#KEYMASTERS – DORA, CRA, and NIS2 – How PKI helps comply

In this KEYMASTER session, Jiannis Papadakis, Director of Solutions Engineering EMEA at Keyfactor, and Sven Rajala, International PKI Man of Mystery at Keyfactor, discuss the upcoming European compliance regulations:

• Cyber Resilience Act (CRA)
• NIS 2 Directive
• Digital Operational Resilience Act (DORA)

These regulations target various sectors within the EU, including manufacturing, critical infrastructure, and finance, demanding a higher standard of security and resilience.

Watch the KEYMASTER episode here:

The CRA focuses on manufacturing, especially as IoT devices and smart machinery become more common, while DORA addresses the financial sector’s need for secure data communication. NIS 2 broadens the definition of critical infrastructure, enforcing stricter compliance and audit requirements across more industries.

How you can comply

Public Key Infrastructure (PKI) is highlighted as a critical tool in meeting these compliance requirements. PKI ensures trusted identities, data integrity, and confidentiality—core aspects for compliance. Although the regulations avoid specifying exact technical protocols, they emphasize crypto agility, pushing for modern cryptographic algorithms and adaptable security measures.

Compliance deadlines are looming, with CRA giving a 36-month runway and DORA set to become mandatory by 2025. The discussion underscores the increasing complexity and need for interoperability, as these regulations create overlapping responsibilities across industries. As businesses face audits and potential penalties, they must adapt to these regulations to stay compliant and secure.

Important dates

Here are the important dates to remember for the EU regulations NIS 2, DORA, and the Cyber Resilience Act (CRA):

Cyber Resilience Act (CRA):

• The CRA was approved in April 2024.
• Businesses have a 36-month transition period from approval, meaning they must comply by April 2027.

Digital Operational Resilience Act (DORA):

• DORA will come into force on January 17, 2025.
• By this date, organizations within the EU’s financial sector are expected to meet operational resilience requirements and implement measures for cybersecurity and IT risk management.

NIS 2 Directive:

• The directive was adopted in January 2023.
• EU Member States have until this month, October 2024, to transpose NIS 2 into national legislation.
• Organizations under NIS 2 requirements must comply by October 2024 as Member States finalize their national-level implementations.
  • The general expectation is that member states continue their efforts to finalize these laws in the coming months, but for now, progress varies across the EU. For organizations affected by NIS 2, it's crucial to stay informed on the specific national regulations as they are adopted to ensure compliance with both the incident reporting and risk management requirements laid out in the directive.

Each regulation carries significant compliance demands, with penalties for non-compliance, so it’s essential to begin preparing for these deadlines.

Learn more

• Webinar: Preparing for the Cyber Resilience Act with PKI
• eBook: 5 Things You Need to Know About EU’s DORA Regulation
• eBook: 5 things you should know about the NIS 2 Directive