The directive targets firewalls, routers, and VPNs that are no longer receiving vendor patches, as nation-state actors shift their tactics from endpoints to infrastructure.