Europe’s Cyber Regulations Come into Force – and What It Means for US Companies

The EU has taken the lead in cybersecurity regulation, and the business impacts are already being felt worldwide. On this episode of Advancing Cyber, Cristin Flynn Goodwin is joined by Chris Hale, Senior Director for Cyber and National Security Law at Cisco, and Emily Lemaire, Financial Services Regulatory Lawyer at Covington & Burling, to unpack Europe’s leading cybersecurity regulations – the Digital Operational Resilience Act (DORA), Network Information Systems Directive (NIS) 2.0, and the Cyber Resilience Act (CRA), all of which have passed milestone dates in the past 4 months. Together, they explore how these landmark regulations are reshaping the global security landscape and causing companies—especially those in the U.S.—to think about their approach to compliance and resilience. 

DORA’s 4-hour incident reporting rule, NIS 2.0’s expanded scope, and CRA’s product-focused requirements impact how organizations manage cybersecurity and operational risk. Cristin, Chris, and Emily delve into the profound implications of these laws: whether short reporting timeframes increase risk, whether disclosures of newly detected exploitation of vulnerabilities amplifies risks, and whether the potential for billion-dollar penalties drives more effective compliance.  

The discussion doesn’t just stop at the rules. They tackle the deeper questions: Can the U.S. maintain its best-practice approach in a world where compliance is increasingly driven by law?  How will companies balance compliance obligations and business needs now that regulations include model contractual clauses?

This episode is essential listening for cybersecurity, legal, and policy experts navigating a world where the EU is rewriting the playbook—and daring the rest of the world to follow.