Cybersecurity legislation for industrial companies
The path out of the jungle of EU cyber regulation

Cyber Resilience Act, NIS-2 and the CER Directive: the cybersecurity legal situation for industrial companies in Europe is diverse and confusing. Implementing the various regulatory requirements can, however, help companies defend successfully against cyber attacks. This is urgently necessary, because the number of cyber attacks is increasing. According to the techconsult study "Attack Detection in Critical Infrastructure Companies" from the beginning of 2023, 79 % of companies rate the current threat situation as growing or strongly growing. But who is affected by the regulations? What obligations arise from them? And what deadlines must industrial companies meet? Here is an overview of the most important cybersecurity laws in Europe.

1. Directive on Security of Network and Information Systems (NIS-2 Directive)

The NIS-2 Directive is an important part of the EU digital strategy "Shaping Europe's Digital Future" and the successor to the first NIS Directive, issued in 2016. Its aim is to ensure a high level of cybersecurity across Europe and thereby strengthen the single market. The directive entered into force on 16 January 2023. The EU member states must transpose its provisions into national legislation by 17 October 2024.

Affected economic sectors are divided into two categories: "essential" (sectors of high criticality) and "important" (other critical sectors). The former includes, for example, energy, transportation and traffic, financial markets, the health sector, digital infrastructure and public administration. Other critical sectors include postal and courier services, manufacturing, chemicals, and the production of medical devices, electronic equipment, machinery and means of transport. Exactly which companies within the defined sectors are affected is determined by the respective national legislation.

For industrial companies, NIS-2 brings new rules and thus new tasks. Companies must register with the responsible authorities and report cybersecurity incidents to them in a multi-stage process that follows clearly defined guidelines.

Companies must also implement active risk management and adhere to standards for network and system security, incident handling, crisis management, secure supply chains and asset management. The protection mechanisms and technologies used must be state of the art. Member states may additionally introduce a certification obligation to demonstrate compliance.

In Germany, NIS-2 is to be transposed into national law through the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). Like its predecessor, this is an omnibus act ("Artikelgesetz") that amends many existing laws in line with the directive. Critical infrastructure operators in Germany have already built a solid foundation as a result of the IT Security Act. Companies that have implemented an Information Security Management System (ISMS) and the necessary trustworthy cybersecurity technology are well positioned and can expect only minor adjustments.

[Image: The cybersecurity legal situation for industrial companies in Europe is diverse and confusing. (c) Getty Images]

2. EU Cyber Resilience Act – cyber security for connected products

The EU Cyber Resilience Act (CRA) is a draft law that aims to protect end consumers and companies from products that do not take cybersecurity sufficiently into account. To this end, the Act defines requirements for products with digital elements in terms of development, design and production, thus ensuring cybersecurity throughout the life cycle, including, for example, the provision of software updates. The security level of networked end products is to be raised in order to prevent cybercrime. The law is expected to come into force in 2023. After that, those affected will have twelve to 24 months to implement the new requirements.

Many manufacturers of hardware and software products are affected by the regulations. The requirements are graded according to the potential impact. Stricter rules are expected for products that affect larger economic areas, such as IoT and mobile devices or operating systems. For example, cybersecurity is to be taken into account as early as the production process or configuration ("security by design and default"), starting with the planning of a product and continuing into the operating phase and several years after the product is sold (up to five years). In addition, manufacturers must keep detailed documentation. The provision of software updates or patches and the active communication of security vulnerabilities and their elimination are another essential component of the regulation. Furthermore, clear and comprehensible operating instructions must be made available for affected products.

3. Directive on the Resilience of Critical Entities (CER Directive)

The EU CER Directive aims to strengthen the physical resilience of critical entities and thus to counter hybrid threats in particular. It replaces the old Directive 2008/114/EC and broadens its scope. The new rules oblige EU member states to identify critical entities and strengthen their resilience. The CER Directive entered into force on 16 January 2023. EU member states must transpose its provisions into national legislation by 17 October 2024.

Affected economic sectors are divided into the categories “essential” and “important” according to the Directive. A total of eleven sectors are included in the scope, some of which overlap with the NIS-2 Directive: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, space, and production, processing and distribution of food.

Companies must implement both organisational and technical security measures. These include a functioning risk management system to prevent business interruptions; a business continuity management system (BCMS) can be a suitable measure here. In addition, companies should be able to react adequately to security incidents and define an incident management plan accordingly. Security incidents must be reported to the responsible supervisory authorities, which can carry out their own inspections and audits and demand the implementation of appropriate measures.


Step by step to more security - this is what companies can do now

Industrial companies can prepare for the regulations in five steps:

  1. Check who is affected (product manufacturers, operators, integrators)
  2. Check which requirements apply
  3. Set up reporting processes, or adapt existing implementations for this purpose
  4. Establish security concepts and information security management (e.g. based on ISO/IEC 27001 or IEC 62443), including business continuity management
  5. Implement risk management in the defined area of application

Whether CRA, NIS-2 or the CER Directive: if companies do not comply with the regulations, the EU states can impose fines. In the case of the CRA, for example, these fines amount to up to 15 million euros or 2.5 percent of annual turnover. This makes a structured and holistic (cyber) security strategy all the more important. In addition to technical measures such as securing networks and devices, this also includes securing company processes and raising awareness of the issue among employees.

Contact:

Alexander Schlensog

Steffen Heyde


secuview is the online magazine of secunet, Germany's leading cybersecurity company. Here you will find news, trends, viewpoints and background information from the world of cybersecurity for public authorities and companies. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.


In addition to the online magazine, secuview is published twice a year as a journal, which you can subscribe to free of charge in printed form or download as a PDF.


© 2025 secunet Security Networks AG