Written by Armin Scheuermann

The island of the blessed has no bridges to the mainland. Production systems are also no longer "islands of the blessed": gone are the days when control systems, control technology and field devices in the process industry ran in isolation and were physically sealed off. No internet connection, no external interfaces – no risk, according to yesterday's thinking. But with remote maintenance, networked systems and IT/OT integration, new areas of vulnerability are emerging – and with them the need to systematically consider cyber security.
With NIS 2 and the Cyber Resilience Act (CRA), the EU is aiming for a new level of protection in industrial digitalisation – on two levels:
Both sets of regulations are interlinked – and make it clear that operators need compliant products and manufacturers must deliver them. Those who fail to comply risk not only fines but also operational risks.
The NIS 2 Directive was actually supposed to be transposed into national law by October 2024. However, the process was delayed in Germany – the implementing law was not passed by the Federal Cabinet until 30 July 2025, meaning that NIS 2 will not come into force in Germany until the end of 2025 at the earliest.
All companies with at least 50 employees or an annual turnover of €10 million in critical sectors are affected. The requirements at a glance:
The penalties are severe: up to €10 million or 2% of turnover for "particularly important institutions", up to €7 million or 1.4% for "important institutions". The consequence: cybersecurity becomes a top priority. Management is personally liable – and failure to comply can result in more than just a fine.
A real-life example illustrates what is at stake: a pharmaceutical company with 85 employees must in future report security incidents immediately – even if no immediate damage has been caused. This requires processes that are often lacking today: from internal alarm plans to legally compliant documentation.

The Cyber Resilience Act brings cybersecurity into the CE marking. From January 2027, only products with digital components that:
What does this mean? In future, manufacturers of industrial gateways will have to provide complete documentation of how their products are secured – including a software bill of materials, documented patch management and proof of support. Those who are unable or unwilling to do so risk fines of up to £13 million or 2.5% of their annual turnover.
Operators will also have to adapt: components that are still considered spare parts today must be fully CRA-compliant by 2027 – otherwise operators face legal trouble.
Old systems remain permitted in principle – but woe betide anyone who makes a "significant change". That's when the CRA kicks in, and a maintenance project suddenly turns into a complete recertification. This is particularly critical in safety-related areas: anyone replacing a safety PLC there often has to redesign and validate the entire safety system and coordinate it with the authorities.
An example with consequences: an operator replaces an outdated PLC that is no longer available with a current model. What sounds like routine triggers a chain reaction: new software, new documentation, new tests – and, in case of doubt, weeks of downtime because the approval authorities also have to be involved.
Many operators rely on long-standing OEM components – with maintenance contracts that run for 20 or 30 years. But the CRA puts an end to this: from 2027, manufacturers will no longer be allowed to supply non-compliant products.
A realistic scenario: in 2026, an automation provider announces that it will discontinue its gateway series because CRA compliance is not economically viable. Operators who still have these devices installed in their systems are under pressure to quickly find, test and approve alternative solutions – all while production continues. This is not only technically challenging. It requires forward planning, new contract models and clarity in the distribution of roles.
This results in a clear roadmap for operators and manufacturers alike:
Some plant operators are already relying on "security panels" – mixed teams from OT, IT, purchasing and legal. This allows implementation plans to be developed in a structured manner and prioritised realistically.
Cybersecurity is no longer a matter for the IT department alone – it is a key issue for the future security of the entire business. The new EU regulations are bringing enormous momentum to the market. Those who react early will have less stress later on – and a stronger position in audits, customer meetings and dealings with regulatory authorities. In other words, those who invest now are building resilience. Those who wait are investing in stagnation.