
Five Frameworks, One Vendor: How NIS2, DORA, CRA, the Revised CSA, and the EU AI Act Create Cross-Framework Exposure

By Dritan Saliovski

European enterprises are now subject to five converging EU frameworks: NIS2, DORA, the Cyber Resilience Act, the proposed revised Cybersecurity Act, and the AI Act. Each evaluates different dimensions of the same vendor relationship. A supplier that satisfies one framework can be disqualified under another. Most compliance teams are still running these as separate programs, which means the cross-framework exposure stays invisible until it surfaces as a regulatory finding or a forced technology replacement.

Key Takeaways

  • The revised Cybersecurity Act (CSA2), proposed January 2026, introduces "non-technical risk" as a formal criterion for assessing ICT suppliers: country of origin, government influence exposure, and geopolitical alignment now factor into procurement decisions across 18 critical sectors
  • The Commission can retroactively designate a supplier as high-risk and require phase-out of already-deployed components within 36 months, a first in EU cybersecurity law
  • The EU AI Act adds a fifth lens: any vendor selling, integrating, or operating AI systems faces classification (prohibited / high-risk / limited / minimal) and provider-deployer-importer obligations that overlap NIS2 and CRA but apply distinct AI-specific tests; the November 2025 Digital Omnibus proposes deferring high-risk obligations from August 2026 to December 2027, forcing vendors to plan two parallel timelines
  • CRA reporting obligations begin 11 September 2026; NIS2 audits are underway across member states; DORA has been in force since January 2025. Compliance timelines are converging, not sequenced
  • Fines for revised CSA supply chain violations could reach 7% of global turnover; AI Act fines for prohibited practices reach the same ceiling — these are the highest penalty ceilings in the current EU regulatory stack
  • A single regulatory exposure matrix across all five frameworks converts fragmented compliance programs into one strategic vendor governance conversation

Key figures:

  • 7%: maximum fine under the revised CSA (of global turnover). Source: European Commission CSA2 proposal, January 2026
  • 36 months: maximum phase-out period for high-risk suppliers. Source: revised CSA Article provisions, 2026
  • 18: critical sectors covered by NIS2 and the revised CSA. Source: NIS2 Directive, Annex I and II

Figure: EU cybersecurity regulatory timeline from 2024 to 2027 showing DORA, NIS2, CRA, revised CSA, and US trade action milestones, with a Today marker at April 2026.
Source: Synthesized from European Commission, USTR, and member state implementation schedules. Revised CSA timeline estimated based on typical EU legislative process.

Five frameworks, five different questions about the same vendor

Each framework evaluates a different risk dimension. NIS2 asks whether your organization manages cybersecurity risk across its supply chain, with incident reporting obligations and management accountability. DORA asks whether financial entities can maintain operational resilience through ICT disruptions, with prescriptive requirements for critical third-party provider oversight and resilience testing. The Cyber Resilience Act asks whether the products you deploy were designed and maintained with security built in, with vulnerability reporting and conformity assessment obligations. The revised Cybersecurity Act asks a question none of the others touch: whether the supplier's jurisdiction, ownership structure, and government exposure create non-technical risks that compromise the security of EU critical infrastructure. The EU AI Act adds the fifth question: how the vendor's AI systems are classified (prohibited, high-risk, limited-risk, or minimal-risk), what role the vendor plays (provider, deployer, importer, distributor), and which obligations attach to that combination — including transparency, conformity assessment, post-market monitoring, and the GPAI rules that took effect 2 August 2025.

Figure: Four-circle Venn diagram showing what NIS2, DORA, CRA, and the revised CSA each evaluate about the same vendor, with overlapping areas for shared requirements such as risk assessment, reporting obligations, and supply chain security.
The four cybersecurity-specific lenses, overlapping but not aligned. The EU AI Act adds a fifth dimension (AI risk classification and provider/deployer roles) covered separately below. No framework covers trade or tariff risk.

These are not overlapping requirements with minor variations. They are structurally different assessment dimensions applied to the same supplier relationship. A cloud provider can satisfy NIS2 supply chain due diligence requirements, meet DORA's critical third-party standards, ship CRA-compliant products, and comply with AI Act provider obligations on its hosted models, yet still be designated as a high-risk supplier under the revised CSA because of where it is headquartered or who controls it.

The lex specialis principle adds complexity rather than clarity. DORA prevails over NIS2 where they directly overlap for financial entities, but the revised CSA introduces a horizontal layer that cuts across both. An organization subject to DORA still faces NIS2 obligations in areas DORA does not cover, specifically personnel security measures and MFA/encryption policy documentation, as detailed in our analysis of Sweden's Cybersecurity Act implementation. The CRA then adds product-level obligations that neither NIS2 nor DORA address: a vendor's organizational compliance does not guarantee that its products meet CRA essential cybersecurity requirements.

What the revised Cybersecurity Act changes

On 20 January 2026, the European Commission proposed a comprehensive overhaul of the original 2019 Cybersecurity Act. The revision introduces a trusted ICT supply chain security framework that formalizes non-technical risk assessment, a first in EU law.

Non-technical risk means the Commission can now evaluate whether a supplier is established in, or controlled by entities from, a third country that poses cybersecurity concerns. The designation criteria include whether that jurisdiction requires vendors to disclose software or hardware vulnerabilities to local authorities before they are exploited, whether it lacks independent judicial remedies for cybersecurity concerns, and whether it harbors threat actors conducting malicious cyber operations.

The consequences for designated high-risk suppliers are material. They face exclusion from procurement procedures for key ICT components, exclusion from EU funding programs, and prohibition from obtaining EU cybersecurity certification. Operators of electronic communications networks would be required to ensure they do not rely on high-risk suppliers for critical assets.

The most significant provision is retroactive reclassification. The Commission can designate a supplier as high-risk after its products are already deployed, triggering a mandatory phase-out period that should not exceed 36 months. For telecom operators still using equipment from suppliers like Huawei and ZTE, this provision has immediate practical implications. But the mechanism applies across all 18 sectors covered by NIS2, including energy, transport, healthcare, banking, and digital infrastructure.

Fines for supply chain violations under the revised CSA could reach 7% of worldwide turnover, depending on the nature of the breach. That exceeds the penalty ceilings under NIS2 (EUR 10 million or 2% of turnover for essential operators) and DORA (EUR 5 million or 2% of turnover).

What the EU AI Act adds — and what the Digital Omnibus changed

The AI Act (Regulation (EU) 2024/1689) is the fifth framework most vendor-risk programs still treat as a separate workstream. It is not. Any supplier that provides, integrates, deploys, or distributes AI systems in the EU is now in scope under one of four risk classifications, with obligations that overlap NIS2 (cybersecurity risk management), CRA (product conformity), and the revised CSA (jurisdictional supplier risk for general-purpose AI with systemic risk).

The AI Act's structure is risk-tiered:

  • Prohibited practices (subliminal manipulation, social scoring, untargeted facial-recognition scraping) — fines up to EUR 35 million or 7% of global turnover, whichever is higher
  • High-risk AI systems (Annex III categories: critical infrastructure, employment, essential services, law enforcement, migration, justice, education) — conformity assessment, risk management system, data governance, human oversight, post-market monitoring; fines up to EUR 15 million or 3% of turnover
  • Limited-risk (chatbots, generative content) — transparency obligations
  • Minimal-risk — voluntary codes of conduct
  • General-purpose AI (GPAI) — separate provider obligations on technical documentation, training data summaries, copyright compliance; additional obligations for GPAI with systemic risk

The 2 August 2025 milestone took effect on schedule: GPAI provider obligations and the AI literacy duty are now law. The 2 August 2026 milestone — high-risk AI obligations — is what the Digital Omnibus package proposed on 19 November 2025 to defer.

The Digital Omnibus, presented as a simplification package across multiple digital regulations, includes a draft amendment that would push the AI Act's high-risk applicability date from 2 August 2026 to 2 December 2027. As of the most recent reporting, the proposal is in trilogue negotiation; outcomes are not yet final. For vendors and procurement teams, the practical consequence is uncomfortable: until trilogue concludes, you must plan for both timelines. A high-risk AI system being deployed in mid-2026 cannot assume the deferral will pass; nor can a 2027 roadmap assume the original deadline will hold.

AI Act dimensions and their practical implications for vendor exposure:

  • Risk classification: even a vendor that does not sell AI as a product can become a "deployer" of a high-risk AI system simply by integrating one. The classification follows the use case, not the vendor's marketing
  • Provider-deployer-importer roles: a US vendor selling a model to an EU integrator can land both parties with overlapping obligations; the integrator may inherit "provider" status if it substantially modifies the system
  • GPAI systemic-risk threshold: models trained with cumulative compute above 10²⁵ FLOPs trigger systemic-risk obligations including incident reporting, adversarial testing, and serious-incident notification
  • Digital Omnibus deferral (proposed): high-risk obligations may shift from Aug 2026 to Dec 2027; vendors must maintain readiness for the original deadline until trilogue concludes

For the broader regulatory framework comparison, see the EU AI Act in the context of converging cyber and AI regulation. For how political risk affects AI vendor procurement specifically, see AI vendor trust and political risk in due diligence.

Where the frameworks diverge on supply chain

Figure: Compliance obligation windows, January 2025 to December 2027, with a Today marker. Tracks shown: DORA (in force; CTPP designation), NIS2 / Sweden Cybersecurity Act (SE Cybersecurity Act; first audits), CRA (reporting obligations; full application), revised CSA, proposed (proposal to adoption, est.; 36-month phase-out, est.), and US trade actions (Section 301 investigation period; Section 122 temporary tariffs).
Source: Synthesized from European Commission implementation schedules, Swedish Government Offices, and USTR announcements. Revised CSA timeline estimated based on typical EU legislative process.

The table below maps how each framework handles the same vendor governance question. The divergences are where cross-framework exposure emerges.

Assessment dimension: what it evaluates
  • NIS2: organizational security posture
  • DORA: ICT operational resilience
  • CRA: product security by design
  • Revised CSA: supplier jurisdiction and geopolitical risk
  • EU AI Act: AI system risk classification and provider/deployer obligations

Assessment dimension: scope
  • NIS2: 18 sectors, entity-wide
  • DORA: financial sector, ICT systems
  • CRA: all products with digital elements on the EU market
  • Revised CSA: same 18 NIS2 sectors (horizontal layer)
  • EU AI Act: all AI systems placed on the EU market or whose output is used in the EU; GPAI providers globally

Assessment dimension: supply chain obligation
  • NIS2: due diligence on direct suppliers and service providers
  • DORA: critical third-party provider register and oversight
  • CRA: manufacturer responsibility for product lifecycle security
  • Revised CSA: non-technical risk assessment of supplier origin and control
  • EU AI Act: provider/deployer/importer obligations flow through the AI value chain; substantial modification can shift roles

Assessment dimension: incident reporting
  • NIS2: 24h early warning, 72h notification, 1-month final report
  • DORA: 4h initial classification, 72h intermediate, 1-month final
  • CRA: 24h vulnerability/incident report, 72h follow-up, 14-day final (vulnerabilities) / 1-month (incidents)
  • Revised CSA: via the NIS2 framework (no separate timeline)
  • EU AI Act: serious-incident reporting for high-risk AI; GPAI systemic-risk providers report to the AI Office

Assessment dimension: what can trigger a supplier change
  • NIS2: evidence of inadequate security measures
  • DORA: concentration risk or resilience failure at a CTPP
  • CRA: non-compliant product recalled from the EU market
  • Revised CSA: high-risk designation based on jurisdiction, retroactive, with 36-month phase-out
  • EU AI Act: reclassification of a system as high-risk; loss of CE marking; failed conformity assessment

Assessment dimension: maximum fine
  • NIS2: EUR 10M or 2% of global turnover
  • DORA: EUR 5M or 2% of global turnover
  • CRA: EUR 15M or 2.5% of global turnover
  • Revised CSA: up to 7% of worldwide turnover
  • EU AI Act: EUR 35M or 7% of turnover (prohibited practices); EUR 15M or 3% (high-risk non-compliance)

Assessment dimension: key timeline (as of May 2026)
  • NIS2: in force; member state audits underway
  • DORA: in force since Jan 2025
  • CRA: reporting begins 11 Sep 2026
  • Revised CSA: CSA2 proposed Jan 2026, in negotiation
  • EU AI Act: GPAI in force Aug 2025; high-risk obligations Aug 2026 (Digital Omnibus may defer to Dec 2027)

The structural gap: NIS2 and DORA assess what a vendor does (security measures, resilience practices). The CRA assesses what a vendor makes (product security). The revised CSA assesses who a vendor is and where it comes from. The AI Act assesses what the vendor's AI system can do and what role the vendor plays in its lifecycle. A vendor can score well on the four operational and product dimensions and still fail the jurisdictional or AI classification test.

The geopolitical variable compliance programs miss

The regulatory convergence described above is happening against a backdrop of US-EU trade tensions that create a second layer of vendor exposure no cybersecurity framework currently captures.

On 11 March 2026, the US Trade Representative initiated Section 301 investigations into 16 economies, including the EU, targeting structural excess manufacturing capacity. Separately, the US administration has explicitly characterized EU digital regulation, including the Digital Markets Act and Digital Services Act, as discriminatory against American technology companies. The USTR has signaled that digital regulation could become the basis for its own Section 301 investigation, citing the potential for tariffs or fees on services.

This creates a bidirectional risk that most compliance teams are not structured to see. On one side, the revised CSA's non-technical risk criteria establish a mechanism that could functionally restrict US-origin suppliers from EU critical infrastructure if the Commission determines that US jurisdiction poses cybersecurity concerns. On the other side, US retaliatory measures, whether tariffs, service fees, or regulatory restrictions, could affect EU vendors operating in the US market. Organizations evaluating how vendor trust and political risk affect procurement will recognize this dynamic from the AI platform context.

The structural point extends beyond any single administration or trade dispute. The EU is building permanent mechanisms for technology sovereignty through the CSA2, the Cloud and AI Development Act, and the Digital Omnibus package. The US has demonstrated, across administrations, a willingness to use trade enforcement tools against digital regulation it considers discriminatory. This dynamic will persist regardless of election outcomes on either side of the Atlantic.

No cybersecurity questionnaire currently in use captures jurisdictional or trade-policy exposure. The vendor that passes your NIS2 supply chain assessment and DORA critical third-party review may carry geopolitical risk that only becomes visible when a Commission implementing act or a Section 301 determination changes the regulatory ground underneath a technology relationship you assumed was stable.

How to build the exposure matrix

The gap between running four separate compliance programs and running one integrated vendor governance program is a single tool: a regulatory exposure matrix that maps critical vendors against all applicable frameworks plus jurisdictional risk.

Structure. List critical vendors down the left column. Run NIS2, DORA, CRA, the revised CSA, and the AI Act across the top as separate columns. Add a final column for trade and jurisdictional exposure. For each intersection, document assessment status (compliant, gap identified, not assessed), criteria used, gaps identified, and remediation owner. For AI Act specifically, capture the system's risk classification, the vendor's role (provider / deployer / importer / distributor), and which timeline applies — the original 2 August 2026 deadline or the proposed 2 December 2027 deferral.

Where to start. Prioritize vendors that operate in the infrastructure layer: cloud providers, identity and access management platforms, network equipment suppliers, managed security services, and any vendor whose product is embedded in systems you cannot easily replace. These are the relationships where a forced phase-out under the revised CSA would be most disruptive and most expensive. For organizations deploying AI agents alongside these infrastructure vendors, the AI data governance framework adds another dimension to the assessment.

What to look for. The matrix will surface three categories of findings most organizations miss when running frameworks in isolation. First, vendors with conflicting status across frameworks, satisfying one set of requirements while carrying unaddressed exposure under another. Second, vendors with concentration risk that spans multiple frameworks, where a single provider's failure or restriction would trigger obligations under NIS2, DORA, and potentially the revised CSA simultaneously. Third, vendors with jurisdictional exposure that existing cybersecurity assessments do not capture, including suppliers headquartered in or controlled from jurisdictions that could be designated under the revised CSA's non-technical risk criteria, or suppliers whose market access could be affected by trade enforcement actions in either direction.

Expected outcome. Most organizations will find three to five vendors that create exposure across multiple frameworks they had not previously connected. This takes approximately one focused week with existing procurement, security, and compliance data. It transforms four separate compliance programs into a single strategic vendor governance conversation that the board, the CISO, the procurement function, and legal can all act on. For a detailed look at how Sweden has implemented NIS2 into national law and what that means for affected organizations, see our comprehensive guide to Sweden's Cybersecurity Act 2025.
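As an added illustration, not code from the original article or from Innovaiden, the following Python model records each vendor-framework cell as described above (status, criteria, gaps, owner) and surfaces the three finding categories plus the dual AI Act timeline; the vendor names, jurisdiction codes, and the watchlist are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FRAMEWORKS = ("NIS2", "DORA", "CRA", "CSA2", "AI_ACT")
# Both high-risk AI dates stay live until trilogue on the Digital Omnibus concludes.
AI_HIGH_RISK_DEADLINES = ("2026-08-02", "2027-12-02")


@dataclass
class Cell:
    """One vendor x framework intersection as the matrix records it."""
    status: str          # compliant | gap | not_assessed
    criteria: str = ""   # criteria used for the assessment
    gaps: str = ""       # gaps identified
    owner: str = ""      # remediation owner


@dataclass
class Vendor:
    name: str
    infra_layer: bool                    # cloud, IAM, network equipment, MSSP ...
    hard_to_replace: bool
    jurisdiction: str                    # controlling jurisdiction (constructed codes)
    cells: Dict[str, Cell] = field(default_factory=dict)
    ai_role: Optional[str] = None        # provider | deployer | importer | distributor
    ai_risk_class: Optional[str] = None  # prohibited | high | limited | minimal

    def status(self, fw: str) -> str:
        return self.cells[fw].status if fw in self.cells else "not_assessed"


def conflicting_status(v: Vendor) -> bool:
    """Finding 1: compliant under one framework, open gap under another."""
    s = {v.status(fw) for fw in FRAMEWORKS}
    return "compliant" in s and "gap" in s


def concentration_risk(v: Vendor) -> List[str]:
    """Finding 2: hard-to-replace infrastructure vendor whose failure or restriction
    would trigger obligations under two or more frameworks at once."""
    if not (v.infra_layer and v.hard_to_replace):
        return []
    in_scope = [fw for fw in FRAMEWORKS if fw in v.cells]
    return in_scope if len(in_scope) >= 2 else []


def jurisdictional_exposure(v: Vendor, watchlist: set) -> bool:
    """Finding 3: controlled from a jurisdiction on your own (hypothetical) watchlist."""
    return v.jurisdiction in watchlist


def ai_deadlines(v: Vendor) -> tuple:
    """High-risk AI systems must plan for both timelines, not one."""
    return AI_HIGH_RISK_DEADLINES if v.ai_risk_class == "high" else ()


def analyse(vendors: List[Vendor], watchlist: set) -> Dict[str, dict]:
    """The cross-framework findings that isolated compliance programs miss."""
    return {v.name: {
        "conflicting": conflicting_status(v),
        "concentration": concentration_risk(v),
        "jurisdictional": jurisdictional_exposure(v, watchlist),
        "ai_deadlines": ai_deadlines(v),
        "unassessed": [fw for fw in FRAMEWORKS if v.status(fw) == "not_assessed"],
    } for v in vendors}


# Constructed sample matrix; vendor names and jurisdiction codes are illustrative.
SAMPLE = [
    Vendor("CloudCo", True, True, "XX", {
        "NIS2": Cell("compliant"), "DORA": Cell("compliant"), "CRA": Cell("compliant"),
        "CSA2": Cell("gap", gaps="supplier origin not assessed", owner="procurement"),
        "AI_ACT": Cell("compliant")}, ai_role="provider", ai_risk_class="high"),
    Vendor("HRBot", False, False, "SE", {"NIS2": Cell("compliant"),
        "AI_ACT": Cell("not_assessed")}, ai_role="deployer", ai_risk_class="high"),
]
WATCHLIST = {"XX"}  # hypothetical internal watchlist, not a Commission designation

if __name__ == "__main__":
    for name, finding in analyse(SAMPLE, WATCHLIST).items():
        print(name, finding)
```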

The full Intelligence Brief covers the complete four-framework comparison matrix, exposure matrix template with worked examples, remediation prioritization by maturity level, and the regulatory timeline with key compliance milestones.


Frequently Asked Questions

What are the five EU regulatory frameworks that converge on vendor risk?

NIS2 evaluates organizational supply chain due diligence and incident reporting. DORA evaluates ICT operational resilience for financial entities. The Cyber Resilience Act evaluates product security by design. The revised Cybersecurity Act (CSA2), proposed January 2026, evaluates non-technical risk including supplier jurisdiction, ownership, and government exposure. The EU AI Act evaluates AI system risk classification, transparency, and high-risk obligations on AI providers, deployers, and importers. Each applies different assessment criteria to the same vendor relationship.

What did the EU Digital Omnibus (Nov 2025) change about the AI Act timeline?

On 19 November 2025, the European Commission proposed the Digital Omnibus simplification package, which would defer the AI Act's high-risk obligations from 2 August 2026 to 2 December 2027. The proposal is in trilogue negotiation; vendors must now plan for two parallel enforcement scenarios — the original Aug 2026 deadline if the deferral stalls, or the Dec 2027 deadline if it passes. GPAI provisions that took effect 2 August 2025 are unaffected.

What is the revised Cybersecurity Act's non-technical risk assessment?

The revised CSA introduces a formal mechanism for the European Commission to evaluate whether an ICT supplier's country of origin, government influence exposure, or geopolitical alignment creates cybersecurity concerns. The Commission can designate suppliers as high-risk and require phase-out of already-deployed components within 36 months, with fines up to 7% of worldwide turnover.

Can a vendor pass one EU framework and fail another?

Yes. A cloud provider can satisfy NIS2 supply chain due diligence, meet DORA's critical third-party standards, and ship CRA-compliant products, yet still be designated as a high-risk supplier under the revised CSA because of where it is headquartered or who controls it. The frameworks assess structurally different dimensions: what a vendor does, what it makes, and who it is.

What is a regulatory exposure matrix and how does it help?

A regulatory exposure matrix maps critical vendors against all four frameworks plus jurisdictional risk in a single view. For each vendor-framework intersection, it documents assessment status, criteria used, gaps identified, and remediation owner. Most organizations running this exercise discover three to five vendors with cross-framework exposure they had not previously connected.

How do US trade tensions affect EU vendor compliance?

Section 301 investigations and tariff actions create a second layer of vendor exposure no cybersecurity framework currently captures. The revised CSA's non-technical risk criteria could functionally restrict US-origin suppliers from EU critical infrastructure, while US retaliatory measures could affect EU vendors in the American market. This bidirectional risk sits outside current compliance questionnaires.

Sources

  1. European Commission. Proposal for a regulation on cybersecurity requirements for products with digital elements (Cyber Resilience Act). ec.europa.eu. 2024.
  2. European Commission. Proposal for a revised Cybersecurity Act (CSA2), trusted ICT supply chain security framework. ec.europa.eu. 2026.
  3. European Parliament and Council. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). eur-lex.europa.eu. 2022.
  4. European Parliament and Council. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (NIS2). eur-lex.europa.eu. 2022.
  5. Swedish Government Offices. Cybersecurity Act (Lag om cybersäkerhet, SFS 2025:10). regeringen.se. 2025.
  6. USTR. Section 301 investigation announcements. ustr.gov. 2026.
  7. European Commission. Inception impact assessment for the revised Cybersecurity Act. ec.europa.eu. 2025.
  8. European Parliament and Council. Regulation (EU) 2024/1689 (EU AI Act). 2024.
  9. DLA Piper. The Digital AI Omnibus: Proposed deferral of high-risk AI obligations under the AI Act. November 2025.
  10. EU AI Act Implementation Timeline. 2026.