Top Resources for Business Resilience
This is not a blog.
This is where the questions people actually ask about EU digital regulation get answered, with the primary text cited and the regulatory layers kept distinct. Each tile answers one question.
Where the answer stops being general and starts depending on your product, that is where an engagement begins.
Assess
Find out which obligations apply to you, in minutes.
Which EU digital laws apply to my business?
Does my organisation fall under NIS2?
It depends on what you build, sell, and process, not on your sector alone. Most EU-active tech companies fall under several regimes at once. This 5-minute assessment identifies which of the major regulations reach you and where they overlap.
NIS2 applies by entity type and size, not by choice. This 3-minute check places you as an essential entity, an important entity, or out of scope, and shows the reporting line that follows.
Does the Cyber Resilience Act apply to my product?
The CRA applies to products with digital elements made available on the EU market. Whether it reaches you, and in which role (manufacturer, importer, distributor, open-source steward), decides which duties you carry. Reporting obligations begin on 11 September 2026, full requirements on 11 December 2027.
How mature is my vulnerability coordination governance?
Maturity here is not a policy on a shelf; it is whether intake, triage, handling, and disclosure actually work under pressure. This self-assessment scores where you stand against the CRA’s vulnerability-handling requirements.
Implement
The questions worth getting right before you start.
Which EU regulations apply to my business?
It turns on what you build, sell, and process. Most companies carry several regimes at once (GDPR, NIS2, CRA, DSA, AI Act, DORA), with overlapping but distinct duties. This overview maps which laws reach which business types, with deadlines and dependencies.
Where do I start with NIS2 compliance?
Start by confirming whether you are an essential or important entity, then map your measures and reporting against Articles 21 and 23. The starter guide gives the checklist and the order to do it in.
What does the CRA require for my products?
The CRA sets essential requirements (Annex I Part I), vulnerability-handling requirements (Annex I Part II), and event-triggered reporting (Article 14). These do not start together: reporting applies from 11 September 2026, the rest from 11 December 2027. The guide separates what you must do, by when, in which role.
Do I have to set up coordinated vulnerability disclosure (CVD)?
A working CVD needs a published intake channel, a triage and handling process, and stated timelines, aligned with ISO/IEC 29147 and 30111. Under the CRA this moves from good practice to a documented requirement (Annex I Part II, from 11 December 2027). The quick-start covers the intake channel and a maturity self-check.
Which policies and procedures do the regulations actually require?
Fewer documents than most vendors imply, and different ones. The CRA is largely a process-and-evidence obligation (vulnerability handling, SBOM, secure-by-design records); NIS2 asks for risk-management measures, not a template pack. This guidance shows which artefacts each regime genuinely expects.
Which deadlines apply across EU tech regulation, and which one hits first?
Enough of them now run in parallel that the real question is sequencing, not any single date. NIS2 has applied since October 2024 with transposition still uneven; the CRA is phased through to December 2027; the AI Act, DORA, DSA and others each carry their own staggered milestones. What matters is which one reaches you first, given what you build and where you operate.
Go deeper
How each obligation works once you get into the text.
What security measures does NIS2 require?
Article 21 sets the baseline: risk analysis, incident handling, business continuity, supply chain security, and more, all proportionate to the entity’s exposure. The NIS2 Navigator breaks each measure down with roadmaps and governance templates.
How fast must incidents be reported under NIS2?
An early warning within 24 hours, a notification within 72 hours, and a final report within one month (Article 23). The NIS2 Navigator sets out what each stage must contain.
How do I get mid-management ready for NIS2?
Readiness fails at the middle layer more often than at the top. This training targets the managers who own the processes NIS2 touches, in language they can act on.
How do boards and executives meet their regulatory duties?
Personal accountability at the management body level is spreading across EU digital regulation, not confined to a single text. NIS2 made it explicit that management bodies are liable for approving and overseeing cybersecurity risk measures (Article 20), and the pattern is widening as newer regimes land. Board and C-suite briefings translate that exposure into decisions leadership can defend.
How do my products meet CRA essential requirements and CE marking?
CE marking is the visible outcome of a conformity route, not a claim you make. Behind it sit the risk assessment, vulnerability handling, technical documentation, and declaration of conformity. Product classification decides which route applies.
How do I improve vulnerability management approaches?
Beyond a disclosure policy: coordination, response governance, and executive oversight, assessed against a maturity model rather than a checklist. The evaluation scores where you stand and what moves the needle first.
Stay Ahead
Navigate the landscape, and act before it hardens.
What applies to me now, and what's coming next?
Scope is not static; new acts and guidance keep shifting it. The RegNavigator tracks which EU tech policy regimes reach your profile and what is moving toward you, so the landscape stays legible as it changes.
How is EU tech regulation actually moving?
The direction of travel matters as much as today’s text. La tech est politique reads the power relations beneath the neutral, technical framing of EU digital policy, so you can see what is really at stake, not only what is announced.
Can I influence a regulation before it is final?
Yes, while it is still being drafted, which is the only point at which the text can still change. RS Strategy works inside EU policy processes rather than reading them afterwards, on questions that have not yet become obligations.
Can you bring the regulatory read to my board or team?
Yes. Tailored sessions for a specific audience (board, management, product teams) on the regulation that actually touches their decisions, pitched to what that audience needs to do with it.
How do I keep executives informed about critical regulatory developments?
Subscribe them to La tech est politique. The strategic read it delivers is the intelligence a board actually needs: the developments that change decisions, and why, without you writing the brief yourself.
What regulatory support fits my specific business requirements?
If your profile needs something more specific than the tools above, custom regulatory support can be scoped to your sector, products, and exposure.