The article examines the effectiveness of recent European Union cybersecurity regulations, particularly the Cyber Resilience Act (CRA) and the revised NIS 2 Directive. While these frameworks aim to improve cyber resilience across critical sectors, their real-world impact remains uncertain, as member states are still in the process of implementing them. The author highlights how national-level interpretations vary widely—some countries favor prescriptive rules, while others adopt a more risk-based approach—making the EU a kind of regulatory testing ground.

The piece argues that the success of these regulations should be judged not by compliance rates or the number of audits conducted, but by actual reductions in the consequences of cyber incidents. Suggested outcome-based metrics include service downtime and incident-related disruptions normalized by population. The key takeaway is that while regulation sets the foundation, continuous measurement, comparison, and adaptation will be essential to determine what truly improves cybersecurity resilience across the EU.

‍

Source: https://dale-peterson.com/2025/07/16/is-eu-cybersecurity-regulation-effective/