The cyber resilience regulatory framework you need to know

CRA, NIS2, Cybersecurity Act, Executive Order 14028. Deadlines, requirements, sanctions and how to prepare.

Key deadlines

The dates you can't ignore

Already active

NIS2 now in force

Risk management and incident reporting obligations are now applicable

11 June 2026

Notified bodies designated

CRA certification bodies will be operational

11 September 2026

Reporting obligations active

24h reporting of exploited vulnerabilities mandatory

11 December 2027

Full CRA application

All products must meet essential requirements

CRA

Cyber Resilience Act

What is CRA?

The Cyber Resilience Act is the European regulation establishing cybersecurity requirements for all products with digital elements. It applies to manufacturers, importers and distributors of hardware and software marketed in the EU. The guiding principle is 'cybersecurity by design': security must be built in from the design phase, not added later.

Main requirements

  • Art. 10: Essential cybersecurity requirements
  • Art. 11: Vulnerability management
  • Art. 12: Security updates (min. 5 years)
  • Art. 14: Exploited vulnerability reporting (24h)
  • Art. 28: EU Declaration of Conformity
  • Art. 30: Mandatory CE marking
  • Art. 31: Technical documentation (10 year retention)

Sanctions

Up to 15M EUR or 2% of worldwide turnover

For non-compliance with the essential requirements, lack of cooperation with authorities, or reporting failures

How EMETHRA helps

  • Automatic SBOM generation (SPDX, CycloneDX)
  • CRA Annex VII documentation ready for audit
  • Vulnerability alerts for 24h reporting
  • Automated EU Declaration of Conformity

NIS2

Network and Information Security Directive

What is NIS2?

The NIS2 Directive significantly expands the scope of its predecessor, including new sectors and establishing clearer criteria. Article 21 establishes risk management measures that covered entities must implement and demonstrate to competent authorities.

Art. 21 Measures

  • Risk analysis: continuous
  • Incident management: continuous
  • Early warning: 24h
  • Incident notification: 72h
  • Final report: 1 month

Sanctions

Essential entities: up to 10M EUR / 2% of worldwide turnover
Important entities: up to 7M EUR / 1.4% of worldwide turnover

Cybersecurity Act

European certification framework

Basic Level

Manufacturer self-declaration. For low-risk products.

Substantial Level

Notified Body evaluation. For medium-risk products.

High Level

Rigorous evaluation + testing. For critical products.

USA Regulations

Executive Order 14028 + NIST SP 800-218

Executive Order 14028

The May 2021 executive order requires software vendors to the federal government to provide an SBOM. It sets a precedent that the American private sector is adopting.

NIST SP 800-218 (SSDF)

The Secure Software Development Framework establishes practices for producing secure software. It includes requirements for dependency management, code analysis and vulnerability response.

Why does it matter if I'm a European company?

If you sell software to American companies, especially through federal channels or to companies working with the government, you need to meet these requirements. Additionally, many private companies are adopting these standards as a reference.

Regulations comparison

Regulation             Region   Key deadline   Max sanction
Cyber Resilience Act   EU       Sept 2026      15M EUR / 2%
NIS2 Directive         EU       Active         10M EUR / 2%
Cybersecurity Act      EU       Progressive    Loss of certification
EO 14028 + NIST        USA      Active         Exclusion from federal procurement

Need help with compliance?

EMETHRA automates documentation generation and alerts you to critical deadlines.

Request Product Snapshot