Weekly Regulatory Recap #13 — NIS2, GDPR, CRA: The 5 Key Regulatory Updates

Strengthened NIS2 Support

ANSSI publishes new practical guides to help essential and important entities comply with the NIS2 directive.

• ›New sector-specific guides available on the ANSSI website
• ›Focus on security obligations for essential entities
• ›Transposition deadline: October 2026 — preparation must start now

CEF 2026: Coordinated Action on Transparency

The European Data Protection Board launches a coordinated action targeting information obligations (Articles 12 to 14 of the GDPR).

• ›Controls on the quality and accessibility of legal notices
• ›Verification of privacy policy compliance
• ›Risk of coordinated sanctions between national authorities

Cyber Threat Landscape 2025: +35% in Attacks

ANSSI publishes its annual report on the state of cyber threats in France.

• ›+35% incidents handled compared to 2024
• ›Ransomware remains the main threat for businesses
• ›Increasing targeting of local authorities and healthcare institutions

CRA: Market Surveillance Structure Being Set Up

The EU structures the governance of the Cyber Resilience Act with the appointment of the Market Surveillance Group Chair.

• ›Progressive establishment of the surveillance structure
• ›Future obligations for manufacturers of connected products
• ›Full application scheduled for 2027

ENISA: Moving Towards CVE Root Authority Role

The European cybersecurity agency is evolving towards a CVE Root Authority role, strengthening European coordination.

• ›Enhanced coordination for vulnerability management in Europe
• ›Standardisation of responsible disclosure processes
• ›Reduced dependency on the US CVE system (MITRE)