What do CSA2, NIS2, and CRA require from companies now? Cybersecurity regulation is evolving in leaps. Finland’s Cybersecurity Act, which transposes the EU Network and Information Security Directive (NIS2) into Finnish legislation, only became applicable in April 2025. Companies had barely managed to update their risk management to the level required by law when the European Commission was already proposing amendments to the Directive.
In recent months, the Commission has presented two proposals to amend the Directive. In November, the Commission published the Digital Omnibus package, and in January 2026, a new cybersecurity package.
The Cybersecurity Act covers 18 critical sectors, including energy, transport, healthcare, and digital infrastructure, and its key obligations are clear: systematic risk management, including supply chain management, and an obligation to report significant incidents to authorities. The Cybersecurity Act is also particularly noteworthy from a liability perspective, as it imposes personal liability on company management for the company’s information security.
The cybersecurity package published by the Commission in January 2026 refines and supplements existing regulation. Its amendments concern the EU Cybersecurity Act (CSA2) and the NIS2 Directive. For the EU Cybersecurity Act, a reform concerning supply chain security is proposed. The proposed amendment to the NIS2 Directive, in turn, seeks to clarify the scope of application and reduce national variation, particularly regarding risk management obligations. In practice, this is good news for companies operating in multiple Member States.
The proposal refines the scope of application in both directions. Some smaller operators are excluded, but at the same time, new operators are brought within the scope of regulation. These include, for example, providers of so-called dual-use products and technologies suitable for both civilian and military use, hydrogen sector operators, and providers of digital identity wallets. In addition, the Commission proposes more detailed reporting on ransomware attacks. In practice, authorities could in future also request information on whether ransom payments have been made.
– In Finland, this means that the Cybersecurity Act will be reopened. The amendments are expected to be approved at the earliest by the end of 2026, after which Member States will have one year to update their national legislation, says Martta Salmi-Pekkala.
The Digital Omnibus Package Brings Relief to Security Breach Reporting
From a cybersecurity perspective, the most significant change is the one-stop-shop principle for incident notifications. In practice, a company could in future submit a single notification through a portal maintained by ENISA, and the system would forward it to all relevant authorities, whether under the NIS2 Directive, GDPR, DORA, the CER Directive, eIDAS, or other applicable legislation.
A cybersecurity incident can currently trigger multiple overlapping notification obligations to different authorities, each in a slightly different format and on a different timeline. For a company operating in several Member States, this would represent an improvement. For a company operating solely in Finland, the situation is not as straightforward, as reporting would shift to a European system.
– There are also open questions related to practical implementation, such as how the different notification timelines under various regulations will be reconciled through a single portal. Companies will still need to be aware of these notification deadlines and understand the requirements of each regulation, says Axel Hård af Segerstad.
Cybersecurity Becomes Part of Products’ CE Marking
The Cyber Resilience Act (CRA) focuses on product cybersecurity and covers network-connected devices and software. Its obligations will enter into force in stages: the vulnerability notification obligation in September 2026 and full conformity as a market access requirement in December 2027.
The September milestone in particular deserves attention, as it also applies to products already on the market. The Cyber Resilience Act introduces mandatory requirements for products, and these must be built into product development processes going forward. These requirements now also extend to the supply chain, forcing companies to incorporate them into their procurement requirements. Likewise, products remain subject to update requirements even after being placed on the market.
Systematic Building of Trustworthiness
Behind the regulatory landscape, which may at times seem confusing, there is a solid logic. For several years now, the EU has been building a three-tiered framework for digital security. The Cyber Resilience Act ensures that products and software entering the market are secure. NIS2 requires that organisations in critical sectors manage risks and report incidents. The Commission’s latest proposal from January, CSA2, adds a third dimension to the framework.
Supply chain management is required under all three regulations, but the EU Cybersecurity Act (CSA2) takes the requirements to a new level. For the first time, it creates the possibility to exclude third countries or individual suppliers and their components from the EU market entirely.
– Cybersecurity is not just about technical solutions — it is about the trustworthiness of the digital operating environment and business, Maria Aholainen summarises.
The next article in the series will examine CSA2 and supply chain security in more detail.