Overview of Regulatory Bodies and Frameworks
The EU software compliance landscape involves multiple institutions operating at different levels — from the European Commission drafting legislation to national market surveillance authorities enforcing it. Understanding who does what, and how the different frameworks interact, is essential for building a compliance strategy that holds up in practice.
The Legislative Layer: European Commission and Parliament
The European Commission proposes legislation and oversees its implementation. The digital product regulations that define today’s compliance obligations — the CRA, the AI Act, the PLD — were all developed and adopted through the Commission’s legislative process. The Commission also issues implementing regulations, delegated acts, and guidance that fill in technical details not specified in the primary legislation. In January 2026, the Commission proposed targeted amendments to the NIS2 Directive aimed at simplifying compliance for smaller organisations — demonstrating that the legislative framework continues to be actively developed.
The European Parliament and Council of the EU adopt legislation and have the power to amend Commission proposals. Both institutions have been actively engaged in shaping the digital product regulatory framework, particularly around the AI Act and the CRA.
The Enforcement Layer: ENISA and National Authorities
ENISA, the EU Agency for Cybersecurity, is the central technical authority for cybersecurity across the EU. Its role under the current regulatory framework is substantial:
- Under the CRA, manufacturers must report actively exploited vulnerabilities to ENISA and national CSIRTs within 24 hours of discovery — a requirement that becomes mandatory from September 2026.
- ENISA operates the European Vulnerability Database (EUVD), launched in May 2025, which serves as the centralised platform for vulnerability information across the EU.
- ENISA publishes detailed technical guidance that translates legislative requirements into implementable security measures — including its extensive NIS2 implementation guidance, which maps requirements to internationally recognised standards including ISO 27001.
- ENISA co-hosts the annual Cybersecurity Standardisation Conference alongside CEN, CENELEC, and ETSI. The 10th edition, held in Brussels in March 2026, focused on the state of CRA standards development and the interplay between the CRA, NIS2, DORA, and eIDAS.
National Market Surveillance Authorities (MSAs) are responsible for enforcing EU product regulations within their member states. Under the CRA, MSAs have the power to require manufacturers to bring non-compliant products into conformity, restrict or prohibit products from the market, and impose financial penalties. The specific authority varies by member state, but the enforcement architecture is harmonised across the EU.
The EU AI Office, established within the European Commission, oversees the implementation of the AI Act at EU level — particularly for general-purpose AI models. National competent authorities handle enforcement for most AI applications within their jurisdictions.
The Standards Layer: CEN, CENELEC, and ETSI
Harmonised European standards are the practical mechanism through which legislative requirements become implementable. Following a harmonised standard creates a legal presumption of conformity — meaning manufacturers who implement the relevant standards correctly can demonstrate compliance without commissioning a separate legal analysis of every requirement.
CEN (European Committee for Standardisation) and CENELEC (European Committee for Electrotechnical Standardisation) develop standards for products and electrotechnical systems respectively. Both are actively developing CRA-specific standards under the mandate issued by the European Commission.
ETSI (European Telecommunications Standards Institute) develops standards for telecommunications and related digital infrastructure. ETSI has been particularly active in cybersecurity standardisation, with existing standards (including EN 303 645 for consumer IoT) providing a reference point for CRA compliance.
The current CRA standards pipeline includes three categories:
- Type A — core cybersecurity principles applying to all products with digital elements. Expected by August 2026.
- Type B — horizontal standards covering product-agnostic cybersecurity requirements and vulnerability handling. The vulnerability handling standard is expected by August 2026; the broader requirements standard by October 2027.
- Type C — vertical standards for specific product categories. Expected by October 2026.
The Conformity Assessment Layer: CABs and Notified Bodies
For products requiring third-party conformity assessment — Important Products (Class I and II) and Critical Products under the CRA, and High-Risk AI systems under the AI Act — the assessment must be conducted by an accredited Conformity Assessment Body (CAB), also referred to as a Notified Body when formally designated under a specific regulation.
CABs are accredited by national accreditation bodies (in Malta, this is the Malta Competition and Consumer Affairs Authority, MCCAA). They conduct the technical assessment that underpins the CE marking declaration for products that cannot self-certify. The availability of accredited CABs is a practical constraint on the market — as compliance deadlines approach, demand for CAB services is increasing faster than accredited capacity.
The Key Regulatory Frameworks
Cyber Resilience Act (CRA) — Regulation (EU) 2024/2847
Mandatory cybersecurity requirements for all products with digital elements. Covers security by design, vulnerability management, incident reporting, and CE marking. Vulnerability reporting active from September 2026; full application from December 2027.
AI Act — Regulation (EU) 2024/1689
Risk-based framework for AI systems. Prohibited practices enforceable from February 2025; GPAI model obligations from August 2025; full application for most operators from August 2026. High-risk AI embedded in regulated products has an extended transition to August 2027.
Product Liability Directive (PLD) — Directive 2024/2853
Extends strict product liability to software and digital products. Removes historic exemptions that protected software manufacturers. Takes effect December 2026.
NIS2 Directive — Directive 2022/2555
Cybersecurity risk management and incident reporting obligations for operators of essential and important entities across 18 critical sectors. Already in force; implementation varies by member state. The Commission proposed simplifying amendments in January 2026.
How the Frameworks Interact
These regulations are designed to be complementary but their interaction creates compliance complexity. The CRA and PLD explicitly reference each other — non-compliance with CRA requirements can constitute a product defect under the PLD, creating direct liability exposure. NIS2 and the CRA both require vulnerability management and incident reporting, with ENISA receiving reports under both regimes. The AI Act interacts with the CRA for AI systems embedded in digital products.
Navigating this intersection — understanding which frameworks apply to a specific product, what each requires, and how to demonstrate compliance efficiently — is the practical challenge MVC is designed to solve.