- 11/10/2025
- Article
- Automation & digitalization
New rules for cybersecurity – What plant operators and plant manufacturers need to know now
With NIS 2 and the Cyber Resilience Act (CRA), the EU is noticeably tightening the security reins. What does this mean for operators of older plants? Can they continue to use their technology? And how will manufacturers cope with the new product specifications? This article provides clear information – and shows what needs to be done now.
Written by Armin Scheuermann

The island of the blessed has no bridges to the mainland. Production systems are also no longer "islands of the blessed": gone are the days when control systems, control technology and field devices in the process industry ran in isolation and were physically sealed off. No internet connection, no external interfaces – no risk, according to yesterday's thinking. But with remote maintenance, networked systems and IT/OT integration, new areas of vulnerability are emerging – and with them the need to systematically consider cyber security.
Two EU regulations, one big impact
With NIS 2 and the Cyber Resilience Act (CRA), the EU is aiming for a new level of protection in industrial digitalisation – on two levels:
- NIS 2 obliges operators of so-called "particularly important facilities" (critical importance) and "important facilities" (high economic or social importance) to implement organisational security measures: information security management system (ISMS), risk analyses, reporting processes, awareness programmes and much more.
- The CRA is aimed at manufacturers: from 17 January 2027, products may only be placed on the market if their CE marking also covers cybersecurity requirements.
Both sets of regulations are interlinked – and make it clear that operators need compliant products and manufacturers must deliver them. Those who fail to comply risk not only fines but also operational risks.
NIS 2: Operator obligations with bite
The NIS 2 Directive was actually supposed to be transposed into national law by October 2024. However, the process was delayed in Germany – the implementing law was not passed by the Federal Cabinet until 30 July 2025, meaning that NIS 2 will not come into force in Germany until the end of 2025 at the earliest.
All companies with at least 50 employees or an annual turnover of €10 million in critical sectors are affected. The requirements at a glance:
- Introduction of an information security management system (ISMS),
- systematic risk analyses,
- incident management with reporting obligations,
- securing the supply chain,
- technical and organisational security measures.
The penalties are severe: up to €10 million or 2% of turnover for "particularly important institutions", up to €7 million or 1.4% for "important institutions". The consequence: cybersecurity becomes a top priority. Management is personally liable – and failure to comply can result in more than just a fine.
A real-life example illustrates what is at stake: a pharmaceutical company with 85 employees must in future report security incidents immediately – even if no immediate damage has been caused. This requires processes that are often lacking today: from internal alarm plans to legally compliant documentation.

CRA: New rules for digital products
The Cyber Resilience Act brings cybersecurity into the CE marking. From January 2027, products with digital components may only be placed on the market if they:
- have secure default configurations,
- demonstrate effective vulnerability management (including a bill of materials for software components, SBOM),
- guarantee updates for at least five years,
- record, document and report security vulnerabilities,
- meet the new CE requirements.
What does this mean? In future, manufacturers of industrial gateways will have to provide complete documentation of how their products are secured – including a software bill of materials, documented patch management and proof of support. Those who are unable or unwilling to do so risk fines of up to £13 million or 2.5% of their annual turnover.
Operators will also have to adapt: components that are still considered spare parts today must be fully CRA-compliant by 2027 – otherwise they face legal trouble.
Brownfield issues: grandfathering with a catch
Old systems remain permitted in principle – but woe betide anyone who makes a "significant change". That's when the CRA kicks in, and a maintenance project suddenly turns into a complete recertification. This is particularly critical in safety-related areas: anyone replacing a safety PLC there often has to redesign and validate the entire safety system and coordinate it with the authorities.
An example with consequences: an operator replaces an outdated PLC that is no longer available with a current model. What sounds like routine triggers a chain reaction: new software, new documentation, new tests – and, in case of doubt, weeks of downtime because the approval authorities also have to be involved.
Supply chain pressure: OEM ties become a risk
Many operators rely on long-standing OEM components – with maintenance contracts that run for 20 or 30 years. But the CRA puts an end to this: from 2027, manufacturers will no longer be allowed to supply non-compliant products.
A realistic scenario: in 2026, an automation provider announces that it will discontinue its gateway series because CRA compliance is not economically viable. Operators who still have these devices installed in their systems are under pressure to quickly find, test and approve alternative solutions – all while production continues. This is not only technically challenging. It requires forward planning, new contract models and clarity in the distribution of roles.
This results in a clear roadmap for operators and manufacturers alike:
- Record facilities: Which systems are in use where – and how old are they?
- Prioritise risks: Which components are critical to safety? Where are bottlenecks likely to occur?
- Adapt product strategy: Which systems need to be replaced, which can be migrated?
- Engage suppliers: Hold manufacturers accountable – including update promises and SBOM.
- Set up organisation: Introduce ISMS, define responsibilities, raise awareness.
- Utilise cooperation: BSI, industry associations, working groups – sharing experiences saves time and nerves.
Some plant operators are already relying on "security panels" – mixed teams from OT, IT, purchasing and legal. This allows implementation plans to be developed in a structured manner and prioritised realistically.
Conclusion: Security is becoming an infrastructure task
Cybersecurity is no longer a matter for the IT department – it is a key issue for the future security of the entire business. The new EU regulations are bringing enormous momentum to the market. Those who react early will have less stress later on – and a better hand in audits, customer meetings and regulatory authorities. In other words, those who invest now are building resilience. Those who wait are investing in stagnation.
