
Demystifying the EU cybersecurity puzzle: What NIS2, CRA and CSA mean for your network

Tightening regulations are transforming how operators secure critical infrastructure. Here’s how software automation helps navigate shifting compliance landscapes without operational disruption.

Stephan Lehmann

Europe is rapidly moving toward a more harmonized security posture. The rollouts of the Network and Information Security Directive (NIS2), the Cyber Resilience Act (CRA) and the updated Cybersecurity Act (CSA2) introduce strict management accountability, risk-mitigation obligations and technical requirements that demand immediate attention.

To address vulnerabilities across the digital ecosystem, Europe’s incoming security framework tackles the challenge from two angles: product engineering and operational governance. While the CRA enforces baseline security for connected hardware, NIS2 and CSA2 mandate robust risk management and accountability for the infrastructure operators running those systems.

The Cyber Resilience Act

The CRA targets any product with digital elements. Today, many everyday items, such as smart fridges, have internet connections. But when low-cost components with limited security enter the ecosystem, they can create significant botnet risks.

Consumer appliances and industrial-grade transport systems often rely on the same open-source software libraries, such as OpenSSL. This shared dependency increases exposure, making it critical for every connected product to demonstrate resilience. Under the CRA, hardware and software sold in the EU must meet defined cybersecurity requirements to earn the CE mark by December 2027.

A central element is the Software Bill of Materials, or SBOM. An SBOM provides an inventory of every software component within a device. If a vulnerability is discovered, operators can use SBOM data to identify and remediate affected systems. Our engineering teams are actively generating automated SBOMs across our portfolios to support greater supply chain transparency.
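To make the SBOM workflow concrete, here is an added example (not code from the page or from any vendor product it mentions) that loads a CycloneDX-style SBOM, matches each component against a vulnerability feed by package name and version range, and reports which components need remediation. The SBOM, the firmware name, the vulnerability identifiers (`EXAMPLE-VULN-…`) and the version ranges are all constructed for illustration and do not refer to real advisories.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed.

Added example, not the page's or any vendor's code. Every identifier,
version and range below is constructed for illustration only.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical network OS image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-nos-firmware", "version": "4.2.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.12",
     "purl": "pkg:generic/openssl@3.0.12"},
    {"type": "library", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"}
  ]
}
"""

# Constructed vulnerability feed; the IDs are placeholders, not real CVEs.
# "introduced" is inclusive, "fixed" is exclusive, like the OSV range model.
VULN_FEED = [
    {"id": "EXAMPLE-VULN-0001", "package": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.13", "severity": "high"},
    {"id": "EXAMPLE-VULN-0002", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "severity": "medium"},
    {"id": "EXAMPLE-VULN-0003", "package": "busybox",
     "introduced": "1.30.0", "fixed": "1.35.0", "severity": "low"},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '3.0.12' into a comparable tuple.

    Non-numeric suffixes (e.g. '1.2.11a') are ignored so that plain
    tuple comparison works; a real tool would use a proper version scheme.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Extract (name, version, purl) triples from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"], c.get("purl"))
            for c in doc.get("components", [])]


def find_affected(sbom_json: str, feed: list) -> list:
    """Cross-reference every SBOM component with the feed and collect findings."""
    findings = []
    for name, version, purl in load_components(sbom_json):
        for vuln in feed:
            if vuln["package"] != name:
                continue
            if is_affected(version, vuln["introduced"], vuln["fixed"]):
                findings.append({
                    "vuln_id": vuln["id"],
                    "severity": vuln["severity"],
                    "component": name,
                    "installed": version,
                    "purl": purl,
                    "remediation": f"upgrade {name} to >= {vuln['fixed']}",
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, VULN_FEED):
        print(f"{f['vuln_id']} [{f['severity']}] {f['purl']}: {f['remediation']}")
```

Run against the constructed data, the matcher flags the OpenSSL and zlib entries and leaves BusyBox alone because its installed version is at or past the fixed release. In a fleet, the same matcher runs once per firmware image and the result is joined with the inventory of which devices run that image, which is exactly the lookup NIS2 and the CRA expect operators to be able to perform quickly.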

Navigating NIS2

While the CRA targets product vendors, the NIS2 directive directly impacts critical infrastructure operators. They are required to ensure the security of their entire supply chain and therefore pass on strict specifications to device manufacturers, service providers and software providers to minimize vulnerabilities and failures.

The main requirements include:

  • Security standards and certifications: Manufacturers must prove that their devices are developed and manufactured according to recognized standards (e.g., ISO 27001, IT-Grundschutz or BSI C5 for cloud services).
  • Security by design and by default: Products must be designed with a focus on IT security from the development phase (e.g., no standard passwords, minimization of attack surface, encapsulation of services).
  • Vulnerability and update management: Manufacturers must communicate newly discovered security vulnerabilities transparently (coordinated vulnerability disclosure) and provide updates or patches in a timely manner.
  • Transparency through SBOM: To prevent supply chain attacks, operators are increasingly demanding a Software Bill of Materials (SBOM) similar to CRA requirements, listing all components, open-source libraries and dependencies in the firmware or software.
  • Access and control rights: Manufacturers must enable operators to verify the security of devices and development environments through (on-site) audits where required.
  • Integrity of hardware and software: Delivery must be tamper-proof (e.g., through cryptographic signatures) and devices must support continuous monitoring within the operator’s infrastructure.

Because it’s an EU directive rather than a centralized law, each member state must transpose it into national legislation. This creates regional variation. In Germany, the KRITIS Regulation (KritisV) and the NIS2 Implementation Act (NIS2UmsuCG) form the legal basis for requirements that are increasingly defined as mandatory contractual components (service level agreements) between operators and product vendors.

In addition, Germany’s infrastructure ministry, BNetzA, has compiled a security requirements catalog, known as SiKa, to be used for self-assessments of critical functions within carrier networks. When a product is identified as providing critical functions, it must be certified by the Federal Office for Information Security (BSI). This applies directly to routers and switches. To establish a compliant path for routing and switching, we evaluated the BSI’s Accelerated Security Certification (BSZ) for our products such as the Ensemble Activator network operating system. The certification can be implemented at short notice, not least because our products are already subject to regular penetration tests.

Europe’s security framework now spans both product engineering and operational governance.

Simplifying compliance through automated orchestration

Meeting regulatory requirements doesn’t have to disrupt daily operational workflows. Our Security Director platform is designed to automate key aspects of NIS2 risk management, replacing manual oversight with software-driven orchestration. It provides:

  • Privileged password management to secure administrative device access
  • Firmware tracking to identify which systems need security patches
  • Certificate lifecycle alerts before critical trust chains expire
  • Automated compliance checks that score device configurations against active security policies
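The following is an added example (not code from the page or from the Security Director product) of what an automated compliance check of this kind looks like in practice: a small policy is scored against a constructed device inventory, covering firmware currency, certificate expiry, management-protocol hygiene and default credentials. The device names, firmware versions, certificate dates and the fixed reference date are all constructed; a real system would pull these from the devices themselves.

```python
"""Score device configurations against a security policy.

Added example, not the page's or Security Director's code. The policy,
the device inventory and the reference date are constructed for
illustration so the results are reproducible offline.
"""
from datetime import date

# Constructed policy: what "compliant" means for this fleet.
POLICY = {
    "min_firmware": "4.2.0",                 # oldest release still receiving patches
    "cert_warn_days": 30,                    # alert this many days before expiry
    "allowed_mgmt_protocols": {"ssh", "https"},
}

# Constructed device inventory; none of these are real hosts.
DEVICES = [
    {"name": "core-rtr-01", "firmware": "4.2.1", "cert_not_after": "2026-01-15",
     "mgmt_protocols": ["ssh", "https"], "default_credentials": False},
    {"name": "edge-sw-07", "firmware": "4.1.0", "cert_not_after": "2025-11-20",
     "mgmt_protocols": ["ssh", "telnet"], "default_credentials": True},
    {"name": "agg-rtr-03", "firmware": "4.2.1", "cert_not_after": "2024-12-31",
     "mgmt_protocols": ["https"], "default_credentials": False},
]

REFERENCE_DATE = date(2025, 11, 1)  # fixed "today" so the scores are deterministic


def version_tuple(version: str) -> tuple:
    """'4.2.1' -> (4, 2, 1) for plain tuple comparison."""
    return tuple(int(p) for p in version.split("."))


def check_firmware(dev: dict, policy: dict) -> tuple:
    ok = version_tuple(dev["firmware"]) >= version_tuple(policy["min_firmware"])
    return ok, f"firmware {dev['firmware']} (minimum {policy['min_firmware']})"


def check_certificate(dev: dict, policy: dict, today: date) -> tuple:
    """Fail on expired certificates and on those inside the warning window."""
    not_after = date.fromisoformat(dev["cert_not_after"])
    days_left = (not_after - today).days
    if days_left < 0:
        return False, f"certificate expired {-days_left} days ago"
    if days_left <= policy["cert_warn_days"]:
        return False, f"certificate expires in {days_left} days"
    return True, f"certificate valid for {days_left} days"


def check_mgmt_protocols(dev: dict, policy: dict) -> tuple:
    disallowed = sorted(set(dev["mgmt_protocols"]) - policy["allowed_mgmt_protocols"])
    if disallowed:
        return False, "insecure management protocols enabled: " + ", ".join(disallowed)
    return True, "only approved management protocols enabled"


def check_credentials(dev: dict, policy: dict) -> tuple:
    if dev["default_credentials"]:
        return False, "factory-default administrator credentials still in use"
    return True, "administrator credentials changed from default"


def assess(dev: dict, policy: dict = POLICY, today: date = REFERENCE_DATE) -> dict:
    """Run every check on one device and return a percentage score plus findings."""
    checks = {
        "firmware": check_firmware(dev, policy),
        "certificate": check_certificate(dev, policy, today),
        "mgmt_protocols": check_mgmt_protocols(dev, policy),
        "credentials": check_credentials(dev, policy),
    }
    passed = sum(1 for ok, _ in checks.values() if ok)
    return {
        "device": dev["name"],
        "score": round(100.0 * passed / len(checks), 1),
        "failed": [name for name, (ok, _) in checks.items() if not ok],
        "findings": {name: msg for name, (_, msg) in checks.items()},
    }


def assess_fleet(devices: list = DEVICES, policy: dict = POLICY,
                 today: date = REFERENCE_DATE) -> list:
    """Score every device, worst first, so remediation can be prioritised."""
    return sorted((assess(d, policy, today) for d in devices), key=lambda r: r["score"])


if __name__ == "__main__":
    for r in assess_fleet():
        print(f"{r['device']}: {r['score']}% compliant; failed: {r['failed'] or 'none'}")
        for name, msg in r["findings"].items():
            print(f"    {name}: {msg}")
```

Each check is deliberately independent and returns a pass/fail plus a human-readable reason, so adding a new policy item (an SBOM-derived vulnerability check, for instance) means adding one function rather than rewriting the scorer. The fixed reference date is what makes the certificate check testable; in production it would simply be `date.today()`.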

This level of automation becomes even more important in the context of CSA2. The framework strengthens the mandate of ENISA, the EU Agency for Cybersecurity, giving it greater authority to manage centralized vulnerability data and identify high-risk suppliers.

To address overlaps between NIS2, CRA and CSA2, European working groups are also developing a “digital omnibus” to streamline data protection, AI and cloud regulations.

A global shift in network resilience

These compliance strategies also offer clear business advantages beyond EU borders. In the UK, standards remain closely aligned, and the market continues to accept European CE conformance claims for broad market access.

The impact is also evident in the US, where regulatory bodies are moving toward stricter software transparency. As a result, automated SBOM tracking is becoming an increasingly important baseline requirement for secure global procurement.

Turn regulatory pressure into architectural strength

These deadlines shouldn’t be viewed as operational roadblocks. Instead, they provide an opportunity to transition from reactive patching to a more proactive, structured security approach.

By anchoring your network strategy in automated tools like Security Director and partnering with vendors committed to supply chain visibility, you can build a compliant environment where software management and hardware protection work together more effectively. As we continue to enhance our portfolio, we’re helping ensure your infrastructure remains resilient and compliant.