EU Cyber Regulations

23/06/2026

    Updated in June 2026. In an era where digital transformation is pivotal, cybersecurity has become a critical concern for businesses and governments alike. The European cybersecurity landscape is rapidly evolving, driven by a need to protect digital infrastructure and ensure the safety and privacy of data. This post aims to provide an overview of the key emerging regulations, acts, directives, and standards shaping cybersecurity in Europe.

    1. Regulations, Directives and Acts:

    With the upcoming European regulations regarding cybersecurity, the EU aims to establish an efficient and robust framework to address future challenges and protect the community, especially consumers of emerging technologies. Let’s clarify and summarise the different types of legal instruments available at the European level:

    2. Product cybersecurity in the EU:

    In terms of product cybersecurity, several initiatives are present in the European landscape.

    2.1 Cyber Resilience Act (CRA)

    The Cyber Resilience Act (CRA) is a European Union regulation that establishes cybersecurity requirements for products with digital elements (PDEs), including both hardware and software. Its objective is to improve the cybersecurity and resilience of digital products throughout their entire lifecycle, from design and development to market placement, maintenance, and vulnerability management.

    • Product Security Requirements: Manufacturers must ensure that products with digital elements are designed, developed, and produced in accordance with essential cybersecurity requirements, including secure-by-default configurations and appropriate risk management measures.
    • Vulnerability Handling: Manufacturers must establish processes for identifying, documenting, remediating, and disclosing vulnerabilities. They are also required to report actively exploited vulnerabilities and severe incidents having an impact on the security of the product to the designated authorities (the CSIRT designated as coordinator and ENISA, via the single reporting platform). Reporting is staged: an early warning within 24 hours of becoming aware, a more detailed notification within 72 hours, and a final report (within 14 days of a corrective or mitigating measure being available for an actively exploited vulnerability, and within one month for a severe incident).

    The CRA was formally adopted as Regulation (EU) 2024/2847, published in the Official Journal of the European Union on 20 November 2024, and entered into force on 10 December 2024. The reporting obligations of Article 14 apply from 11 September 2026, while the remaining obligations apply from 11 December 2027.

    2.1.1 CRA Challenges and Applus+ Laboratories view

    Experts generally view the CRA as a significant step forward in reinforcing EU cybersecurity. It aligns with other EU regulations like the NIS2 Directive and the AI Act, aiming to create a cohesive cybersecurity framework across different sectors. However, there are concerns about the Act's stringent reporting requirements and potential overlaps with existing laws, which could impose additional burdens on manufacturers and importers. Some experts advocate for more clarity and flexibility in the reporting obligations to avoid overwhelming smaller companies and stifling innovation.

    The concern about having to pass several certifications for a single product around the world, which would increase the effort and costs, is significant. That’s why CRA standardization is crucial. Since the adoption of the CRA, the European Commission has made substantial progress in launching the supporting standardization framework. In February 2025, it adopted Standardization Request M/606, formally mandating the European Standardization Organisations (CEN, CENELEC, and ETSI) to develop a comprehensive portfolio of harmonized standards supporting the implementation of the CRA. The request includes 41 standardization deliverables, covering both horizontal standards applicable across product categories and vertical, product-specific standards for important and critical products. These standards are intended to provide manufacturers with a presumption of conformity with the CRA's essential cybersecurity and vulnerability-handling requirements.


    2.2 Radio Equipment Directive (RED) and RED Delegated Act

    The Radio Equipment Directive (2014/53/EU) establishes a regulatory framework for placing radio equipment on the EU market, covering aspects like safety, health, electromagnetic compatibility, and the efficient use of the radio spectrum. It aims to create a single market for radio equipment, ensuring these products are safe and do not interfere with other electronic equipment.

    The Delegated Act to the RED, Delegated Regulation (EU) 2022/30, activates Article 3(3)(d), (e), and (f) of the Directive, introducing cybersecurity requirements for wireless devices. These points cover:

    • Network protection – Article 3(3)(d): Ensuring that radio equipment does not harm the network or misuse its resources.
    • Protection of personal data and privacy – Article 3(3)(e): Protecting the personal data and privacy of users.
    • Protection from monetary fraud – Article 3(3)(f): Implementing safeguards to prevent monetary fraud.

    However, the RED Cybersecurity Delegated Regulation is now transitional. To avoid overlap with the Cyber Resilience Act (CRA), the European Commission has adopted a delegated regulation repealing Delegated Regulation (EU) 2022/30 with effect from 11 December 2027, the date on which the CRA becomes fully applicable.

    As a result, radio equipment within the scope of Delegated Regulation (EU) 2022/30 and placed on the EU market between 1 August 2025 and 10 December 2027 must comply with the RED cybersecurity requirements. From 11 December 2027, cybersecurity requirements for products with digital elements, including relevant radio equipment, will be addressed under the CRA instead.

    2.2.1 RED Challenges and Applus+ Laboratories view

    The RED delegated act has applied since 1 August 2025. The EN 18031 series (parts 1, 2, and 3) has been cited in the Official Journal of the European Union (January 2025) as harmonised standards for Article 3(3)(d), (e), and (f), and remains the reference for RED cybersecurity compliance until 11 December 2027. Note that the citation carries restrictions: the presumption of conformity does not cover certain configurations, for example where the equipment allows the user to operate it without setting a password, so those aspects must be assessed separately.
    In any case, during this transitional period, the RED cybersecurity requirements are still seen as necessary to protect consumers' data and ensure the integrity of communication networks. There is a widespread belief that the standards used to comply with the RED will be superseded by the CRA harmonised standards.

    2.3 Cyber Security Act (CSA)

    The Cybersecurity Act (CSA), Regulation (EU) 2019/881, introduces an EU-wide cybersecurity certification framework for ICT products, services, and processes. This framework aims to enhance trust and security in the digital market by ensuring that products and services meet consistent and recognised security standards.

    The first scheme adopted under the CSA is the EUCC, the European Common Criteria-based scheme. Its implementing act, Commission Implementing Regulation (EU) 2024/482, entered into force in February 2024 and has applied since 27 February 2025, setting the rules for the scheme stakeholders. Other schemes under development include the EU5G scheme and the EU Cloud Services scheme (EUCS), neither of which has been adopted yet.

    Further schemes are also in preparation, namely for European Digital Identity Wallets and for Managed Security Services, in line with the Staff Working Document (SWD) for the Union Rolling Work Programme for European cybersecurity certification.

    The framework is also expected to evolve through the proposed Cybersecurity Act 2 (CSA2). On 20 January 2026, the European Commission presented a proposal to revise Regulation (EU) 2019/881. CSA2 aims to simplify and accelerate the development of EU cybersecurity certification schemes, strengthen ENISA’s role, and make the certification framework more effective and easier to use. The proposal includes binding timelines for ENISA to prepare certification schemes after a Commission request, broader operational support tasks for ENISA, and measures to better align certification with other EU cybersecurity legislation. It also introduces new elements related to trusted ICT supply chains and the possible use of certification to support compliance with other EU legal requirements. CSA2 is currently a legislative proposal and has not yet been adopted.

    2.3.1 CSA Challenges and Applus+ Laboratories View

    The launch of the European Common Criteria-based cybersecurity certification scheme (EUCC) represents a major milestone, as it is the first fully operational certification scheme adopted under the CSA framework. The EUCC provides a harmonized European approach for certifying ICT products and is expected to reduce reliance on multiple national certification schemes. Its adoption has been widely welcomed by industry and public authorities as an important step towards a more mature European cybersecurity certification ecosystem.

    Nevertheless, practical implementation challenges remain. Stakeholders continue to monitor the rollout of the EUCC framework, including the accreditation and authorisation processes for certification bodies and IT Security Evaluation Facilities (ITSEFs), as well as the interaction between the EUCC and existing national certification arrangements. In addition, the long-term success of the scheme will depend on achieving sufficient market uptake, ensuring consistent interpretation across Member States, and maintaining alignment with international certification frameworks.

    Looking ahead, several additional certification schemes are under development, including the EU Cloud Services Scheme (EUCS), the EU5G scheme, the European Digital Identity Wallets (EUDI Wallets) scheme, and the Managed Security Services (EUMSS) scheme. These initiatives are expected to expand the scope of the European cybersecurity certification framework into strategic sectors that are increasingly important for Europe's digital sovereignty and resilience.

    The development of future schemes, particularly EU5G, presents both opportunities and challenges. To maximise industry adoption and minimise compliance costs, stakeholders have emphasised the importance of alignment with internationally recognised standards and certification frameworks, including those developed by organisations such as the GSMA and 3GPP. Greater international interoperability would help manufacturers avoid duplicative certification efforts while maintaining a high level of cybersecurity assurance.

    The debate surrounding the EUCS scheme illustrates the broader challenges involved in balancing cybersecurity, market integration, and strategic autonomy objectives. Earlier discussions regarding potential sovereignty requirements generated considerable debate among Member States, cloud service providers, and industry associations. More recent policy discussions have shifted towards transparency, risk management, and assurance requirements that can be applied consistently across the EU while preserving openness and competitiveness within the European cloud market.

    At the policy level, these challenges have contributed to the proposal for a revised Cybersecurity Act (CSA2), published by the European Commission in January 2026. CSA2 seeks to streamline the development and maintenance of certification schemes, introduce binding timelines for scheme preparation, strengthen ENISA's role, and improve the overall agility of the certification framework. The proposal reflects a growing consensus that the certification ecosystem must evolve more rapidly to address emerging technologies, changing threat landscapes, and increasing regulatory demands. While CSA2 is still undergoing the EU legislative process, it is widely regarded as an important step towards making European cybersecurity certification more efficient, scalable, and responsive to market needs.

    2.4 Artificial Intelligence Act

    The European Union Artificial Intelligence Act (AI Act), Regulation (EU) 2024/1689, is the world's first comprehensive legal framework specifically designed to regulate artificial intelligence. The regulation establishes harmonized rules for the development, placement on the market, deployment, and use of AI systems across the EU, with the objective of ensuring that AI is trustworthy, safe, transparent, and respectful of fundamental rights.

    The AI Act adopts a risk-based approach, classifying AI systems according to their potential impact on individuals and society. The framework distinguishes between prohibited AI practices (unacceptable risk), high-risk AI systems subject to stringent requirements, AI systems subject to transparency obligations, and low-risk or minimal-risk systems, which remain largely unregulated.

    Although the AI Act primarily focuses on AI governance and fundamental rights protection, it also contains important cybersecurity-related provisions, particularly for high-risk AI systems. These include requirements for:

    • Risk Management: Establishing and maintaining risk management processes throughout the AI system lifecycle, including the identification and mitigation of cybersecurity threats and vulnerabilities.
    • Cybersecurity and Robustness Requirements: Ensuring that high-risk AI systems achieve appropriate levels of accuracy, robustness, resilience, and cybersecurity, including protection against manipulation, adversarial attacks, data poisoning, and unauthorised interference.

    The AI Act entered into force on 1 August 2024 and is being implemented through a phased timeline.

    Provisions prohibiting unacceptable-risk AI practices became applicable on 2 February 2025, and the obligations for general-purpose AI models have applied since 2 August 2025. Most requirements for high-risk AI systems become applicable on 2 August 2026, with certain obligations for high-risk AI systems embedded in specific regulated products (Annex I) applying from 2 August 2027. This staggered approach is intended to provide organisations with sufficient time to adapt their governance, compliance, security, and risk management processes while fostering innovation and the responsible deployment of artificial intelligence across the European Union.

    2.4.1 AI Act Challenges and Applus+ Laboratories view

    Some experts, particularly from start-ups and SMEs, have raised concerns that the AI Act may impose significant regulatory burdens. They argue that increased compliance requirements could place European companies at a competitive disadvantage compared to their American and Chinese counterparts, potentially creating additional barriers to innovation and market growth.

    Attention is now shifting towards the effective implementation and enforcement of the Act. This will require ensuring that the AI Office is adequately resourced and that liability rules for AI work in a coherent and complementary manner alongside the AI Act (the Commission has since announced the withdrawal of its proposed AI Liability Directive, so that gap currently remains open). Considerable work also remains to be done in the development of harmonized standards and practical guidance needed to support consistent application across the European Union.

    2.5 European Digital Identity Framework

    The European Digital Identity Framework (eIDAS 2.0), Regulation (EU) 2024/1183, is the revised EU regulatory framework designed to provide citizens, residents, and businesses with secure, interoperable, and trusted digital identity solutions across the European Union. Building upon the original eIDAS Regulation adopted in 2014, the revised framework addresses previous limitations by introducing a more user-centric and comprehensive approach to digital identity management.

    Key elements of the framework include:

    • Enhanced eIDAS Regulation: Strengthened requirements for electronic identification, authentication, and trust services, ensuring higher levels of security, privacy, and cross-border interoperability.
    • European Digital Identity Wallets (EUDI Wallets): Secure digital wallets enabling users to store, manage, and share identity data, credentials, and official documents while maintaining control over their personal information.

    The revised eIDAS Regulation entered into force in May 2024. Since then, Member States, the European Commission, and industry stakeholders have been working on the implementation of the framework, including the development of common technical standards, certification schemes, and large-scale pilot projects. The first European Digital Identity Wallets are expected to become available progressively across Member States from 2026 onwards.

    ETSI has recently announced the release of the first set of standards supporting the European Digital Identity.

    2.5.1 European Digital Identity challenges and Applus+ Laboratories view

    Experts welcome the framework's strong emphasis on security, privacy, and interoperability. The harmonized technical architecture and common standards are expected to facilitate secure cross-border digital transactions and increase trust in digital identity services throughout the EU.

    The introduction of the European Digital Identity Wallet is considered a major milestone in empowering citizens and organisations with trusted digital credentials, potentially accelerating the adoption of digital services in both the public and private sectors.

    However, several challenges remain. Implementing such a comprehensive framework across all Member States requires significant coordination and alignment of national systems. Ensuring interoperability between diverse technical infrastructures, governance models, and trust ecosystems continues to be a complex undertaking.

    From a conformity assessment perspective, particular attention must be paid to the certification and evaluation of European Digital Identity Wallets and their associated components. Given the critical nature of the services provided and the sensitive personal data they process, robust cybersecurity assessment, privacy verification, and compliance testing will be essential to ensure trustworthiness and regulatory compliance. The development of harmonized certification schemes and assessment methodologies will therefore be a key success factor for the effective deployment of the European Digital Identity Framework. 

    Are there other regulations to be implemented at the same time?

    Yes. Other regulations such as NIS2 and DORA also form part of, and interact with, the EU cybersecurity framework landscape.

    NIS2 Directive (Directive (EU) 2022/2555): Establishes cybersecurity risk management and incident reporting obligations for essential and important entities across a wide range of sectors. Member States had to transpose it by 17 October 2024. The directive strengthens cybersecurity governance and supply chain security requirements, which are particularly relevant for providers of digital identity and trust services.

    Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554): Applies specifically to the financial sector and has applied since 17 January 2025. It introduces detailed requirements for ICT risk management, incident reporting, third-party risk management, and advanced threat-led penetration testing. Financial institutions using digital identity solutions must ensure compliance with both DORA and eIDAS-related requirements.

    What about other regulations from China and the USA?

    Cybersecurity is also regulated outside the EU, through a mix of laws, acts, frameworks, and guidelines.

    Here are some of the relevant cybersecurity regulations in China:

    • Cybersecurity Law
    • MLPS 2.0
    • Cybersecurity Review Measures
    • Cryptography Law
    • Radio Regulations, Administrative Provisions on Radio Frequencies
    • Guidelines for AI Ethics, New Generation AI Development Plan
    • eID system, Real-Name Registration System


    Here are some of the relevant cybersecurity regulations in USA:

    • CISA
    • FISMA
    • NIST Cybersecurity Framework, Executive Order on Cybersecurity
    • FCC Rules and Regulations
    • AI Initiative Act, Algorithmic Accountability Act
    • NSTIC, Real ID Act

    Experts generally view the EU’s regulatory frameworks as setting a high bar for digital governance, ensuring that technologies are developed and used responsibly. However, the interaction with US and Chinese regulations highlights the challenges of differing approaches.

    The EU’s comprehensive and stringent regulations can lead to higher compliance costs and may slow innovation, while the more flexible US approach and the stringent but centrally controlled Chinese model each have their own benefits and drawbacks. The key is finding a balance that promotes innovation while ensuring security, privacy, and ethical standards.

    At Applus+ Laboratories, we are here to guide and support you through the certification process, to verify your product meets compliance standards.
