Regulatory Compliance · 8 min read

Four Frameworks, One Vendor: The Regulatory Exposure Problem NIS2, DORA, CRA, and the Revised CSA Create

By Dritan Saliovski

European enterprises are now subject to four converging cybersecurity frameworks: NIS2, DORA, the Cyber Resilience Act, and the proposed revised Cybersecurity Act. Each evaluates different dimensions of the same vendor relationship. A supplier that satisfies one framework can be disqualified under another. Most compliance teams are still running these as separate programs, which means the cross-framework exposure stays invisible until it surfaces as a regulatory finding or a forced technology replacement.

Key Takeaways

  • The revised Cybersecurity Act (CSA2), proposed January 2026, introduces "non-technical risk" as a formal criterion for assessing ICT suppliers - country of origin, government influence exposure, and geopolitical alignment now factor into procurement decisions across 18 critical sectors
  • The Commission can retroactively designate a supplier as high-risk and require phase-out of already-deployed components within 36 months, a first in EU cybersecurity law
  • CRA reporting obligations begin 11 September 2026; NIS2 audits are underway across member states; DORA has been in force since January 2025 - compliance timelines are converging, not sequenced
  • Fines for revised CSA supply chain violations could reach 7% of global turnover, the highest penalty ceiling in the current EU cybersecurity stack
  • A single regulatory exposure matrix across all four frameworks converts fragmented compliance programs into one strategic vendor governance conversation
  • 7%: maximum fine under the revised CSA, as a share of global turnover (European Commission CSA2 proposal, January 2026)
  • 36 months: maximum phase-out period for designated high-risk suppliers (revised CSA provisions, 2026)
  • 18: critical sectors covered by NIS2 and the revised CSA (NIS2 Directive, Annex I and II)

EU cybersecurity regulatory timeline from 2024 to 2027 showing DORA, NIS2, CRA, revised CSA, and US trade action milestones, with a Today marker at April 2026.
Source: Synthesized from European Commission, USTR, and member state implementation schedules. Revised CSA timeline estimated based on typical EU legislative process.

Four frameworks, four different questions about the same vendor

Each framework evaluates a different risk dimension. NIS2 asks whether your organization manages cybersecurity risk across its supply chain, with incident reporting obligations and management accountability. DORA asks whether financial entities can maintain operational resilience through ICT disruptions, with prescriptive requirements for critical third-party provider oversight and resilience testing. The Cyber Resilience Act asks whether the products you deploy were designed and maintained with security built in, with vulnerability reporting and conformity assessment obligations. The revised Cybersecurity Act asks a question none of the others touch: whether the supplier's jurisdiction, ownership structure, and government exposure create non-technical risks that compromise the security of EU critical infrastructure.

Four-circle Venn diagram showing what NIS2, DORA, CRA, and the revised CSA each evaluate about the same vendor, with overlapping areas for shared requirements such as risk assessment, reporting obligations, and supply chain security.
Four regulatory lenses, overlapping but not aligned. No framework covers trade or tariff risk.

These are not overlapping requirements with minor variations. They are structurally different assessment dimensions applied to the same supplier relationship. A cloud provider can satisfy NIS2 supply chain due diligence requirements, meet DORA's critical third-party standards, and ship CRA-compliant products, yet still be designated as a high-risk supplier under the revised CSA because of where it is headquartered or who controls it.

The lex specialis principle adds complexity rather than clarity. DORA prevails over NIS2 where they directly overlap for financial entities, but the revised CSA introduces a horizontal layer that cuts across both. An organization subject to DORA still faces NIS2 obligations in areas DORA does not cover - specifically personnel security measures and MFA/encryption policy documentation, as detailed in our analysis of Sweden's Cybersecurity Act implementation. The CRA then adds product-level obligations that neither NIS2 nor DORA address: a vendor's organizational compliance does not guarantee that its products meet CRA essential cybersecurity requirements.

What the revised Cybersecurity Act changes

On 20 January 2026, the European Commission proposed a comprehensive overhaul of the original 2019 Cybersecurity Act. The revision introduces a trusted ICT supply chain security framework that formalizes non-technical risk assessment, a first in EU law.

Non-technical risk means the Commission can now evaluate whether a supplier is established in, or controlled by entities from, a third country that poses cybersecurity concerns. The designation criteria include whether that jurisdiction requires vendors to report software or hardware vulnerabilities to state authorities before they are publicly disclosed or fixed (which places exploitable, unpatched flaws in government hands), whether it lacks independent judicial remedies for cybersecurity concerns, and whether it harbors threat actors conducting malicious cyber operations.

The consequences for designated high-risk suppliers are material. They face exclusion from procurement procedures for key ICT components, exclusion from EU funding programs, and prohibition from obtaining EU cybersecurity certification. Operators of electronic communications networks would be required to ensure they do not rely on high-risk suppliers for critical assets.

The most significant provision is retroactive reclassification. The Commission can designate a supplier as high-risk after its products are already deployed, triggering a mandatory phase-out period that should not exceed 36 months. For telecom operators still using equipment from suppliers like Huawei and ZTE, this provision has immediate practical implications. But the mechanism applies across all 18 sectors covered by NIS2, including energy, transport, healthcare, banking, and digital infrastructure.

Fines for supply chain violations under the revised CSA could reach 7% of worldwide turnover, depending on the nature of the breach. That exceeds the penalty ceilings under NIS2 (EUR 10 million or 2% of global turnover for essential entities, EUR 7 million or 1.4% for important entities) and anything in DORA, which leaves administrative penalties for financial entities to member-state law and caps the Lead Overseer's periodic penalty payments against critical ICT third-party providers at 1% of average daily worldwide turnover.

Where the frameworks diverge on supply chain

Compliance obligation windows, January 2025 to December 2027, with a Today marker at April 2026. Tracks shown:
  • DORA: in force; CTPP designation
  • NIS2 / Sweden CSA: Swedish Cybersecurity Act; first audits
  • CRA: reporting obligations; full application
  • Revised CSA (proposed): proposal to adoption (est.); 36-month phase-out (est.)
  • US trade actions: Section 301 investigation period; Section 122 temporary tariffs
Source: Synthesized from European Commission implementation schedules, Swedish Government Offices, and USTR announcements. Revised CSA timeline estimated based on typical EU legislative process.

The table below maps how each framework handles the same vendor governance question. The divergences are where cross-framework exposure emerges.

What it evaluates
  • NIS2: Organizational security posture
  • DORA: ICT operational resilience
  • CRA: Product security by design
  • Revised CSA: Supplier jurisdiction and geopolitical risk

Scope
  • NIS2: 18 sectors (Annex I and II), entity-wide
  • DORA: Financial entities and their ICT systems, plus critical ICT third-party providers
  • CRA: All products with digital elements placed on the EU market
  • Revised CSA: Same 18 NIS2 sectors, applied as a horizontal layer

Supply chain obligation
  • NIS2: Due diligence on direct suppliers and service providers
  • DORA: Register of ICT third-party arrangements and oversight of critical third-party providers
  • CRA: Manufacturer responsibility for security across the product lifecycle
  • Revised CSA: Non-technical risk assessment of supplier origin and control

Incident reporting
  • NIS2: 24h early warning, 72h incident notification, final report within 1 month
  • DORA: Initial notification within 4h of classifying an incident as major (and within 24h of detection), intermediate report within 72h, final report within 1 month
  • CRA: 24h early warning, 72h notification; final report 14 days after a fix is available for actively exploited vulnerabilities, 1 month for severe incidents
  • Revised CSA: Via the NIS2 framework, no separate timeline

What can trigger a supplier change
  • NIS2: Evidence of inadequate security measures
  • DORA: Concentration risk or resilience failure at a critical third-party provider
  • CRA: Non-compliant product withdrawn or recalled from the EU market
  • Revised CSA: High-risk designation based on jurisdiction, applied retroactively, with a phase-out period of up to 36 months

Maximum fine
  • NIS2: EUR 10M or 2% of global turnover (essential entities); EUR 7M or 1.4% (important entities)
  • DORA: Set by member-state law for financial entities; periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT third-party providers
  • CRA: EUR 15M or 2.5% of global turnover
  • Revised CSA: Up to 7% of worldwide turnover (proposed)

The structural gap: NIS2 and DORA assess what a vendor does (security measures, resilience practices). The CRA assesses what a vendor makes (product security). The revised CSA assesses who a vendor is and where it comes from. A vendor can score well on all three operational dimensions and still fail the jurisdictional test, or vice versa.

The geopolitical variable compliance programs miss

The regulatory convergence described above is happening against a backdrop of US-EU trade tensions that create a second layer of vendor exposure no cybersecurity framework currently captures.

On 11 March 2026, the US Trade Representative initiated Section 301 investigations into 16 economies, including the EU, targeting structural excess manufacturing capacity. Separately, the US administration has explicitly characterized EU digital regulation, including the Digital Markets Act and Digital Services Act, as discriminatory against American technology companies. The USTR has signaled that digital regulation could become the basis for its own Section 301 investigation, citing the potential for tariffs or fees on services.

This creates a bidirectional risk that most compliance teams are not structured to see. On one side, the revised CSA's non-technical risk criteria establish a mechanism that could functionally restrict US-origin suppliers from EU critical infrastructure if the Commission determines that US jurisdiction poses cybersecurity concerns. On the other side, US retaliatory measures - whether tariffs, service fees, or regulatory restrictions - could affect EU vendors operating in the US market. Organizations evaluating how vendor trust and political risk affect procurement will recognize this dynamic from the AI platform context.

The structural point extends beyond any single administration or trade dispute. The EU is building permanent mechanisms for technology sovereignty through the CSA2, the Cloud and AI Development Act, and the Digital Omnibus package. The US has demonstrated, across administrations, a willingness to use trade enforcement tools against digital regulation it considers discriminatory. This dynamic will persist regardless of election outcomes on either side of the Atlantic.

No cybersecurity questionnaire currently in use captures jurisdictional or trade-policy exposure. The vendor that passes your NIS2 supply chain assessment and DORA critical third-party review may carry geopolitical risk that only becomes visible when a Commission implementing act or a Section 301 determination changes the regulatory ground underneath a technology relationship you assumed was stable.

How to build the exposure matrix

The gap between running four separate compliance programs and running one integrated vendor governance program is a single tool: a regulatory exposure matrix that maps critical vendors against all applicable frameworks plus jurisdictional risk.

Structure. List critical vendors down the left column. Run NIS2, DORA, CRA, and the revised CSA across the top as separate columns. Add a final column for trade and jurisdictional exposure. For each intersection, document assessment status (compliant, gap identified, not assessed), criteria used, gaps identified, and remediation owner.

Where to start. Prioritize vendors that operate in the infrastructure layer: cloud providers, identity and access management platforms, network equipment suppliers, managed security services, and any vendor whose product is embedded in systems you cannot easily replace. These are the relationships where a forced phase-out under the revised CSA would be most disruptive and most expensive. For organizations deploying AI agents alongside these infrastructure vendors, the AI data governance framework adds another dimension to the assessment.

What to look for. The matrix will surface three categories of findings most organizations miss when running frameworks in isolation. First, vendors with conflicting status across frameworks - satisfying one set of requirements while carrying unaddressed exposure under another. Second, vendors with concentration risk that spans multiple frameworks, where a single provider's failure or restriction would trigger obligations under NIS2, DORA, and potentially the revised CSA simultaneously. Third, vendors with jurisdictional exposure that existing cybersecurity assessments do not capture, including suppliers headquartered in or controlled from jurisdictions that could be designated under the revised CSA's non-technical risk criteria, or suppliers whose market access could be affected by trade enforcement actions in either direction.

Expected outcome. Most organizations will find three to five vendors that create exposure across multiple frameworks they had not previously connected. This takes approximately one focused week with existing procurement, security, and compliance data. It transforms four separate compliance programs into a single strategic vendor governance conversation that the board, the CISO, the procurement function, and legal can all act on. For a detailed look at how Sweden has implemented NIS2 into national law and what that means for affected organizations, see our comprehensive guide to Sweden's Cybersecurity Act 2025.
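The matrix and the three finding categories above are mechanical enough to script. The following is an added example, not part of the original article or the Intelligence Brief template it mentions: a minimal Python model of the matrix (one cell per vendor and framework, each recording status, criteria, gaps and owner) with functions that surface conflicting status, multi-framework concentration and jurisdictional exposure, plus cells nobody has assessed. The vendor names, the JUR-* jurisdiction codes and the watchlist are constructed placeholders; no real supplier or designation is implied, and the priority scoring is an illustrative heuristic, not anything the frameworks prescribe.

```python
"""Regulatory exposure matrix for critical vendors (added example).

Rows are vendors, columns are NIS2 / DORA / CRA / CSA2 plus jurisdiction.
All vendor data and the watchlist below are constructed placeholders.
"""
from dataclasses import dataclass, field

FRAMEWORKS = ("NIS2", "DORA", "CRA", "CSA2")
STATUSES = ("compliant", "gap", "not_assessed")
INFRA_LAYERS = {"cloud", "iam", "network", "mssp"}  # hard-to-replace layers


@dataclass
class Cell:
    """One vendor x framework intersection: status, criteria, gaps, owner."""
    status: str = "not_assessed"
    criteria: str = ""
    gaps: tuple = ()
    owner: str = ""

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")


@dataclass
class Vendor:
    name: str
    layer: str              # cloud, iam, network, mssp, saas, ...
    hq: str                 # jurisdiction of establishment (placeholder code)
    controlled_from: str    # jurisdiction of ultimate control (placeholder code)
    replaceable: bool       # can the product be swapped without a major programme?
    in_scope: frozenset     # frameworks whose regulated systems depend on this vendor
    cells: dict = field(default_factory=dict)  # framework -> Cell

    def cell(self, fw):
        # A missing column is reported as not assessed, never as compliant.
        return self.cells.get(fw, Cell())


def matrix_rows(vendors):
    """Flatten into (vendor, framework, status) rows, one per intersection."""
    return [(v.name, fw, v.cell(fw).status) for v in vendors for fw in FRAMEWORKS]


def conflicting_status(v):
    """Finding 1: compliant under at least one framework, a gap under another."""
    statuses = {v.cell(fw).status for fw in FRAMEWORKS}
    return "compliant" in statuses and "gap" in statuses


def concentration_risk(v):
    """Finding 2: one failure or restriction triggers obligations under 2+ frameworks."""
    return len(v.in_scope & set(FRAMEWORKS)) >= 2


def jurisdictional_exposure(v, watchlist):
    """Finding 3: established in, or controlled from, a watchlisted jurisdiction."""
    return v.hq in watchlist or v.controlled_from in watchlist


def unassessed(v):
    """Cells with no assessment at all; silence here is exposure, not compliance."""
    return tuple(fw for fw in FRAMEWORKS if v.cell(fw).status == "not_assessed")


def findings(vendors, watchlist):
    out = {"conflicting": [], "concentration": [], "jurisdictional": [], "unassessed": []}
    for v in vendors:
        if conflicting_status(v):
            out["conflicting"].append(v.name)
        if concentration_risk(v):
            out["concentration"].append(v.name)
        if jurisdictional_exposure(v, watchlist):
            out["jurisdictional"].append(v.name)
        if unassessed(v):
            out["unassessed"].append((v.name, unassessed(v)))
    return out


def phase_out_priority(v, watchlist):
    """Illustrative heuristic: how painful would a forced supplier change be?"""
    score = 2 if v.layer in INFRA_LAYERS else 0
    score += 0 if v.replaceable else 2
    score += len(v.in_scope)
    score += 3 if jurisdictional_exposure(v, watchlist) else 0
    return score


def prioritized(vendors, watchlist):
    """Vendor names, most disruptive phase-out first."""
    return [v.name for v in sorted(vendors, key=lambda v: -phase_out_priority(v, watchlist))]


# Constructed sample data: placeholder vendors and jurisdiction codes only.
WATCHLIST = {"JUR-C"}
SAMPLE_VENDORS = [
    Vendor("cloud-a", "cloud", "JUR-C", "JUR-C", False, frozenset({"NIS2", "DORA"}), {
        "NIS2": Cell("compliant", "Art. 21 supply chain measures", (), "ciso"),
        "DORA": Cell("compliant", "ICT third-party register", (), "ciso"),
        "CRA": Cell("compliant", "CE conformity evidence", (), "procurement"),
        "CSA2": Cell("gap", "non-technical risk", ("controlled from JUR-C",), "legal")}),
    Vendor("iam-b", "iam", "JUR-A", "JUR-A", False, frozenset({"NIS2"}), {
        "NIS2": Cell("compliant", "Art. 21 supply chain measures", (), "ciso")}),
    Vendor("net-c", "network", "JUR-A", "JUR-B", True, frozenset({"NIS2"}), {
        "NIS2": Cell("gap", "Art. 21", ("no patch SLA in contract",), "procurement"),
        "CRA": Cell("compliant", "CE conformity evidence", (), "procurement"),
        "CSA2": Cell("compliant", "non-technical risk", (), "legal")}),
    Vendor("mssp-d", "mssp", "JUR-A", "JUR-A", True, frozenset({"NIS2", "DORA"}), {
        fw: Cell("compliant", "contract review", (), "ciso") for fw in FRAMEWORKS}),
]

if __name__ == "__main__":
    for row in matrix_rows(SAMPLE_VENDORS):
        print("%-8s %-5s %s" % row)
    print(findings(SAMPLE_VENDORS, WATCHLIST))
    print(prioritized(SAMPLE_VENDORS, WATCHLIST))
```

Two design choices matter. A missing cell is reported as not assessed rather than silently treated as fine, which is exactly the CSA2 column most existing programs have never filled in. And concentration is computed from which frameworks' regulated systems depend on the vendor, not from the vendor's own compliance status, because a fully compliant provider can still be the single point whose restriction fires NIS2 and DORA obligations at once.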

The full Intelligence Brief - covering the complete four-framework comparison matrix, exposure matrix template with worked examples, remediation prioritization by maturity level, and the regulatory timeline with key compliance milestones - is available below.

Work With Us

Assess Your Cross-Framework Vendor Exposure

Innovaiden works with leadership teams deploying AI agents across their organizations - from initial setup and training to security framework alignment and governance readiness. Reach out to discuss how we can help your team.

Frequently Asked Questions

What are the four EU cybersecurity frameworks that converge on vendor risk?

NIS2 evaluates organizational supply chain due diligence and incident reporting. DORA evaluates ICT operational resilience for financial entities. The Cyber Resilience Act evaluates product security by design. The revised Cybersecurity Act (CSA2), proposed January 2026, evaluates non-technical risk including supplier jurisdiction, ownership, and government exposure. Each applies different assessment criteria to the same vendor relationship.

What is the revised Cybersecurity Act's non-technical risk assessment?

The revised CSA introduces a formal mechanism for the European Commission to evaluate whether an ICT supplier's country of origin, government influence exposure, or geopolitical alignment creates cybersecurity concerns. The Commission can designate suppliers as high-risk and require phase-out of already-deployed components within 36 months, with fines up to 7% of worldwide turnover.

Can a vendor pass one EU framework and fail another?

Yes. A cloud provider can satisfy NIS2 supply chain due diligence, meet DORA's critical third-party standards, and ship CRA-compliant products, yet still be designated as a high-risk supplier under the revised CSA because of where it is headquartered or who controls it. The frameworks assess structurally different dimensions: what a vendor does, what it makes, and who it is.

What is a regulatory exposure matrix and how does it help?

A regulatory exposure matrix maps critical vendors against all four frameworks plus jurisdictional risk in a single view. For each vendor-framework intersection, it documents assessment status, criteria used, gaps identified, and remediation owner. Most organizations running this exercise discover three to five vendors with cross-framework exposure they had not previously connected.

How do US trade tensions affect EU vendor compliance?

Section 301 investigations and tariff actions create a second layer of vendor exposure no cybersecurity framework currently captures. The revised CSA's non-technical risk criteria could functionally restrict US-origin suppliers from EU critical infrastructure, while US retaliatory measures could affect EU vendors in the American market. This bidirectional risk sits outside current compliance questionnaires.

Sources

  1. European Parliament and Council. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). eur-lex.europa.eu. 2024.
  2. European Commission. Proposal for a revised Cybersecurity Act (CSA2) - trusted ICT supply chain security framework. ec.europa.eu. 2026.
  3. European Parliament and Council. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). eur-lex.europa.eu. 2022.
  4. European Parliament and Council. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (NIS2). eur-lex.europa.eu. 2022.
  5. Swedish Government Offices. Cybersecurity Act (Lag om cybersäkerhet, SFS 2025:10). regeringen.se. 2025.
  6. USTR. Section 301 investigation announcements. ustr.gov. 2026.
  7. European Commission. Inception impact assessment for the revised Cybersecurity Act. ec.europa.eu. 2025.