The new EU regulations drastically tighten the requirements for companies. Find out which measures you must implement now to minimize cyber risks and avoid penalties.

The European Union is intensifying its efforts to increase cyber security and protect critical infrastructures with two key legal acts: the NIS2 Directive (Network and Information Security Directive 2) and the Cyber Resilience Act (CRA). While NIS2 tightens regulatory requirements for companies and organizations regarding cybersecurity, the CRA aims to ensure security requirements for digital products throughout their entire lifecycle.
The NIS2 Directive presents clear and strict requirements to companies, particularly with regard to risk management, reporting obligations and management responsibilities.
The NIS2 Directive applies to a wide range of critical and important companies, including:
✔ Energy suppliers and water management
✔ Health and financial sectors
✔ Digital infrastructures and IT service providers
✔ Logistics, transport and production companies
✔ Public administration and research institutions
Companies must implement robust risk management measures to minimize cyber threats. The key requirements:
- Risk management & governance: Companies must implement structured cyber risk management processes, and security risks must be assessed on an ongoing basis.
- Crisis management & business continuity: Emergency plans to keep business operations running in the event of cyber attacks are mandatory, as are regular tests and simulations of those plans.
- Access management & authentication: Companies must introduce strict access restrictions and multi-factor authentication (MFA) so that critical systems are only accessible to authorized persons.
- Encryption & data protection: Sensitive data must be secured with current encryption technologies.
- Incident response & reporting obligations: Companies must have a cyber emergency strategy, and security incidents are subject to a reporting obligation.
While NIS2 focuses on organizational security measures, the Cyber Resilience Act (CRA) obliges manufacturers and suppliers of digital products to consider cybersecurity right from the design stage.
Companies must meet the following requirements:
- Ensure secure development ("Security by Design")
- Provide regular security updates
- Report security vulnerabilities to authorities within 24 hours
- Conduct security tests before market launch
The new EU requirements of the NIS2 Directive and the Cyber Resilience Act (CRA) pose considerable challenges for companies. While NIS2 primarily regulates organizational and operational cybersecurity measures in critical and important sectors, the CRA focuses on the product security of digital devices and software. Both sets of rules aim to prevent cyberattacks, minimize security gaps and better prepare companies for cybersecurity incidents.
Companies must now revise their IT security strategy, implement new processes and clarify internal responsibilities in order to meet the new requirements and avoid high penalties. As an experienced service provider, we help you implement all the necessary measures - from risk analysis to technical implementation and training of your teams! Contact us for individual advice.