SaaS vendors and cybersecurity: are you NIS2 CRA DORA proofed?

2026 is a year of convergence for SaaS vendors' compliance with cyber risk management regulation: NIS2, CRA and DORA. Here is what you need to know, at the very least.

• The European NIS2 Directive (2022/2555) aims to "ensure a common high level of cybersecurity throughout the EU". It has not yet been transposed into French law, but it will be soon, on the basis of the "Bill on the resilience of critical infrastructures and the strengthening of cybersecurity" (NOR: PRMD2412608L/Bleue‑1), somewhat forgotten since March 2025 following the ministerial upheavals we all know about.

The question that comes up frequently these days among SaaS vendors is: am I concerned?

Reading the directive, the answer is anything but obvious. The text, riddled with cross‑references, is repulsive in its approach and thwarts any reasonable attempt to extract a decision tree from it. At least one that looks like an oak tree rather than a weeping willow.

Fortunately, the draft law sheds some light on this and allows us to summarize things as follows: companies operating in "highly critical sectors" or "other critical sectors" are subject to NIS2, depending either on criteria related to their workforce and turnover (general case) or on their nature (e.g. trust service providers or domain name providers).

The lists of highly critical, and otherwise critical, sectors are included in Annexes 1 and 2 of the NIS2 Directive.

Among the highly critical sectors is the provision of "cloud computing services", which should be understood in all possible forms according to recital 33 of the NIS Directive: "Cloud computing service models include, among others, infrastructure services (IaaS), platform services (PaaS), software as a service (SaaS) and network services (NaaS)".

So, if you are a service provider in SaaS mode, you are potentially concerned as soon as you can be considered an "essential entity" or a "significant entity", i.e., in the general case:

Essential entity (art. 8 of the draft law) = highly critical sector (Annex I of the Directive) AND (at least 250 employees OR turnover of more than €50 million and annual balance sheet of more than €43 million)

Significant entity (art. 9 of the draft law) = highly critical or critical sector (Annexes I and II of the Directive) AND (at least 50 employees OR turnover and annual balance sheet of more than €10 million)

This implies that a very large number of SMEs providing SaaS services, regardless of the nature of those services, are affected by NIS2, which they may not have seen coming. They must now take it seriously, since compliance with NIS2, subject to the forthcoming French texts, is due to take place in 2026.

• SaaS vendors may also be affected by the CRA, Regulation 2024/2847 of 23 October 2024 "on horizontal cybersecurity requirements for products with digital elements".

The question of whether or not SaaS vendors are affected by the CRA is the subject of recital 33 of that regulation: "Cloud solutions shall constitute remote data processing solutions within the meaning of this Regulation only if they meet the definition set out in that Regulation. For example, cloud functionalities provided by a manufacturer of smart home devices that allow users to control the device remotely fall within the scope of this Regulation. Conversely, websites that do not support the functionality of a product with digital elements or cloud services that are not designed and developed under the responsibility of the manufacturer of a product with digital elements do not fall within the scope of this Regulation."

In plain language (!), this seems to mean that as long as the service is 100% online, with no component installed at the customer's site, it is not subject to the CRA. It is subject to it, however, when another remotely accessible component is involved in the service. Frankly, this still seems very obscure to us, and we recommend reading a very informative blog post on the subject, "EU Cyber Resilience Act (CRA): what you need to know".

The CRA comes into force in stages, between September 2026 (notification obligations) and December 2027.

• Finally, as soon as a SaaS vendor provides its services to a company in the financial sector, it falls within the scope of DORA, Regulation 2022/2554 of 14 December 2022 on the digital operational resilience of the financial sector.

The vendor must therefore conclude a contract with its client containing the minimum information relating to its services (listed in Art. 30.2 of the Regulation), plus additional obligations if the service supports a critical or important function.

The definition of a "critical or important function" is given in Article 3(22) of the DORA Regulation: "a function the disruption of which is likely to materially impair the financial performance of a financial entity, or the soundness or continuity of its services and business, or an interruption, anomaly or failure in the performance of which is likely to materially impair the ability of a financial entity to comply on an ongoing basis with the conditions and obligations of its authorisation, or its other obligations under the applicable provisions of financial services law".

If the service is in the "critical or important" category, then reference should be made to the DORA Delegated Regulation 2025/532 of 24 March 2025, which provides clarification on the requirements applicable to the outsourcing of ICT services supporting critical or important functions, or significant parts thereof.

The DORA Regulation has been applicable since 17 January 2025.