← Zurück zum Sicherheitsblog
Compliance & Regulierung
22. März 2026
10 Min. Lesezeit
CRA-Durchsetzung beginnt mit erstem Verwaltungskooperationsgruppen-Treffen, KI-Board entwickelt Strategie weiter, ENISA startet KMU-Bereitschaftsumfrage
Eine wegweisende Woche für die EU-Cybersicherheitsregulierung. The Cyber Resilience Act moves from paper to practice with the first Administrative Cooperation Group meeting. The AI Board convenes its 7th session to shape enforcement strategy. ENISA surveys SMEs on CRA readiness. The Digital Europe Programme pivots to meet evolving threats. And FBI warnings about Russian intelligence targeting encrypted messaging apps underscore why NIS2 incident reporting matters more than ever.
Automatisieren Sie Ihre Compliance...
Kontinuierliche Compliance-Überwachung für NIS2, DORA, CRA, DSGVO und EU AI Act....
Kostenlose Bewertung starten →
🏛️ Cyber Resilience Act: First Administrative Cooperation Group Convenes
Milestone — CRA Enforcement Infrastructure Activated
On March 20, 2026, the European Commission convened the first meeting of the Administrative Cooperation Group for the Cyber Resilience Act (CRA). This marks the transition from legislation to active enforcement preparation — the machinery that will hold product manufacturers accountable is now operational.
The Administrative Cooperation Group brings together national market surveillance authorities from across EU member states. Its mandate: coordinate the enforcement of cybersecurity requirements for all products with digital elements sold in the European single market.
What This Means for Organizations
The group's activation signals that enforcement is no longer theoretical. Market surveillance authorities are now coordinating on:
- Harmonized enforcement procedures: Ensuring consistent application of CRA requirements across all 27 member states
- Product testing protocols: Establishing common methodologies for verifying product cybersecurity compliance
- Cross-border cooperation: Streamlining the process for removing non-compliant products from multiple national markets simultaneously
- Penalty frameworks: Aligning approaches to sanctions, which can reach up to €15 million or 2.5% of global annual turnover
Critical CRA Timeline
| Date | Obligation |
| Sep 2026 | Vulnerability and incident reporting obligations begin |
| Dec 2027 | Full compliance required for all products with digital elements |
| Ongoing | Security updates required for product lifetime or minimum 5 years |
Action required: Product manufacturers, software companies, and IoT vendors must begin compliance programs immediately. With the Administrative Cooperation Group now active, enforcement actions can begin as soon as the September 2026 reporting deadline hits. Don't wait for December 2027 — the first obligations are six months away.
🤖 AI Board Convenes 7th Meeting on Enforcement Strategy
Also on March 20, the EU AI Board held its 7th meeting, bringing together representatives from all member states to discuss the latest developments in the Commission's AI strategy. The Board is the key governance body responsible for ensuring consistent application of the EU AI Act across the Union.
Key Discussion Points
- Harmonized standards: Progress on developing technical standards for high-risk AI system compliance, due to apply from August 2026
- General-purpose AI models: Enforcement approaches for providers of foundation models, including transparency and copyright obligations
- National enforcement bodies: Coordination between member state AI authorities on inspection methodologies and expertise sharing
- AI Office guidelines: Review of the EU AI Office's latest guidance documents on prohibited AI practices, which have been in effect since February 2025
August 2026 — High-Risk AI Obligations Take Effect
Organizations deploying AI systems in areas like critical infrastructure, employment, law enforcement, or education must comply with the EU AI Act's high-risk requirements starting August 2, 2026. This includes mandatory risk assessments, human oversight mechanisms, data quality requirements, and technical documentation. The window for preparation is closing rapidly.
📊 ENISA Surveys SMEs on CRA Readiness
On March 18, ENISA launched a targeted survey for small and medium-sized enterprises to assess their awareness of and readiness for the Cyber Resilience Act. The survey aims to understand three critical dimensions:
- CRA awareness levels: Do SMEs know the regulation exists and understand their obligations?
- Readiness and maturity: How prepared are SMEs to meet cybersecurity requirements for their products?
- Support needs: What kind of guidance, tools, and resources would SMEs find most useful?
This is significant because SMEs represent the majority of product manufacturers in the EU. Many lack dedicated security teams and may struggle to meet CRA requirements — particularly SBOM documentation, vulnerability handling processes, and conformity assessment procedures.
If you're an SME manufacturing products with digital elements: Participate in the ENISA survey. Your input will directly shape the support resources the EU develops. More importantly, engaging with the survey now forces an internal conversation about CRA readiness that your organization likely needs to have.
💶 Digital Europe Programme Adapts to Evolving Threats
On March 19, the European Commission announced that the Digital Europe Programme is being restructured to better deliver on Europe's evolving digital security needs. The programme funds cybersecurity capacity building, including:
- National SOC networks: Cross-border Security Operations Centers for threat detection and intelligence sharing
- Cybersecurity skills: Training programmes to address the chronic shortage of cybersecurity professionals across member states
- SME support tools: Practical resources and certification assistance for smaller organizations facing NIS2 and CRA compliance
- AI cybersecurity: Funding for research into AI-powered threat detection and response capabilities
Separately, the European Cybersecurity Competence Centre (ECCC) opened a new Horizon Europe call worth €56.2 million on March 17, specifically targeting cybersecurity research and innovation. This represents one of the largest single funding rounds dedicated to EU cybersecurity R&D.
🔐 FBI Warning: Russian Intelligence Targets Encrypted Messaging — NIS2 Implications
On March 20, the FBI issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of Signal, WhatsApp, and other encrypted messaging apps through sophisticated phishing campaigns. Thousands of accounts have already been compromised.
Why This Matters for NIS2 Compliance
The attack campaign has direct implications for organizations subject to NIS2 obligations:
- Incident reporting: If your employees use encrypted messaging for business communications and their accounts are compromised, this may trigger NIS2's 24-hour early warning and 72-hour incident notification requirements
- Supply chain risk: Compromised messaging accounts can be used to impersonate trusted contacts, potentially breaching supply chain communications covered under NIS2
- Security measures: NIS2 requires "appropriate and proportionate" technical measures — organizations should review whether encrypted messaging policies include phishing-resistant authentication mechanisms
- State-sponsored threats: NIS2 explicitly addresses nation-state threat actors. This FBI warning provides concrete intelligence that should be incorporated into organizational risk assessments
Immediate Action Required
Organizations should issue internal advisories about the Signal/WhatsApp phishing campaign, enable registration lock on all corporate messaging accounts, audit linked devices on encrypted messaging platforms, and update incident response playbooks to cover messaging account compromise scenarios.
📈 NIS2 & DORA Status Update
NIS2: Cross-Border Cooperation Accelerating
- ENISA continues its EU Agencies Network (EUAN) chairmanship through 2026, with cybersecurity governance across EU institutions as a top priority
- ENISA's updated International Strategy (published February 9) strengthens alignment with EU international cybersecurity policies and promotes EU values in global cybersecurity governance
- ENISA as CVE Root: Since November 2025, ENISA serves as a CVE Program-Root, centralizing European vulnerability coordination — a capability directly supporting NIS2's vulnerability disclosure requirements
- Cybersecurity Exercise Methodology (published February 16) provides organizations with a structured framework for building internal cybersecurity exercises — directly supporting NIS2's testing requirements
DORA: Q1 2026 Compliance Checkpoint
The Digital Operational Resilience Act has been enforceable since January 17, 2025. Financial entities should now be in full compliance. Key activities for Q1 2026:
- Complete ICT third-party risk registers with all critical and important service providers identified
- Submit ICT-related incident reports using the European Supervisory Authorities' standardized templates
- Conduct first round of threat-led penetration testing (TLPT) for significant financial institutions
- Finalize information-sharing arrangements with industry peers through established ISACs
🗓️ Upcoming Regulatory Deadlines
| Date | Regulation | Milestone |
| Jun 2026 | NIS2 | Netherlands: Entity self-assessment deadline |
| Aug 2026 | EU AI Act | High-risk AI system obligations apply |
| Sep 2026 | CRA | Vulnerability & incident reporting obligations begin |
| Q4 2026 | DORA | First TLPT cycle completion for significant entities |
| 2027 | EU AI Act | General-purpose AI model obligations apply |
| Dec 2027 | CRA | Full product compliance required |
✅ Compliance Action Items This Week
- CRA: Track the Administrative Cooperation Group's outputs. Begin product inventory and SBOM documentation if you haven't already. September 2026 is six months away.
- EU AI Act: Classify your AI systems against the risk categories. High-risk obligations apply from August 2026 — less than five months away.
- ENISA SME Survey: If you're an SME manufacturing digital products, participate in the CRA readiness survey to shape the support resources you'll receive.
- NIS2: Issue internal advisory about the Russian intelligence messaging phishing campaign. Review encrypted messaging security policies. Update threat assessment documentation.
- DORA: Ensure Q1 ICT incident reports are filed. Complete TLPT scoping for significant financial entities. Verify third-party risk register completeness.
- Funding: Review the ECCC's €56.2M Horizon Europe call — cybersecurity R&D funding of this scale is rare. Application deadlines are typically 90 days.
Automatisieren Sie Ihre Compliance mit KENSAI
Kontinuierliche Compliance-Überwachung für NIS2, DORA, CRA, DSGVO und EU AI Act. Echtzeit-Regulierungsverfolgung mit automatisierter Lückenanalyse.
Kostenlose Bewertung starten →
Bleiben Sie compliant. Bleiben Sie voraus.
🗡️ KENSAI Compliance Intelligence
22. März 2026