Network & Information Systems Directive (NIS2)

Relevant for: Essential and important services
Into force: 2022
Compliance deadline: 2024
Penalties: Max. 2% of global turnover or 10M EUR

The NIS2 Directive enhances EU-wide cybersecurity to improve the internal market. It mandates Member States to implement national strategies, designate authorities, and establish incident response teams. Additionally, it imposes risk management, reporting, information sharing, and enforcement obligations.

Digital Operational Resilience Act
(DORA)

Relevant for: Financial services industry & ICT providers
Into force: 2023
Compliance deadline: 2025
Penalties: Yes

The Digital Operational Resilience Act strengthens the financial sector's resilience against digital disruptions. It requires financial entities to implement robust risk management, incident reporting, and testing protocols, and it also applies to ICT third-party service providers. The Act also mandates information sharing and sets out supervisory and enforcement measures for Member States.

Artificial Intelligence Act
(AI Act)

Relevant for: Those providing and using AI systems
Into force: 2024 (expected)
Compliance deadline: 2025-2026 (expected)
Penalties: Max. 6% of global turnover or 30M EUR

The AI Act is a regulatory framework aimed at ensuring the safe and ethical development and deployment of artificial intelligence technologies. It categorizes AI systems based on risk levels, imposing stricter requirements on high-risk applications to protect fundamental rights and safety. The Act also promotes transparency and accountability by requiring clear documentation and human oversight for certain AI systems.

Cyber Resilience Act
(CRA)

Relevant for: Those involved with putting products with digital elements on the market (including manufacturers, importers, distributors)
Into force: 2024 (expected)
Compliance deadline: 2027 (expected)
Penalties: Max. 2.5% of global turnover or 10M EUR

Applies to products with digital elements made available on the market, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.


Cyber Security Act
(CSA)

Into force: To be determined

The EU Cybersecurity Act introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognised across the European Union.
