In today’s rapidly evolving regulatory landscape, businesses face increasing cybersecurity obligations under a growing number of laws and regulations. These often-overlapping frameworks can easily create confusion, especially regarding requirements, timelines and their application to the security technologies you rely on.
To help our partners and customers navigate this complexity, we’ve compiled a clear overview of three key EU regulations shaping the future of cybersecurity and product compliance: the NIS2 Directive, the AI Act and the Cyber Resilience Act (CRA).
Below, you’ll find a summary of each regulation, what’s changing, and how Hikvision is responding to ensure our products meet the highest security, transparency and compliance standards.
What is the NIS2 Directive?
The NIS2 Directive strengthens the EU’s cybersecurity framework, replacing and building upon the 2016 NIS Directive (NIS1). Its primary goal is to strengthen collective cybersecurity across EU Member States in response to increased cyber threats. The Directive focuses on enhancing cybersecurity enforcement, fostering cooperation among cybersecurity authorities, securing supply chains, and establishing clearer incident reporting processes.
It applies to all companies, suppliers, and organizations, including non-EU entities, delivering essential or important services in the EU, such as operators in energy, transport, healthcare, digital infrastructure, public administration, as well as key digital services and manufacturers of critical products.
NIS2’s transposition into national law, due by October 2024, remains ongoing, and its practical implementation may vary across EU Member States. Operating and providing service throughout Europe from headquarters in the Netherlands, Hikvision will ensure strict adherence to all the legal requirements set forth by Dutch authorities and promptly complete the necessary registration procedures once the NIS2 Directive is formally implemented.
It is also important to note that NIS2 does not currently include an official certification scheme, and there is no “NIS2-compliant” product label.
Hikvision’s Approach
Hikvision goes beyond regulatory compliance and adheres to internationally recognized cybersecurity standards, including ISO 27001, ISO 27701, CSA STAR, ETSI EN 303 645, Common Criteria (CC) and the Cybersecurity Labeling Scheme (CLS).
Recently, Hikvision has also achieved IEC 62443-4, a standard for industrial network security, which supports secure product development practices that align with NIS2 requirements for risk management, cybersecurity by design and product security throughout the lifecycle.
To support industry understanding, we’ve released an updated Guide to the NIS2 Directive with insights into the main changes and requirements introduced by this regulatory framework.
What is the AI Act?
The EU AI Act is the world’s first comprehensive law regulating the development and use of Artificial Intelligence (AI). It is part of a broader framework designed to manage risks while promoting trustworthy AI. The legislation categorizes risk into four distinct levels with regulatory requirements increasing by level: Unacceptable Risk (prohibited), High Risk (subject to strict obligations), Limited Risk (transparency requirements) and Minimal Risk (mostly unregulated).
The AI Act took effect on August 1, 2024, but its implementation is gradual. Prohibitions for unacceptable risks have been in force since February 2, 2025, while the requirements for High-Risk AI systems are expected to come into effect on August 2, 2027.
In light of the EU’s ongoing focus on strengthening competitiveness, legislative efforts are underway to simplify parts of its technology regulation. This includes discussions on the AI Act, with some Member States and companies calling to pause the implementation timeline. Hikvision is monitoring these developments closely to ensure compliance with the evolving EU regulatory framework.
Hikvision’s Approach
Hikvision is continuously enhancing its compliance measures, grounded in the principle of “Tech for Good”, leveraging technology to improve societal well-being.
Hikvision is firmly committed to not developing any products that would be utilized for AI practices falling under the ‘Unacceptable Risk’ category, which are prohibited by the EU AI Act. We also require our clients and end-users to respect the same principles and refrain from applying Hikvision’s products in violation of the AI Act.
Hikvision is also actively reviewing its AI products and closely monitoring the upcoming technical requirements and compliance pathways, including High-Risk AI system certification processes.
What is the Cyber Resilience Act (CRA)?
The CRA introduces mandatory cybersecurity rules for all digital products sold in the EU – including video surveillance cameras, software and connected systems. The regulation focuses on:
- Embedding security throughout the product lifecycle
- Ensuring timely vulnerability reporting and incident handling
- Improving transparency and trust for end-users
The CRA also establishes rules and conditions for affixing the CE marking, indicating a product’s conformity assessment and compliance with the regulation's cybersecurity requirements.
While the CRA is already in force, key operational requirements apply gradually: manufacturers’ reporting obligations concerning actively exploited vulnerabilities apply from September 2026, with full application by the end of 2027.
Hikvision’s Approach
At Hikvision, we welcome this regulation and fully support its mission. We have actively contributed to the EU’s public consultation on the CRA and the corresponding consultation on the technical description, providing insights based on our expertise and experience to help shape realistic, effective and implementable cybersecurity requirements that protect end-users.
We adhere to rigorous global standards and certifications and have taken additional steps, including:
- Secure-by-Design development: We integrated security into every stage of the product lifecycle, including architecture design, vulnerability scanning and penetration testing.
- Responsible vulnerability management: Hikvision is a CVE Numbering Authority, and we ensure that vulnerabilities are patched quickly, transparently disclosed and communicated to partners and users.
- Customer-focused security support: We provide clear documentation, best-practice guides and security update notifications to help users configure and operate systems securely.
- Lifecycle protection: Our products are supported with regular security updates and ongoing testing throughout their operational life.
For more details, please visit our Cybersecurity Webpage