As the EU tightens its cybersecurity requirements, application security is front and center. Let’s take a look at some of the common threads across the three main regulations — and what they mean in practical terms for AppSec practitioners.
European Union cybersecurity regulations, standards, and frameworks underline the systemic risks posed by IT systems, and the software applications that run on them. Each has its own specific requirements and/or frame of reference, but all are governed by a common thread: Prioritizing digital resilience over specific vulnerabilities.
For cybersecurity teams, the upshot has been a shift in addressing the long-standing challenge of establishing cybersecurity as a strategic, operational, and financially impactful practice across all aspects of the business. As the different regulations come into force, proof of compliance is likely to become a prerequisite for doing business with partners and customers.
So how can AppSec practitioners make sense of it all — without having to call in the lawyers? The regulations that have the most impact on security and AppSec teams are DORA, CRA, and NIS2. Fortunately, there’s a lot of overlap, and some headline approaches and themes emerge. Before we get into the practicalities, it’s no harm to take a brief tour of what each entails, and why they’re relevant to application security.
DORA: The Digital Operational Resilience Act
What it is: Effective since January 17, 2025, DORA focuses on cybersecurity and operational resilience for the financial sector. “Financial sector” in this case includes everything from banks to investment organizations and crypto assets. Breaches will incur fines of up to 2% of annual global turnover.
Why it matters to AppSec teams: Among other things, DORA’s emphasis on secure coding practices (it’s mandatory), vulnerability management, and third-party risk management means that AppSec will play a pivotal role in compliance.
CRA: The Cyber Resilience Act
What it is: Adopted in October 2024, the EU’s CRA introduced common cybersecurity standards for all products with digital components – hardware and software. The Act mandates cyber risk assessments before entering the market; documentation must be maintained for ten years.
Why it matters to AppSec teams: With its emphasis on security by design principles, specific mention of applications, software supply chain security, and vulnerability management, the CRA has significant resonance with best practices in application security. Compliance with the CRA – and receiving the accompanying ‘CE mark’ – will bring an additional layer of credibility and security to your organization’s products.
NIS2: Network and Information Systems Directive 2
What it is: NIS is focused on harmonizing cybersecurity regulations across EU member states, with the goal of boosting collective resilience. This second iteration of the Directive is broader in scope – and introduces more stringent obligations. Critical infrastructure and digital services, including cloud and search engines, have been added.
Why it matters to AppSec teams: NIS2 came into effect in October 2024 and now mandates comprehensive risk management for all connected systems and applications. Organizations must also establish processes for detecting, managing, and reporting cybersecurity incidents. “Security by design”, vulnerability management, and supply chain security feature heavily.
Noticing a pattern?
The good news for AppSec teams is that there’s a lot of overlap in the legislation. Even better news: Most of what’s mandated already constitutes best practice for security practitioners. You already know the deal — but now you have a compliance framework to back it all up when you’re making your case for better cybersecurity practices across your organization.
Let’s take a look at some of the biggest areas of overlap across the regulations.
EU Cybersecurity Regulations — What they Mean for AppSec
In practical terms, security and AppSec practitioners will see a lot of obligations, frameworks, and guidelines that resonate with their day-to-day goals: Supply chain security, secure development practices, testing…
Between them, the CRA, DORA, and NIS2 enforce higher security standards across software (and hardware) applications. For any business developing or deploying applications in the EU – and in today’s business environment, this covers everything from baby monitors to barbecues – the bottom line is that compliance is less of an option and more of a legal requirement.
Here are some of the elements that specifically impact application security teams.
Secure by Design, by Default
If there’s one overarching takeaway from each of these regulations, it’s the principle of Secure by Design. It’s mandated by CRA and DORA. Application security practitioners will recognize the drill, but we can break it into five key areas:
1. Integrate Secure Development Practices
Whether it’s mandated (CRA, DORA), or “encouraged” (NIS2), security should be integrated from the design phase, at every stage of the software development lifecycle (SDLC). This covers everything from vulnerability detection and mitigation, to developing and enforcing security policies and processes at every stage. For AppSec teams working under NIS2, both web and cloud-based applications come in for specific attention and controls, including possible security audits. All three call for some aspect of secure development, including:
- Secure by Design software development practices (CRA, DORA, NIS2).
- Secure coding practices and vulnerability mitigation throughout the SDLC (CRA, DORA, NIS2).
- Implementation of “policies, tools, and procedures” tailored to securing assets, including applications (CRA, DORA, NIS2).
2. Continuous Risk and Vulnerability Management
Each of the EU regulations carries comprehensive requirements around monitoring, detecting, and mitigating software vulnerabilities throughout the product life cycle. Regular vulnerability assessments, pen testing, remediation, and monitoring of software weaknesses all feature heavily. That matters particularly under the CRA, which mandates reporting of actively exploited vulnerabilities to ENISA (the European Union Agency for Cybersecurity) within 24 hours of discovery. However you slice it, continuous risk and vulnerability management is central, including:
- Continuous monitoring and mandated timely remediation of weaknesses (CRA).
- Enforcing compliance with vulnerability evaluations and checks (DORA).
- Adoption of Coordinated Vulnerability Disclosure (CVD) with Bug Bounty Programs (NIS2).
3. Enhanced Software Supply Chain Security
Supply chain security and third-party risk come in for special attention in all three pieces of legislation. For good reason: The interconnections between software components create a complex supply chain in which a single vulnerability can be exploited, triggering compromises that spread far and wide. This expanded attack surface offers cyberattackers a “one effort to mug the whole crowd” opportunity. Which is why each of the regulations calls for some variation of:
- Regular assessment of third-party providers’ risk management practices (DORA).
- Generation and maintenance of a Software Bill of Materials, with continuous monitoring of dependencies (CRA).
- Comprehensive risk assessments that explicitly include third-party and supplier risks (NIS2).
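As an added illustration of the SBOM-and-dependency-monitoring obligation described above (this is example code written for this article, not code from the original post or from OX Security), the script below parses a CycloneDX-style SBOM and cross-references each component against an advisory list. The SBOM document, the package names, and the advisory identifiers are all constructed placeholders; a real pipeline would take the SBOM from the build system and the advisories from a vulnerability database. It also flags components with no recorded version, since those can never be matched against an advisory and therefore leave a gap in continuous monitoring.

```python
"""Minimal SBOM dependency check: added example, not the original post's
or OX Security's code.

Assumptions: the SBOM is CycloneDX 1.x JSON (only the `components` list is
used) and the advisory feed is a constructed in-memory list with placeholder
identifiers.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample SBOM (CycloneDX-shaped, fictitious package names).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-yaml", "version": "5.1",
         "purl": "pkg:pypi/example-yaml@5.1"},
        # Deliberately missing a version to show the "unversioned" finding.
        {"type": "library", "name": "example-crypto",
         "purl": "pkg:pypi/example-crypto"},
    ],
})

# Constructed advisory list with placeholder identifiers (not real CVEs).
SAMPLE_ADVISORIES = [
    {"name": "example-yaml", "affected": {"5.1", "5.2"},
     "id": "ADVISORY-PLACEHOLDER-1"},
    {"name": "example-http", "affected": {"1.0"},
     "id": "ADVISORY-PLACEHOLDER-2"},
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: Optional[str]
    kind: str        # "vulnerable" or "unversioned"
    detail: str      # advisory id, or an explanation for unversioned entries


def load_components(sbom_json: str) -> list:
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return doc.get("components", [])


def check_sbom(sbom_json: str, advisories: list) -> list:
    """Cross-reference every SBOM component against the advisory list.

    A component without a version cannot be matched against any advisory,
    so it is reported as a monitoring gap rather than silently skipped.
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings = []
    for comp in load_components(sbom_json):
        name = comp.get("name")
        version = comp.get("version")
        if version is None:
            findings.append(Finding(name, None, "unversioned",
                                    "no version recorded; advisory matching impossible"))
            continue
        for adv in by_name.get(name, []):
            if version in adv["affected"]:
                findings.append(Finding(name, version, "vulnerable", adv["id"]))
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{f.kind:12} {f.component}@{f.version}  {f.detail}")
```

Run against the constructed SBOM, the check reports example-yaml 5.1 as matching the placeholder advisory and example-crypto as unversioned, while example-http 2.3.1 is clean. Re-running the same check whenever the SBOM or the advisory feed changes is the "continuous monitoring of dependencies" the CRA asks for.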
4. Comprehensive Testing and Monitoring
Security and AppSec teams are no strangers to the concept of testing early and often. No surprise, then, that the EU cybersecurity regulations underscore the importance of application security testing:
- Automatic security updates for timely detection, mitigation and/or patching of software vulnerabilities (CRA mandates automated updates, DORA and NIS2 include them).
- Threat-led penetration testing, along with techniques including attack simulation (DORA).
- Continuous monitoring and remediation to enhance resilience (CRA, DORA, NIS2).
5. Rigorous Incident Response and Reporting
Early detection and mitigation are cornerstones of secure application development. Timely reporting helps ensure that lessons are learned, and insights gained — building both secure coding practices and improving patch management and prioritization. All three of the EU cybersecurity regulations we’re exploring require rapid incident notification (as little as 24 hours for the CRA), detailed documentation and post-incident analysis, and well-documented procedures. They also have their own unique aspects:
- Notification of active exploits to ENISA within 24 hours of discovery (CRA).
- Integration of incident reporting into a broader framework, including threat-led penetration testing (DORA).
- Multi-step reporting for significant incidents, with mandated data sharing for cross-border cooperation and mitigation (NIS2).
Building Resilience and Compliance with OX Security’s ASPM Platform
From an application security perspective, each of the EU regulations we’ve explored represents an opportunity to drive best practices, while underlining the strategic importance of cybersecurity to the overall business. Compliance not only supports a proactive approach to cybersecurity, but also builds customer trust. Added bonus: The emergence of clear rules, guidelines, and frameworks improves everyone’s security posture, and helps improve collaboration across developer, security, and AppSec teams.
The OX ASPM platform helps bring all of the threads together, supporting the application security testing and software supply chain security processes that underpin strategic, risk-based cybersecurity approaches. OX’s unique platform and toolset effectively reduce the amount and severity of application-related risk by systematically identifying all software in your estate, and its security posture – allowing for deep analysis of application-related risk, and providing a way for organizations to prioritize and remediate vulnerabilities.
ASPM achieves these goals through correlation and automation, which reduces the time and effort needed to understand application or software security posture, and improves the accuracy of that picture. A robust ASPM solution like OX Security allows organizations to comply with CRA, DORA, and NIS2 by helping them to see everything, focus on what matters, and mitigate risk at scale.