24.07.2025

Digital Resilience Requires Clarity: Practical Cybersecurity Rules for Companies Needed

At a meeting of the KRITIS Competence Group – Regulatory Affairs of the eco Association of the Internet Industry in July, industry and legal experts discussed the regulatory challenges surrounding NIS2, the Cybersecurity Act (CSA), the Cyber Resilience Act (CRA) and the E-Evidence Regulation. The event made it clear that companies urgently need more clarity, interoperability and relief provisions in European cybersecurity policy.

Four major areas of work for the digital economy

NIS2, the Cybersecurity Act (CSA), the Cyber Resilience Act (CRA) and the E-Evidence Regulation: these four key EU regulatory initiatives were the focus of a meeting of the KRITIS Competence Group – Regulatory Affairs of eco – Association of the Internet Industry.
In July, industry and legal experts came together to discuss the challenges and open questions surrounding the implementation of these projects. The tenor was clear: companies need more guidance, uniform reporting requirements, transparent certification procedures and practicable rules – small and medium-sized enterprises in particular are increasingly feeling overwhelmed.

Ulrich Plate, Leader of the KRITIS Competence Group at eco, criticised, among other things, problematic wording in the German draft for implementing the NIS2 Directive. He was particularly critical of planned exemptions and the omission of the term "cyber hygiene", which has been an important guiding concept for basic protection measures to date.

Charleen Roloff, Senior Policy Advisor at eco, called for a stronger and independent ENISA, a transparent, comprehensible certification regime and harmonised, practical reporting requirements. According to Roloff, the current patchwork of regulations is particularly overwhelming for SMEs, which have neither sufficient resources nor legal clarity.

Klaus Landefeld, Board Member for Infrastructure & Networks at eco, also expressed concern, particularly with regard to the E-Evidence Regulation. The current definition of cross-border activities is so vague that, in the worst case, even municipal utilities or smaller web shops could fall within its scope.

Thomas Pfützenreuter from Securance – iAP GmbH emphasised the increasing importance of documented evidence in certification procedures. Certification is no longer a voluntary option, but a basic requirement for market access. Companies that do not systematically document their processes and requirements could be forced out of the market in the medium term.

eco actively contributes positions – next steps in preparation

The eco Association is accompanying the ongoing consultations on the CSA reform and the implementation of NIS2 and E-Evidence with statements, expert contributions and dialogue formats. Another event on E-Evidence is planned for autumn 2025. Member companies receive tailored recommendations and materials to help them prepare for new regulatory requirements at an early stage.

For press enquiries or if you are interested in participating in the eco Competence Group KRITIS, please contact:

presse@eco.de
