Cybersecurity is becoming law, and we will all feel the effects!
The European Union has drawn up a comprehensive cybersecurity strategy to increase digital resilience and limit the consequences of cyber incidents. Although this new legislation sets challenging goals, I believe that the investments involved are worthwhile. But what are these challenges? And what does this mean for you as a citizen, operator or manufacturer?
Network and Information Security (NIS)
The increase in cyber attacks has created a need to update the NIS Directive. The new NIS2 Directive requires more operators to protect their systems against cyber attacks and will be implemented in the United Kingdom in the form of the Cyber Security Act (Cbw) – expected in the third quarter of 2025. This is a crucial step, as it not only increases the responsibility of operators, but also covers the security of the supply chain. This means that manufacturers must do their part, which I consider a necessary step in protecting our society against cyber attacks.
Organisations covered by the Cbw will be subject to, among other things, registration requirements, duty of care, reporting requirements and supervision. These measures will undoubtedly lead to higher investment costs and administrative burdens, but they are essential for ensuring the security of our digital infrastructure.
Cyber Resilience Act (CRA)
The CRA requires manufacturers to develop products with digital elements, meaning products that are directly or indirectly connected to another device or network, in accordance with the “secure by design” principle. This is a progressive approach that ensures security is built into products from the outset. The law sets requirements that hardware and software products must meet when they are marketed and throughout their entire life cycle of at least five years! This means that manufacturers are not only responsible for the initial security of their products, but also for actively reporting and effectively handling exploited vulnerabilities and incidents.
From 11 December 2027 (for CE marking), compliance with the CRA will be mandatory, which will have a significant impact on all existing products within the European Union, including IT products and products for home use. Although this will lead to higher costs and complexity, I believe this approach is crucial for protecting our society and strengthening trust in digital products.
Conclusion
NIS2 and CRA increase digital resilience, but require considerable effort and investment. This additional effort, which affects the entire chain, results in higher investment costs, increased complexity and higher administrative burdens.
From December 2027, products that have not been developed in accordance with the “secure by design” principle may only be sold for repair purposes. There is therefore a good chance that existing designs for new machines and installations will have to be sent back to the drawing board. It is therefore wise to switch to secure products now.
Although the costs and complexity are increasing, these measures are essential for protecting sensitive information, ensuring business continuity and strengthening customer confidence. In short, investing in cybersecurity is an investment in the future and the security of every organisation!
Follow my free webinar on cybersecurity for OT and learn more about cybersecurity legislation, such as NIS2, CRA and the new Machinery Regulation.