NIS2 & CRA: What companies need to know now

The IT security world remains exciting! With the new NIS2 directive and the Cyber Resilience Act (CRA), companies are facing important changes. Those who prepare now will save themselves stress and potentially high costs later. Here is a detailed overview.

NIS2: An update for more security

The NIS2 directive is intended to help companies improve their IT security standards. It was originally due to come into force by March 2025, but delays suggest that it is more likely to be the end of 2025 or even 2026. Nevertheless, waiting is not a strategy. Getting to grips with the new requirements early on will help to avoid time pressure and unexpected costs.

What does NIS2 mean in concrete terms?

Improved cyber hygiene: Companies must ensure that basic IT security standards are adhered to in order to protect themselves against attacks.
Stronger security processes: Binding specifications for risk management and response plans in the event of security incidents are being introduced.
Supply chain control: responsibility for the security of IT service providers and suppliers is becoming increasingly relevant.

Companies with more than 50 employees or a turnover of more than 10 million euros should pay particular attention to this topic. IT security affects not only the company itself, but also partners and service providers. Being unprepared can result in high penalties.

Cyber Resilience Act: More security for digital products

The CRA has been in force since December 2024 and brings new requirements for networked products. From 2027, manufacturers must ensure that their software and hardware meet the highest security standards from the outset.

The most important aspects:

Security by Design: IT security must already be taken into account during the development of a product. Vulnerabilities should be avoided from the outset.
Security by default: Devices and software must be configured securely by default. Users should not have to activate security options themselves first.
Documentation (SBOM): A detailed list of all software components used (software bill of materials) must be created to ensure transparency and security control.
Reporting obligation: Manufacturers are obliged to report any security vulnerabilities discovered to the relevant authorities as quickly as possible.

These requirements are not mere bureaucracy, but a real benefit for IT security in Europe. Companies that manufacture IoT and connected products in particular should get to grips with the new requirements early on.

Why acting now is important

Compliance with NIS2 and CRA is not optional. Late implementation can not only increase security risks, but also result in high penalties. However, with early and structured preparation, implementation can be easily mastered.

Practical tips for preparation:

Review and adapt IT security strategy:** Existing processes should be regularly reviewed and optimised.
Establish asset management:** A detailed overview of IT systems and networks is essential for effective security measures.
Sensitise employees:** Training and awareness programmes help to strengthen IT security in the long term.
Review supplier and service provider obligations:** Security requirements should be integrated into contracts and audits.
Conduct regular security checks:** Tests and audits help to identify and rectify vulnerabilities at an early stage.

Conclusion: Take action now!

NIS2 and CRA are coming, and companies should not put them on the back burner. Addressing compliance and IT security at an early stage minimises risks, increases competitiveness and strengthens the trust of customers and partners.

Now is the right time to review processes, optimise IT security and prepare strategically for the new regulations. This will keep a company secure and well positioned for the future.