NIS2 and CRA
- magnuskindberg0
- Aug 13
- 6 min read
Getting your organization ready for the new directives
Introduction
What do they mean and who is affected?
Getting Your Organization Ready for NIS2 & CRA
The EU is raising the bar for cybersecurity, and the deadlines are coming fast. Member states had to transpose the NIS2 Directive into national law by 17 October 2024, and from that point it reshapes how essential and important entities manage cyber risk. The Cyber Resilience Act (CRA) entered into force on 10 December 2024: manufacturers' vulnerability and incident reporting obligations apply from 11 September 2026, and from 11 December 2027 any product with digital elements placed on the EU market must meet its security-by-design requirements.
These aren’t minor updates. They mean:
More industries in scope — from healthcare to manufacturing.
Tighter security controls — both technical and organizational.
Stricter reporting deadlines — an early warning for significant incidents within 24 hours, a full notification within 72 hours, and a final report within a month.
CE marking at risk — non-compliant products can’t be sold in the EU.
Whether you’re a technology provider, manufacturer, or service operator, the message is clear: start preparing now or face fines & sales bans.

Network and Information Systems Directive 2 (NIS2)
NIS2 is the EU's updated cybersecurity directive, designed to strengthen resilience across essential and important entities, from energy and transport to manufacturing and digital services. It widens the scope of the original NIS directive and introduces stronger security requirements, supply chain oversight, and shorter incident reporting timelines.
In short: more industries, higher standards, faster reporting.
Applies to essential and important entities in sectors such as energy, transport, healthcare, finance, digital infrastructure and manufacturing
Technical and organizational security measures
Mandatory incident reporting
Management bodies accountable for cybersecurity (they must approve the risk measures, oversee their implementation, and attend training, and can be held personally liable)
Indirect impact on suppliers through supply chain security requirements
Cyber Resilience Act (CRA)
The CRA is focused on the cybersecurity of products with digital elements. It requires manufacturers, developers, and distributors to ensure their products meet strict security requirements throughout their entire lifecycle, from design to end-of-life.
Think of it as “security by design” made law.
Applies to products with digital elements placed on the EU market, hardware and software alike, with narrow exclusions for products already covered by sector rules (for example medical devices and vehicles)
Requires secure design and development against the Annex I essential requirements (e.g. authentication, encryption of data at rest and in transit, integrity protection of code and data, secure defaults, minimal attack surface)
Securely updatable products, with security updates provided throughout the support period (at least five years unless the product's expected lifetime is shorter)
Mandatory documentation and SBOM (Software Bill Of Materials)
No CE marking if not meeting the requirements
100 000 organisations in the EU are affected by NIS2¹
30% of companies know the details of NIS2/CRA²
50% say they lack resources to meet the demands²
Timeline for implementation
NIS2 | Jan 2023: Directive (EU) 2022/2555 enters into force | 17 Oct 2024: deadline for member states to transpose it into national law | From late 2024: organizations must comply with the national implementations; risk of sanctions or fines
CRA | Dec 2024: Regulation (EU) 2024/2847 enters into force | Dec 2024 to Dec 2027: transition period for manufacturers and suppliers to prepare | 11 Sep 2026: reporting obligations for actively exploited vulnerabilities and severe incidents apply | 11 Dec 2027: CRA fully applicable; products must meet the requirements for CE marking and sale in the EU
Requirements by the directives
Which areas need to be covered?
Area | What's required? | Why it matters
Risk Management | Organizations (NIS2) and manufacturers (CRA) must proactively identify and assess cyber risks to their systems or products, including vulnerabilities, supply chain dependencies, and the exposed attack surface. | Without structured risk analysis you cannot prioritize mitigation or satisfy the regulatory requirements on security planning.
Incident Management | NIS2 requires organizations to detect, analyze and respond to incidents and to report significant ones in stages: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month. The CRA requires manufacturers to report actively exploited vulnerabilities and severe incidents affecting product security on a similar clock, starting with an early warning within 24 hours. | Early detection and response reduce downtime, limit damage, and are the only way to meet the mandatory reporting deadlines.
Security by Design | The CRA requires the Annex I essential requirements (authentication, encryption, integrity protection, secure defaults, minimal attack surface) to be built into the product from the design stage rather than added afterwards. | Retrofitting security is costly and error-prone; secure-by-design reduces vulnerabilities and is a precondition for CE marking under the CRA.
Documentation & SBOM | The CRA requires a technical file documenting the cybersecurity measures and a Software Bill of Materials (SBOM) in a commonly used, machine-readable format covering at least the product's top-level dependencies; NIS2 requires documented security policies, processes and risk assessments. | Without clear documentation, organizations and manufacturers cannot prove compliance and remain exposed to regulatory and customer demands.
Secure Coding & Testing | Both NIS2 (for critical systems) and the CRA (for products) expect code to be developed using secure coding practices and verified with appropriate testing. | Vulnerabilities introduced during development are a major cause of successful attacks; secure coding and thorough testing reduce this risk.
Secure Communication & Boot | The CRA's essential requirements call for a secure update mechanism, integrity protection of code and firmware (in practice, verified or secure boot so that unauthorized code cannot run), and confidentiality and integrity of data in transit (authenticated, encrypted communication between devices and servers). | Insecure bootloaders and unprotected communication channels are prime targets for compromising a product or its users.
Competence & Training | Both acts require that staff and management have sufficient knowledge to fulfill their cybersecurity responsibilities; NIS2 explicitly requires management bodies to undergo training and be accountable. | Even the best tools are ineffective if staff lack the knowledge to implement, maintain, and respond appropriately to cyber threats.
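A practical first check on the SBOM side is whether the bill of materials you ship is actually usable: every component has a name, a version, a package URL and a license, no library is linked in twice under different versions, and every dependency edge points at a declared component. The following is an added example written for this page, not a Nohau tool or anything from the regulation text; it assumes the SBOM is CycloneDX JSON (the `components`, `bom-ref`, `purl`, `licenses` and `dependencies` fields are from that specification) and uses a small constructed SBOM for an imaginary firmware image as input.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 document for an imaginary firmware image.
# The gaps (missing version, missing license, duplicate library,
# undeclared dependency) are deliberate so the checker has something to find.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "fw", "type": "firmware",
                               "name": "sensor-firmware", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "mbedtls", "type": "library", "name": "mbedtls", "version": "3.6.0",
         "purl": "pkg:github/Mbed-TLS/mbedtls@v3.6.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "lwip", "type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},                      # license not declared
        {"bom-ref": "cjson", "type": "library", "name": "cJSON",
         "purl": "pkg:github/DaveGamble/cJSON"},                  # version not declared
        {"bom-ref": "mbedtls-old", "type": "library", "name": "mbedtls", "version": "2.28.0",
         "purl": "pkg:github/Mbed-TLS/mbedtls@v2.28.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},        # second copy of mbedtls
    ],
    "dependencies": [
        {"ref": "fw", "dependsOn": ["mbedtls", "lwip", "cjson", "zlib"]},  # zlib never declared
    ],
})


def check_sbom(sbom_json: str) -> list:
    """Return a list of human-readable findings; an empty list means the SBOM passed."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]

    findings = []
    components = bom.get("components", [])
    known_refs = set()
    root = bom.get("metadata", {}).get("component") or {}
    if root.get("bom-ref"):
        known_refs.add(root["bom-ref"])

    versions_by_name = defaultdict(set)
    for comp in components:
        label = comp.get("name", "<unnamed>")
        # Fields a downstream consumer needs to match the entry against advisories.
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        if not comp.get("licenses"):
            findings.append(f"{label}: no license declared")
        if comp.get("bom-ref"):
            known_refs.add(comp["bom-ref"])
        versions_by_name[label].add(comp.get("version"))

    # The same library under two versions usually means an old copy is still linked in.
    for name, versions in versions_by_name.items():
        if len(versions) > 1:
            listed = ", ".join(sorted(str(v) for v in versions))
            findings.append(f"{name}: multiple versions declared ({listed})")

    # Every dependency edge must point at something the SBOM actually describes.
    for dep in bom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in known_refs:
                findings.append(f"dependency {dep.get('ref')} -> {target}: target not declared")

    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against a real CycloneDX export (for example from the build system's SBOM plugin) the same function gives a quick pass/fail gate to put in CI before the technical file is assembled.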
Overview per area
Area | NIS2 | CRA
Risk Management | Required | Required
Incident Management | Required (incident reporting, Art. 23) | Required (reporting of actively exploited vulnerabilities and severe incidents, Art. 14)
Security by Design | (Recommended) | Required
Documentation & SBOM | Required | Required
Secure Coding & Testing | Required | Required
Secure Communication & Boot | (Recommended) | Required
Competence & Training | Required | Required
Ways to comply with the directives - Tools and training
Our Partners
Training Courses
Embedded Development | Functional Safety | Security | Software Quality
Solutions Provided by Nohau
Incident Management | Tracealyzer & TRACE32: offer deep insights into the runtime behavior of embedded systems, helping detect anomalies and investigate the root cause of incidents. Runtime tracing is not itself a mandated control under either act, but it is instrumental for meeting NIS2's requirement for rapid detection and analysis and provides the evidence needed for the CRA's vulnerability and incident reports.
Results and value
Proactive Security:
Build secure products and systems from day one with secure coding, testing, and Security by Design practices.
Reduce vulnerabilities early through SAST, SBOM, and unit testing.
Empower teams with training to understand and prevent risks.
Regulatory Compliance
Meet NIS2 and CRA requirements with verified processes, secure products, and proper documentation.
Avoid fines, sales bans, and reputational damage.
Reactive Resilience
Detect, analyze, and resolve incidents faster.
Document and prove your response for regulatory and customer audits.
Business Value
Deliver products and services that customers trust.
Strengthen your brand as a reliable, security-conscious partner.
Differentiate yourself in the market with demonstrable cybersecurity excellence.
Conclusion
Compliance is not optional, it’s a competitive advantage.
By integrating NIS2 and CRA requirements into your processes today, you’re not just avoiding penalties, you’re building trust and resilience.
Nohau helps organizations and manufacturers:
Identify and fix vulnerabilities early with SAST, SBOM, and unit testing tools.
Implement secure-by-design practices from the first line of code.
Train teams and management to meet regulatory demands with confidence.
Document compliance for audits, customers, and CE marking.
Start your compliance journey now with our training courses and security tools to stay ahead of NIS2 and CRA.