EU cybersecurity regulation is moving at pace. A cluster of new and updated legislative instruments – from NIS2 and CER to the Cyber Resilience Act and DORA – is reshaping obligations for operators of networks and information systems, manufacturers of digital and machinery products, and critical entities across key sectors. For businesses trying to keep pace, the challenge isn't just understanding one regulation. It's navigating an entire ecosystem of overlapping requirements. This overview sets out what is coming, who is affected, and when the changes apply.
A. NIS2 Directive (NIS2)
What? The NIS2 Directive modernizes European cybersecurity law and aims to raise the baseline of cyber resilience across the Union. Covered entities must register, report significant incidents to the relevant authority and conduct cybersecurity training. The Directive specifies detailed technical and organizational measures that covered entities must implement. See our summary of the German NIS2 implementation law.
Who? NIS2 significantly expands the scope compared to the original NIS1 Directive. As a general rule, it applies to medium-sized and larger entities in 18 sectors (including energy, food, digital infrastructure, chemicals, space, machinery and others).
When? Member States were required to transpose NIS2 by 2024, but several missed this deadline. In Germany, the NIS2 implementation law was published on 5 December 2025. Covered entities in Germany were required to register by 6 March 2026; currently, only around one third of entities subject to registration have done so.
B. Critical Entities Resilience Directive (CER)
What? The CER Directive creates a framework to strengthen the resilience of essential service providers against a range of threats. It complements NIS2 by focusing on physical resilience to risks such as natural disasters, terrorism and sabotage. The underlying recognition: cybersecurity and physical security are deeply interconnected.
Who? CER covers essential service providers in eight sectors:
- Energy
- Water
- Transport
- Finance
- Health
- Food
- Waste management
- IT/telecommunications
Member States retain discretion in setting quantitative thresholds, so the scope is similar to, but not identical with, NIS2’s “essential entities.”
When? CER entered into force on 16 January 2023. The transposition deadline was 17 October 2024. Germany did not meet this deadline, but its national implementation law (the “KRITIS-Dach-Gesetz”) entered into force on 17 March 2026. First registration obligations for affected entities apply by 17 July 2026.
C. Cyber Resilience Act (CRA)
What? The Cyber Resilience Act targets the cybersecurity of products with digital elements. Unlike NIS2 – which focuses on the network and information systems of entities – the CRA’s objective is to ensure cybersecurity of certain hardware and software products themselves. Germany recently issued a first draft of an implementing law to determine the national authority.
Who? Manufacturers of software or hardware products with digital elements, particularly products connected to the internet, but also standalone software.
When? The CRA entered into force on 10 December 2024. Main obligations will apply from 11 December 2027. Reporting obligations apply from 11 September 2026.
D. Radio Equipment Directive (RED)
What? The RED provides the EU framework to ensure that radio equipment meets essential safety, health and radio spectrum standards. Recently, specific cybersecurity provisions have become applicable, adding requirements that overlap with and, in some respects, anticipate elements of the CRA. See our overview of the RED cybersecurity obligations.
Who? The RED applies to all radio equipment sold in the EU, including WLAN devices, Bluetooth devices, and mobile communications equipment. It is particularly relevant for IoT products that will also fall within the scope of the CRA.
When? The RED has been in force for over a decade. However, its dedicated cybersecurity requirements only started to apply from 1 August 2025, because the applicability of the EU delegated regulation introducing them was postponed. As a result, many operators still underestimate its impact, even though it already imposes cybersecurity obligations that partially pre-empt the CRA.
E. Digital Operational Resilience Act (DORA)
What? DORA sets a binding, harmonized framework for managing ICT risk in the financial sector, covering ICT risk management, incident reporting, resilience testing, third‑party risk management, and information sharing.
Who? DORA applies to EU‑regulated financial entities, such as banks, insurers, investment firms, and payment and crypto-asset service providers.
When? DORA has applied since 17 January 2025. Throughout 2026, supervisory expectations in areas such as governance, resilience testing, third-party exit strategies, and audit rights are continuing to take shape.
F. Outlook: Cybersecurity Act 2.0
What? Even as current cybersecurity instruments enter into force, the EU is already planning to change them. In January 2026, new plans were presented under the “Cybersecurity Act 2.0” label. These focus on:
- Adjusting existing rules, including the NIS2 Directive;
- Updating European cybersecurity certification frameworks to improve technical implementation; and
- Changing the role of ENISA, in particular regarding the reporting of cybersecurity incidents.
Who? The reforms are expected to primarily affect entities already within the scope of NIS2, with particular relevance for sectors such as chemicals, electricity, hydrogen production and dual-use infrastructure.
When? There is no fixed timeline yet. Current expectations point to finalization of Cybersecurity Act 2.0 in early 2027.
G. Outlook: Machinery Regulation
What? The new Machinery Regulation governs the placing of new machinery on the EU market and introduces direct design and safety requirements for machinery and related products. In conjunction with the CRA, it will shape cybersecurity and safety expectations for connected machinery.
Who? All manufacturers of machinery and certain related products. The definition of “machinery” is broad and essentially covers any assembly of parts or devices that are connected to a drive system.
When? The Regulation will apply from 20 January 2027. Unlike the Machinery Directive, this regulation will apply directly across all Member States without requiring national transposition.
The European cybersecurity landscape around 2026 is characterized by overlapping but distinct regimes, each targeting a different layer – entities, infrastructure, or products. Businesses should map which instruments apply to them (NIS2/CER/DORA on the organizational side; CRA/RED/Machinery Regulation on the product side) and plan compliance projects with a view to the staggered, but now rapidly approaching, deadlines.