWD (2022) 282, Part 1/3, p. 34.

  18. Art. 2 (3) and (5) CRA proposal.

  19. Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC.

  20. Recital 15 CRA proposal.

  21. Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3 (3), points (d), (e) and (f), of that Directive.

  22. Explanatory Memorandum CRA proposal, p. 9.

  23. Directive 2014/32/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of measuring instruments.

  24. SWD (2022) 282, Part 2/3, p. 68.

  25. Proposal for a Regulation of the European Parliament and of the Council on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council, and repealing Council Directive 87/357/EEC and Directive 2001/95/EC of the European Parliament and of the Council, COM (2021) 346 final.

  26. SWD (2022) 282, Part 2/3, p. 102.

  27. Chapter III, Section 1, Chapters V and VII, and Chapters IX to XI of General Product Safety Regulation.

  28. Recital 28 and Art. 7 CRA proposal.

  29. Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain union legislative acts, COM/2021/206.

  30. Art. 43 AI Act.

  31. Recital 29 and Art. 8 CRA proposal.

  32. Proposal for a Regulation of the European Parliament and of the Council on machinery products, COM (2021) 202.

  33. Recital 30 and Art. 9 CRA proposal.

  34. Proposal for a Regulation of the European Parliament and of the Council on the European Health Data Space, COM/2022/197.

  35. Recital 31 CRA proposal.

  36. Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys.

  37. SWD (2022) 282, Part 2/3, p. 77.

  38. Directive 2014/31/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of non-automatic weighing instruments.

  39. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

  40. Page 11 and Recital 39 CRA proposal.

  41. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS 1 Directive).

  42. Recital 6 and Art. 1 NIS 1 Directive.

  43. Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, COM (2020) 823.

  44. Essential entities are, for instance, electricity suppliers, railway companies, banks, pharmaceutical products manufacturers and wastewater disposal companies (Art. 3 NIS 2 Directive).

  45. Important entities are, for instance, providers of online marketplaces and search engines, manufacturers of medical devices, manufacturers of machinery, providers of postal and courier services and car manufacturers (Art. 3 NIS 2 Directive).

  46. Art. 21 (1) NIS 2 Directive.

  47. Ibidem.

  48. Recital 85 NIS 2 Directive.

  49. Art. 21 (2) (d) and Art. 21 (3) NIS 2 Directive.

  50. Recital 85 and Art. 21(3) NIS 2 Directive.

  51. Art. 10 (1) and Annex I Part 1 CRA proposal.

  52. Art. 10 (7) CRA proposal.

  53. SWD (2022) 282, Part 1/3, p. 6.

  54. Ibidem, p. 77.

  55. Ibidem, p. 13.

  56. Art. 10 (7) and Art. 23 (1) CRA proposal.

  57. Art. 10 (10) CRA proposal.

  58. SWD (2022) 282, Part 1/3, p. 13.

  59. Ibidem, p. 85.

  60. Recital 11 CRA proposal.

  61. Recital 46, Art. 12 (3) and Art. 19 (1) NIS 2 Directive.

  62. Recital 46 NIS 2 Directive.

  63. Recital 47, Art. 19 (2) NIS 2 Directive.

  64. Art. 6 CRA proposal.

  65. Recitals 26, 27 and 62, Art. 6 (1) and (5) CRA proposal.

  66. Recital 26 and Art. 6 (4) CRA proposal.

  67. Annex III CRA proposal.

  68. Art. 6 (2) CRA proposal.

  69. Art. 6 (2) (b) CRA proposal.

  70. Art. 6 (5) CRA proposal.

  71. Recital 25 CRA proposal.

  72. Art. 23 (1) NIS 2 Directive.

  73. Art. 6 No. 6 NIS 2 Directive.

  74. Art. 23 (3) NIS 2 Directive.

  75. Recital 101 NIS 2 Directive.

  76. Art. 23 (4) NIS 2 Directive.

  77. Art. 10 (1) and Art. 23 (1) NIS 2 Directive.

  78. Art. 23 (1) NIS 2 Directive.

  79. Art. 11 (1) and (2) CRA proposal.

  80. In contrast to the NIS 2 Directive, the CRA proposal does not include a definition of the term “incident”.

  81. “Actively exploited vulnerabilities” are defined as “vulnerabilities for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner” (Art. 3 No. 39 CRA proposal).

  82. Art. 11 (1) and (2) CRA proposal.

  83. Ibidem.

  84. This implies that the reporting burden for manufacturers of products with digital elements under the CRA proposal will, in general, be much higher than for essential and important entities under the NIS 2 Directive. In this context, it should also be kept in mind that the CRA proposal applies to any manufacturer, irrespective of their size, while the NIS 2 Directive provides for exemptions for small essential and important entities.

  85. Recital 34 CRA proposal.

  86. The “market surveillance authority” is an authority as defined in Art. 3 No. (4) of Regulation (EU) 2019/1020. It is at the discretion of Member States to decide whether the market surveillance authority is the same as the national competent authorities referred to in Art. 8 of the NIS 2 Directive (Recital 55 and Art. 3 No. 33 CRA proposal, Art. 8 NIS 2 Directive).

  87. Member States can designate one or more national competent authorities. If they designate more than one authority, they must ensure that one of them acts as the national single point of contact on cybersecurity (“single point of contact”) (Art. 8 (3) NIS 2 Directive).

  88. Art. 11 (1) and (2) CRA proposal.

  89. “Hardware” is defined as “a physical electronic information system, or parts thereof capable of processing, storing or transmitting of digital data” (Art. 3 No. 7 CRA proposal).

  90. “Software” is defined as “the part of an electronic information system which consists of computer code” (Art. 3 No. 6 CRA proposal).

  91. “Component” is defined as “software or hardware intended for integration into an electronic information system” (Art. 3 No. 8 CRA proposal).

  92. Art. 2 (1) and Art. 3 No. 1 CRA proposal.

  93. Art. 3 No. 2 CRA proposal.

  94. “Indirect connection” is defined as “a connection to a device or network, which does not take place directly but rather as part of a larger system that is directly connectable to such device or network” (Art. 3 No. 12 CRA proposal).

  95. “Logical connection” is defined as “virtual representation of a data connection implemented through a software interface” (Art. 3 No. 10 CRA proposal).

  96. “Physical connection” is defined as “any connection between electronic information systems or components implemented using physical means, including through electrical or mechanical interfaces, wires or radio waves” (Art. 3 No. 11 CRA proposal).

  97. Art. 3 No. 2 CRA proposal.

  98. Recital 9 CRA proposal.

  99. Art. 41 CRA proposal.

  100. Recital 51 and Art. 41 CRA proposal.

  101. Art. 46 (1) CRA proposal.

  102. Recital 58, Art. 43 and Art. 46 (1) CRA proposal.

  103. Art. 46 (1) and (6) CRA proposal.

  104. Recital 59, Art. 46 (7) CRA proposal.

  105. Recital 59 CRA proposal.

  106. Interestingly, while Recitals 58 and 59 and Article 46 mostly focus on the usage of risky products with digital elements by essential entities under the scope of the NIS 2 Directive, when it comes to defining exceptional circumstances, Recital 59 addresses both essential and important entities.

  107. Art. 46 (8) and (9) CRA proposal.

References

  1. Abraham C, Sims RR (2021) A Comprehensive Approach to Cyber Resilience. MIT Sloan Manag Rev 2021(63):1–4

  2. Cavelty MD, Egloff FJ (2019) The politics of cybersecurity: balancing different roles of the state. St Antonys Int Rev 15(1):37–57 (https://www.ingentaconnect.com/content/stair/stair/2019/00000015/00000001/art00004)

  3. Council of the EU (2022a) Strengthening EU-wide cybersecurity and resilience—provisional agreement by the Council and the European Parliament (Press release, 13 May 2022)

  4. Council of the EU (2022b) Strengthening EU-wide cybersecurity and resilience—provisional agreement by the Council and the European Parliament (Press release, 13 May 2022)

  5. Council of the EU (2022c) EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation

  6. Gueye A, Mell P (2021) A historical and statistical study of the software vulnerability landscape. arXiv preprint arXiv:2102.01722

  7. European Commission (2021) Study on the need of Cybersecurity requirements for ICT products—No. 2020-0715 Final Study Report

  8. European Commission (2022) Commission Staff Working Document, Impact Assessment Report, Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020, SWD(2022) 282.

  9. European Commission Joint Research Centre (2020) Cybersecurity—our digital anchor, a European perspective https://doi.org/10.2760/352218

  10. European Parliament (2021) European Parliament resolution of 10 June 2021 on the EU’s Cybersecurity Strategy for the Digital Decade (2021/2568(RSP)). https://www.europarl.europa.eu/doceo/document/TA-9-2021-0286_EN.html. Accessed 15 Nov 2022

  11. Kertysova K, Frinking E, Dool KVD, Maričić A, Bhattacharyya K (2018) Cybersecurity: Ensuring awareness and resilience of the private sector across Europe in face of mounting cyber risks https://doi.org/10.2864/98090 (Study of The Hague Centre for Strategic Studies for The European Economic and Social Committee (EESC))

  12. Papakonstantinou V (2022) Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity? Comput Law Secur Rev. https://doi.org/10.1016/J.CLSR.2022.105653

  13. Steinberg S (2020) Cyberattacks now cost companies $200,000 on average, putting many out of business. CNBC. https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html. Accessed 15 Nov 2022

  14. Wessel RA (2019) Cybersecurity in the European Union: Resilience through Regulation? In: Conde E, Yaneva Z, Scopelliti M (eds) Routledge Handbook of EU Security Law and Policy. ISBN 978-0-429-46591‑8

Corresponding author

Correspondence to Philipp Eckhardt.

Cite this article

Eckhardt, P., Kotovskaia, A. The EU’s cybersecurity framework: the interplay between the Cyber Resilience Act and the NIS 2 Directive. Int. Cybersecur. Law Rev. 4, 147–164 (2023). https://doi.org/10.1365/s43439-023-00084-z
