
Governance

European Regulation: CRA, NIS2 and beyond

A complete guide to CRA, NIS2, and AI Act: obligations, sanctions, operational checklists, and compliance roadmaps for European organizations.


Table of contents

  • Regulatory landscape: from product to service and AI
  • Scope and stakeholders
  • Core obligations: Incident Reporting, secure-by-design, SBOM, certification
  • Impact on Italian companies: from gap analysis to compliance
  • Incident reporting template (NIS2)
  • Practical examples for secure-by-design and SBOM (CRA)
  • Best practices: integrating security, privacy, and compliance
  • Useful snippets: scripts and templates to speed up compliance
  • Prospects: AI Act, GPAI, guidance, and codes of practice
  • Operational bonus: ready-to-use mini-roadmap (summary)

The European cyber security framework has entered a phase of maturity: the NIS2 Directive, the Cyber Resilience Act (CRA), the Cyber Security Act, and the AI Act are reshaping responsibilities, processes, and controls throughout the lifecycle of digital products, services, and data.

For Italian and European organizations, from SMEs to large enterprises and operators of essential services, compliance now means more than paperwork. It means implementing measurable processes, secure-by-design architectures, continuous monitoring, and an integrated governance model involving the CISO, the compliance team, and business leadership.

This in-depth article provides:

  • A regulatory overview with scope, actors, and obligations (e.g., incident reporting, secure-by-design, SBOM, certification).
  • The impact on Italian companies: gap analysis, compliance roadmap, KPI, and sanctions.
  • An operational example: CRA compliance checklist, incident report templates, and roadmap for adaptation.
  • The role of the CISO and compliance team in ensuring governance and internal audit.
  • Future perspectives: how AI Act, Cyber Security Act, and ENISA certification will evolve.

Key timelines: the Cyber Resilience Act entered into force on 10 December 2024, with main obligations applying from 11 December 2027. The NIS2 Directive (EU 2022/2555) has been transposed in Italy through Legislative Decree 138/2024, with strict deadlines for incident reporting: early warning within 24 hours, notification within 72 hours, and a final report within one month. The AI Act entered into force on 1 August 2024, with obligations gradually phased in until 2 August 2027 (including GPAI rules effective 2 August 2025).

Regulatory landscape: from product to service and AI

The EU regulatory system builds an interconnected web:

  • NIS2 Directive
    Expands scope and obligations versus NIS1; mandates risk management, structured incident reporting, technical and organizational measures, supervision, and sanctions. The Italian transposition (D.Lgs. 138/2024) defines the National Cyber Security Agency (ACN) as the competent authority and “single point of contact.”
  • Cyber Resilience Act (CRA)
    Introduces secure-by-design requirements for products with digital elements (hardware/software), vulnerability management, SBOM, and reporting duties. Main obligations effective 11 December 2027.
  • Cyber Security Act
    Strengthens ENISA and establishes a European certification framework with assurance levels (basic, substantial, high) for ICT products, services, and processes.
  • AI Act
    Introduces a risk-based approach banning unacceptable-risk uses, regulating high-risk systems (e.g., infrastructure, health, employment), requiring GPAI transparency and labeling (including deepfakes/chatbots). Full enforcement by 2027.

These laws are complementary: NIS2 focuses on service resilience and governance, CRA on product security, Cyber Security Act on trust through certification, and AI Act on responsible, transparent use of artificial intelligence.

Scope and stakeholders

NIS2 Directive

Applies to “essential” and “important” entities across critical sectors (energy, transport, banking, healthcare, public administration, digital infrastructure, etc.). Obligations: risk management, incident reporting, business continuity, and internal audit. Non-compliance triggers significant sanctions.

Cyber Resilience Act

Covers products with digital elements placed on the EU market including software, hardware, and IoT devices. Manufacturers, importers, and distributors must ensure secure-by-design, vulnerability management, SBOM, and disclosure.

Cyber Security Act

Provides voluntary but increasingly demanded EU certification schemes managed by ENISA, often required in supply chains and public tenders.

AI Act

Applies to providers and users of AI systems in the EU. Obligations depend on risk level: high-risk systems must comply with strict requirements (data quality, documentation, human oversight, cyber security). GPAI providers must ensure transparency and documentation from August 2025.

Core obligations: Incident Reporting, secure-by-design, SBOM, certification

Incident reporting (NIS2)

  • Early warning within 24 hours of becoming aware of the significant incident (indicating whether unlawful acts or cross-border impacts are suspected).
  • Incident notification within 72 hours, including an initial assessment, indicators, impacts on services and users, and measures taken.
  • Final report within 1 month, including root cause analysis and corrective actions.
  • Intermediate updates (progress reports) if the incident is still ongoing.

Secure-by-design and vulnerability management (CRA)

  • Secure-by-design and secure-by-default requirements for products with digital elements;
  • Documented vulnerability management process (monitoring, patching, customer communication);
  • Availability of an SBOM (Software Bill of Materials);
  • End-of-support management, with transparency on residual risks. Full application from 2027.

Certification (Cyber Security Act)

  • Ability to demonstrate compliance and maturity through EU schemes (e.g. EUCC – Common Criteria – and future schemes for cloud and services).
  • Graduated assurance levels (basic / substantial / high), with growing demand across supply chains and in public procurement tenders.

AI Act

  • Risk-based classification: prohibitions (e.g. social scoring); stringent requirements for high-risk systems (data governance, logging, transparency, human oversight, cybersecurity); and obligations for GPAI (transparency, documentation).

Impact on Italian companies: from gap analysis to compliance

To comply with NIS2 and prepare for CRA, organizations must adopt an integrated compliance roadmap:

  • Governance
    Defined roles (CISO, compliance team), board accountability, internal audit.
  • Processes
    Risk and vulnerability management, incident response, supplier risk.
  • Technology
    Asset inventory, SIEM/SOAR, EDR/XDR, SBOM tools, DevSecOps pipeline.
  • People
    Training, tabletop exercises, performance indicators.
  • Contracts
    Clauses on incident reporting, SLA, patching, and liability.
  • Documentation
    Policies, procedures, templates, and audit evidence.

Example: rapid gap analysis

  • Scope
    Critical systems and services (NIS2 scope), software/hardware product portfolio (CRA scope).
  • Controls
    Mapping of NIS2/CRA requirements against current controls (NIST / ISO 27001 / ISA/IEC 62443 frameworks where relevant).
  • Maturity scoring
    0–5 for each requirement (policies, processes, technology, evidence).
  • Prioritization
    Risk and cost-based (quick wins within 90 days; structural initiatives within 6–18 months).
  • Roadmap
    Milestones, owners, budget, KPIs (e.g. % of systems with SBOM, average patching time for CVSS ≥ 7, incident MTTD/MTTR, logging coverage).

CRA compliance checklist

  • Product inventory with digital elements and versions; mapping of components and dependencies (including open source) → SBOM.
  • Secure-by-design
    Baseline security defaults, hardening, secure-by-default configurations, attack surface reduction.
  • Threat modeling and risk analysis per release; security requirements embedded in acceptance criteria.
  • DevSecOps pipeline
    SAST / DAST / SCA (including license checks), artifact signing, reproducible build supply chain.
  • Vulnerability management
    Intake (CVD), triage, remediation SLAs, customer communication, CVE tracking.
  • Technical documentation
    Security, testing, update plans, end-of-support; user instructions for secure configurations.
  • In-field monitoring
    Telemetry (privacy-by-design), crash/vulnerability collection, secure update channel.
  • Contracts
    Clauses with suppliers/components, audit rights, end-of-life management.
  • Evidence
    Test reports, attestations, audit trails; readiness for regulatory supervision.
  • Transition plan through 2027
    Priorities by product family, budget, staffing, and certification where appropriate.

Incident reporting template (NIS2)

1) Early warning (24h)

```yaml
incident_id: "NIS2-2025-000123"
phase: "early_warning_24h"
detection_timestamp: "2025-11-04T07:15:00Z"
report_timestamp: "2025-11-04T14:00:00Z"
entity: "Acme S.p.A."
sector: "Healthcare"
summary:
  suspected_illicit_act: true
  cross_border_impact: "unknown"
  affected_services: ["EHR portal", "API gateway"]
initial_actions:
  - "isolated affected subnet"
  - "blocked outbound traffic"
requested_guidance: true
```

2) Incident notification (within 72 hours)

```yaml
incident_id: "NIS2-2025-000123"
phase: "incident_notification_72h"
impact:
  service_disruption: "partial"
  users_affected: 24000
  data_compromise: "under_investigation"
technical_details:
  attack_vector: "phishing -> credential theft -> lateral movement"
  iocs:
    ips: ["1.2.3.4", "5.6.7.8"]
    hashes: ["sha256:..."]
  mitre_techniques: ["T1566", "T1078", "T1021"]
mitigation:
  containment: ["account reset", "network segmentation", "EDR quarantine"]
  eradication: ["malware removal", "kerberos reset"]
coordination:
  csirt_contacted: "yes"
  law_enforcement: "no"
  suppliers_involved: ["IdP vendor", "MFA provider"]
```

3) Final report (30 days)

```yaml
incident_id: "NIS2-2025-000123"
phase: "final_report_30d"
root_cause: "legacy vpn exposed; missing mfa exception policy"
timeline:
  - "2025-11-01 10:12Z initial phishing"
  - "2025-11-02 08:05Z lateral movement"
  - "2025-11-03 17:45Z detection by EDR"
  - "2025-11-04 07:15Z incident declared"
lessons_learned:
  - "enforce conditional access for all identities"
  - "deprecate legacy vpn by Q1"
  - "tune SIEM detection for abnormal OAuth grants"
kpi:
  mttd_hours: 33
  mttr_hours: 60
follow_up_actions:
  - "tabletop exercise"
  - "supplier security review"
  - "internal audit on identity governance"
```

This process supports CRA compliance by enforcing secure-by-design, vulnerability management, and SBOM transparency.
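The 24h/72h/30-day deadlines listed under "Incident reporting (NIS2)" and the three phase templates above are easy to miss in the middle of an incident, so a small checker that derives the absolute deadlines from the moment of awareness and validates each filed report is worth having. The following is an added example, not part of the original article: the field names `phase`, `detection_timestamp` and `report_timestamp` follow the article's template, while the list of required sections per phase and the sample reports are constructed here (the final report is deliberately late and incomplete to show the failure path).

```python
"""NIS2 reporting-deadline checker (added example; not from the original
article). It derives the three deadlines from the moment the entity becomes
aware of the incident (24 h early warning, 72 h notification, final report
within one month, taken here as 30 days as in the article's template) and
checks each phase report for timeliness and for its required sections."""
from datetime import datetime, timedelta

DEADLINES = {
    "early_warning_24h": timedelta(hours=24),
    "incident_notification_72h": timedelta(hours=72),
    "final_report_30d": timedelta(days=30),
}

# Sections each phase report must carry (assumption, derived from the article's template).
REQUIRED_SECTIONS = {
    "early_warning_24h": ["summary", "initial_actions"],
    "incident_notification_72h": ["impact", "technical_details", "mitigation"],
    "final_report_30d": ["root_cause", "timeline", "lessons_learned"],
}

def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2025-11-04T07:15:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def deadline_schedule(detection_ts):
    """Absolute deadline per phase for an incident the entity became aware of at detection_ts."""
    t0 = parse_ts(detection_ts)
    return {phase: t0 + delta for phase, delta in DEADLINES.items()}

def check_report(report, detection_ts):
    """Return (hours_remaining, missing_sections) for one phase report.
    hours_remaining is negative when the report was filed after its deadline."""
    phase = report["phase"]
    deadline = deadline_schedule(detection_ts)[phase]
    filed = parse_ts(report["report_timestamp"])
    remaining = (deadline - filed).total_seconds() / 3600
    missing = [s for s in REQUIRED_SECTIONS[phase] if s not in report]
    return remaining, missing

def check_incident(reports, detection_ts):
    """Evaluate every NIS2 phase for one incident; `reports` is keyed by phase name."""
    results = {}
    for phase in DEADLINES:
        if phase not in reports:
            results[phase] = {"status": "missing"}
            continue
        remaining, missing = check_report(reports[phase], detection_ts)
        status = "ok" if remaining >= 0 and not missing else "non_compliant"
        results[phase] = {"status": status, "hours_remaining": remaining,
                          "missing_sections": missing}
    return results

# Constructed sample: the article's timestamps for the early warning, a
# notification filed inside 72 h, and a final report that is late and lacks
# the lessons_learned section.
DETECTION_TS = "2025-11-04T07:15:00Z"
SAMPLE_REPORTS = {
    "early_warning_24h": {
        "phase": "early_warning_24h",
        "report_timestamp": "2025-11-04T14:00:00Z",
        "summary": {"suspected_illicit_act": True, "cross_border_impact": "unknown"},
        "initial_actions": ["isolated affected subnet", "blocked outbound traffic"],
    },
    "incident_notification_72h": {
        "phase": "incident_notification_72h",
        "report_timestamp": "2025-11-06T18:30:00Z",
        "impact": {"service_disruption": "partial", "users_affected": 24000},
        "technical_details": {"mitre_techniques": ["T1566", "T1078", "T1021"]},
        "mitigation": {"containment": ["account reset", "network segmentation"]},
    },
    "final_report_30d": {
        "phase": "final_report_30d",
        "report_timestamp": "2025-12-05T09:00:00Z",
        "root_cause": "legacy vpn exposed; missing mfa exception policy",
        "timeline": ["2025-11-01 10:12Z initial phishing", "2025-11-04 07:15Z incident declared"],
    },
}

if __name__ == "__main__":
    for phase, result in check_incident(SAMPLE_REPORTS, DETECTION_TS).items():
        print(f"{phase}: {result}")
```

Two design points: the clock starts at awareness, not at the attacker's first action, which is why the checker takes `detection_ts` separately from the timeline inside the final report; and a report is only "ok" when it is both on time and structurally complete, so a rushed but empty notification does not count as compliance.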

Practical examples for secure-by-design and SBOM (CRA)

DevSecOps Pipeline with Automatic SBOM

Example of SBOM integration in the build cycle (suitable for GitLab/GitHub Actions/Jenkins):

```bash
# Generate SBOM in CycloneDX format
cyclonedx-bom -o sbom.json

# Check for known vulnerabilities (SCA)
grype dir:. --output json > vuln-report.json

# Sign artifacts (e.g. Sigstore cosign)
cosign sign --key cosign.key registry.example.com/app:1.2.3

# Policy gate (pseudo-command): reject the build if findings with CVSS >= 7 are unmitigated
./policy-gate --sbom sbom.json --vulns vuln-report.json --cvss-threshold 7.0
```
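The `./policy-gate` step above is a pseudo-command; the article does not show what it does internally. The following added example, which is not the article's tool, implements the gate in Python so the decision logic is explicit: it loads a CycloneDX-style SBOM and a vulnerability report, applies the CVSS threshold together with a triage file of waived findings, and fails the build either when an unmitigated finding at or above the threshold remains or when the SBOM contains components that cannot be matched to advisories at all. All three inputs are constructed here: the SBOM uses the CycloneDX `components` layout, the vulnerability report only loosely mirrors an SCA tool's JSON (an assumption, not grype's exact schema), the triage format is this example's own in the spirit of VEX statements, and the CVE identifiers are placeholders.

```python
"""Policy gate for the DevSecOps pipeline (added example; not the article's
`./policy-gate` tool). Exit code 0 means the build may proceed."""
import json
import sys

# Constructed CycloneDX-style SBOM; the last component has no version or purl.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.3.1",
     "purl": "pkg:deb/debian/libfoo@2.3.1"},
    {"type": "library", "name": "jsonparse", "version": "0.9.0",
     "purl": "pkg:npm/jsonparse@0.9.0"},
    {"type": "library", "name": "legacy-util"}
  ]
}"""

# Constructed vulnerability report (loosely SCA-tool shaped; CVE ids are placeholders).
VULN_JSON = """{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "cvss_base": 9.8, "fix_state": "fixed"},
     "artifact": {"name": "libfoo", "version": "2.3.1"}},
    {"vulnerability": {"id": "CVE-0000-0002", "cvss_base": 7.5, "fix_state": "not-fixed"},
     "artifact": {"name": "jsonparse", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "cvss_base": 5.3, "fix_state": "fixed"},
     "artifact": {"name": "jsonparse", "version": "0.9.0"}}
  ]
}"""

# Constructed triage file: a waiver needs a justification and an expiry so it is revisited.
TRIAGE_JSON = """{
  "CVE-0000-0002": {"status": "not_affected",
                    "justification": "vulnerable_code_not_present",
                    "expires": "2026-03-31"}
}"""

def sbom_gaps(sbom):
    """Components lacking a version or purl: advisories cannot be matched to them."""
    return [c.get("name", "<unnamed>") for c in sbom.get("components", [])
            if not c.get("version") or not c.get("purl")]

def is_waived(waiver, today):
    """A waiver counts only if it carries a justification and has not expired (ISO dates compare as strings)."""
    return bool(waiver and waiver.get("justification") and waiver.get("expires", "") >= today)

def blocking_findings(vulns, triage, threshold, today):
    """Findings at or above the CVSS threshold without a valid waiver."""
    blocked = []
    for match in vulns["matches"]:
        vuln, artifact = match["vulnerability"], match["artifact"]
        if vuln["cvss_base"] < threshold or is_waived(triage.get(vuln["id"]), today):
            continue
        blocked.append({"id": vuln["id"], "cvss": vuln["cvss_base"],
                        "component": f"{artifact['name']}@{artifact['version']}",
                        "fix_state": vuln["fix_state"]})
    return blocked

def policy_gate(sbom_text, vuln_text, triage_text, threshold=7.0, today="2025-11-04"):
    """Return (passed, report); `today` is an ISO date used to expire waivers."""
    sbom, vulns = json.loads(sbom_text), json.loads(vuln_text)
    triage = json.loads(triage_text)
    report = {"blocking": blocking_findings(vulns, triage, threshold, today),
              "sbom_gaps": sbom_gaps(sbom)}
    return (not report["blocking"] and not report["sbom_gaps"]), report

if __name__ == "__main__":
    passed, report = policy_gate(SBOM_JSON, VULN_JSON, TRIAGE_JSON)
    print(json.dumps(report, indent=2))
    sys.exit(0 if passed else 1)  # a non-zero exit code fails the pipeline stage
```

With the sample inputs the gate fails twice over: the 9.8 finding has no waiver, and `legacy-util` has no version or purl, so no scanner could have assessed it. Waivers expire on purpose: once `today` passes 2026-03-31 the 7.5 finding starts blocking again, which is the behaviour a CRA-style vulnerability management process needs so that "not affected" decisions are re-examined rather than forgotten.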

Product security policy file (excerpt)

```yaml
product_security_policy:
  secure_defaults: true
  hardening_baseline: "CIS Level 1"
  crypto_minimums:
    tls: "1.2+"
    algorithms: ["AES-GCM", "CHACHA20-POLY1305"]
    key_rotation_days: 90
  vulnerability_management:
    intake: "security@example.com"
    cvd: "https://example.com/.well-known/security.txt"
    triage_sla_days:
      critical: 7
      high: 15
      medium: 30
  sbom:
    format: "CycloneDX"
    published_to_customers: true
  update_lifecycle:
    eol_notice_months: 12
    channel: "signed OTA"
```

This setting supports CRA compliance: secure-by-design, vulnerability management, SBOM, patching cycle, and transparent communication.

Compliance roadmap: 90 days → 12 months → 24+ months

Phase 1 – 90 Days

  • Assign CISO, create compliance governance.
  • Perform gap analysis.
  • Establish incident reporting workflow.
  • Generate initial SBOMs.
  • Implement minimal telemetry (EDR/logging).

Phase 2 – 6–12 Months

  • Integrate DevSecOps pipeline.
  • Conduct tabletop exercises.
  • Update supply chain contracts.
  • Start preparing for certification.

Phase 3 – 12–24+ Months

  • Extend SBOM coverage and risk-based patching.
  • Implement regular internal audits.
  • Align AI systems with AI Act obligations.
  • Pursue ENISA certification where strategic.

Role of the CISO and Compliance Team

  • CISO
    Leads risk strategy, defines architecture, oversees detection, response, and audit.
  • Compliance team
    Interprets laws, maintains documentation, coordinates reporting.
  • Developers/IT
    Implement secure coding, SBOM, and patching.
  • Procurement/Legal
    Manage contracts and supplier security.
  • Board
    Approves budget and evaluates KPI.

Best practices: integrating security, privacy, and compliance

  • Combine privacy-by-design and secure-by-design.
  • Conduct threat modeling and targeted penetration tests.
  • Manage vulnerabilities via structured SLA.
  • Deliver continuous training and tabletop exercises.
  • Measure resilience KPI (patch time, attack surface reduction, SBOM coverage).
  • Leverage ENISA certification for competitive trust.

Useful snippets: scripts and templates to speed up compliance

Example – Quick compliance assessment (pseudo-Python)

```python
# Requirements to check, grouped by regulation; each key must exist in `controls`.
requirements = {
    "NIS2": ["incident_24h", "incident_72h", "final_30d", "risk_management", "business_continuity", "audit_interno"],
    "CRA":  ["secure_by_design", "vuln_mgmt", "sbom", "update_policy", "cvd_channel"],
}

# Current state of each control: True (in place), "partial", or False (absent).
controls = {
    "incident_24h": True,
    "incident_72h": True,
    "final_30d": False,
    "risk_management": True,
    "business_continuity": False,
    "audit_interno": False,
    "secure_by_design": "partial",
    "vuln_mgmt": True,
    "sbom": "partial",
    "update_policy": False,
    "cvd_channel": True,
}

def score(val):
    # Full credit for an implemented control, half for a partial one, none otherwise.
    return 1 if val is True else (0.5 if val == "partial" else 0)

# Average score per regulation, in the range 0 (nothing in place) to 1 (fully covered).
nis2 = sum(score(controls[r]) for r in requirements["NIS2"]) / len(requirements["NIS2"])
cra  = sum(score(controls[r]) for r in requirements["CRA"]) / len(requirements["CRA"])

print({"NIS2_score": nis2, "CRA_score": cra})
```

The idea is to obtain a ‘thermometer’ (0–1) for the gap analysis and link the scores to the KPIs.

Example – security.txt for CVD

```text
Contact: mailto:security@example.com
# Expires is mandatory under RFC 9116; the file is considered stale after this date
Expires: 2026-06-30T23:59:00.000Z
Encryption: https://example.com/pgp.txt
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: it, en
```
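A security.txt only works as a CVD channel if it is well-formed and current, and the points that most often go wrong are the ones RFC 9116 makes mandatory: the `Contact` and `Expires` fields, single occurrence of `Expires` and `Preferred-Languages`, https-only web URIs, and an expiry date that has not already passed. The validator below is an added example, not part of the original article; the file content it checks is constructed to match the article's example with the `Expires` field included, and the `now_iso` parameter is this example's own way of making the date check reproducible.

```python
"""Validator for /.well-known/security.txt against the RFC 9116 points that
matter most in practice (added example; not from the original article)."""
from datetime import datetime, timedelta, timezone

# Constructed sample matching the article's security.txt, with Expires added.
SAMPLE_SECURITY_TXT = """\
# constructed sample
Contact: mailto:security@example.com
Expires: 2026-06-30T23:59:00.000Z
Encryption: https://example.com/pgp.txt
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: it, en
"""

# Field names are case-insensitive in RFC 9116, so they are normalised to lowercase.
MANDATORY = ("contact", "expires")
SINGLE_OCCURRENCE = ("expires", "preferred-languages")
WEB_URI_FIELDS = ("encryption", "policy", "acknowledgments", "canonical", "hiring")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}, skipping blank and comment lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now_iso):
    """Return {"errors": [...], "warnings": [...]} for the file content at time now_iso."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    fields = parse_security_txt(text)
    errors, warnings = [], []
    for name in MANDATORY:
        if name not in fields:
            errors.append(f"missing mandatory field: {name}")
    for name in SINGLE_OCCURRENCE:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must appear at most once")
    for value in fields.get("contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            errors.append(f"contact must be a mailto:, https:// or tel: URI: {value}")
    for name in WEB_URI_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                errors.append(f"{name} must use https: {value}")
    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp <= now:
                errors.append("expires is in the past; the file must be refreshed")
            elif exp > now + timedelta(days=365):
                warnings.append("expires is more than a year away; RFC 9116 recommends less")
    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    print(validate_security_txt(SAMPLE_SECURITY_TXT, datetime.now(timezone.utc).isoformat()))
```

Running this as a scheduled job (with the real current time) turns the `Expires` field from a one-off formality into a monitored control: the error fires before researchers start treating the file as abandoned.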

Enforcement and Sanctions

  • NIS2: strong national sanctions (in Italy under D.Lgs. 138/2024).
  • CRA: from 2027, non-compliant products may be blocked or fined.
  • AI Act: up to €35 million or 7% of global turnover for severe violations.

Prospects: AI Act, GPAI, guidance, and codes of practice

In 2025, the Commission confirmed the timeline for the AI Act and promoted a Code of Practice to support compliance with GPAI models: useful for providing interpretative certainty and aligning industry and regulator. For companies, this means preparing AI inventories, risk classification, internal policies, and data governance now.

Operational case (example): how an integrated program reduces incidents and response times

A manufacturing company with connected products and a customer portal:

  • Starts NIS2/CRA gap analysis → discovers absence of SBOM and incomplete incident reporting runbooks.
  • Implements DevSecOps pipeline, CycloneDX SBOM, and policy gates; defines NIS2 24/72/30 templates.
  • Updates supplier contracts for patching SLA and notification requirements.
  • Conducts two tabletop exercises per year with CISO, compliance team, IT, and legal.
  • Result: MTTD reduced by 40%, MTTR by 35%, 100% of incidents notified within 72 hours, no audit non-compliances, CVSS≥7 time-to-patch reduced from 21 to 10 days. (Realistic example of KPI impact).

Conclusion

Europe is moving from “checklist compliance” to continuous resilience.
NIS2 enforces governance and incident reporting; the CRA embeds security into the product itself; the Cyber Security Act enables certification and trust; and the AI Act extends ethical, secure governance to artificial intelligence. Preparing now through gap analysis, roadmap, and KPI means reducing risks, avoiding sanctions, and building sustainable digital trust.

Operational bonus: ready-to-use mini-roadmap (summary)

  • 0–30 days
    Roles (CISO, compliance team), incident-report templates, asset/product inventory.
  • 30–90 days
    SBOM for core product, secure-by-design baseline, tabletop exercise.
  • 3–12 months
    DevSecOps pipeline with SAST/DAST/SCA, policy gate, supply-chain contracts.
  • 12–24 months
    Certification where strategic, AI Act integration for high-risk use cases, internal audit at steady state.

Questions and answers

  1. Difference between NIS2 and CRA?
    NIS2 covers organizational resilience and incident reporting; CRA governs product security and SBOM.
  2. Does NIS2 affect SMEs?
    Yes, many medium-sized entities are now included as “important” operators.
  3. What are NIS2 reporting deadlines?
    24h (early warning), 72h (notification), 30 days (final report).
  4. When does CRA apply?
    Main obligations apply from 11 December 2027.
  5. What is an SBOM?
    A Software Bill of Materials: a detailed list of software components, key to supply chain security.
  6. How does the Cyber Security Act help?
    Provides ENISA-led certification schemes to demonstrate trust.
  7. What changes with the AI Act for GPAI?
    From August 2025, GPAI providers must ensure transparency and documentation.
  8. What are the sanctions?
    NIS2: national penalties; CRA: product bans/fines; AI Act: up to €35M or 7% of turnover.
  9. How to start a gap analysis?
    Map obligations vs current controls, score maturity (0–5), prioritize by risk, plan KPI-driven roadmap.
  10. Is certification mandatory?
    Not yet, but ENISA schemes are becoming standard in supply chains.