Knowledge Base

EU compliance, explained

Practitioner-grade articles on CRA, NIS2, AI Act, DORA, RED. Written by NexCyber regulatory engineering. Open access — no gate, no sign-up required.

Fundamentals

4 articles

CRA 6 min

What is the Cyber Resilience Act (CRA) ?

A 6-minute explainer on the EU CRA : scope, obligations, enforcement timeline, max exposure, who is concerned.

★ NEXCYBER 5 min

SBOM vs Evidence vs MRCC — what's the difference ?

Three artifacts often confused. We clarify SBOM (technical inventory), Evidence (audit trail), MRCC (signed readiness certificate).

NIS2 8 min

NIS2 : essential entity vs important entity — how to know which you are

Article 3 + Annexes I/II decoded. Self-classification flowchart + impact on incident reporting deadlines + penalties.

AI Act 10 min

EU AI Act risk tiers — Prohibited / High-risk / Limited / Minimal

Article 5/6/50/52 risk classification with practical examples per industry. Includes systemic risk GPAI threshold.

Implementation

1 article

DORA 7 min

DORA Chapter V : ICT third-party risk management explained

Register of information, contractual requirements, ICT concentration risk thresholds. Practical guidance for ICT providers and financial entities.

Compliance Process

1 article

RED 6 min

RED cybersecurity requirements (in force 2025-08-01) — what changed

Delegated Regulation (EU) 2022/30 Articles 3.3.d/e/f decoded. EN 18031 harmonized standards series + CE marking implications.

Evidence & SBOM

1 article

★ NEXCYBER 9 min

The Evidence Trust Layer — how NexCyber proves compliance, not just claims it

Continuous evidence collection, integrity hashing, signed snapshots. Why an Evidence Trust Layer is the foundation of a verifiable MRCC.

Post-Launch

1 article

CRA 7 min

Post-launch compliance monitoring : continuous obligations don't stop at CE marking

Vulnerability handling (CRA Article 13), incident reporting (NIS2 Art. 23, DORA Art. 19), substantial modification triggers, MRCC re-issuance criteria.