NIS2 Directive
The NIS2 Directive (EU 2022/2555) is the EU's updated network and information security law, establishing cybersecurity obligations for operators of essential and important services. While the CRA governs product manufacturers, NIS2 governs service operators — but the two frameworks overlap significantly for organisations that both manufacture products and operate digital services.
What Is the NIS2 Directive?
The NIS2 Directive (EU 2022/2555), which entered into force in January 2023 and required member state transposition by October 2024, is the second generation of the EU's network and information security framework. It significantly expands the scope of the original NIS Directive: it broadens the range of sectors covered (now including manufacturing, digital infrastructure, and managed service providers), tightens the security obligations placed on covered entities, and strengthens enforcement. NIS2 requires covered entities to implement risk management measures, report significant incidents to national authorities (typically CSIRTs or competent authorities) within strict timeframes, and address supply chain security. Non-compliance can trigger administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities; the cap for important entities is lower (up to €7 million or 1.4% of global annual turnover, whichever is higher).
NIS2 vs CRA: How the Frameworks Relate
NIS2 and the CRA are complementary but distinct frameworks. NIS2 focuses on organisational obligations for service operators — how they manage their own network and information systems. The CRA focuses on product obligations for manufacturers — the cybersecurity properties of products with digital elements placed on the EU market. An IoT manufacturer that also operates a cloud platform may be subject to both: the CRA for its devices, and NIS2 for its platform operations. The CRA expressly provides that it is without prejudice to NIS2. Where both apply, manufacturers must ensure their vulnerability handling and incident notification processes satisfy both frameworks' requirements, which use different notification channels and differ in the later reporting stages even though both start with a 24-hour early warning.
NIS2 Incident Reporting vs CRA Incident Notification
Both NIS2 and the CRA require incident reporting, but to different bodies and on different timelines. Under NIS2, essential and important entities must notify their national competent authority or CSIRT of significant incidents with an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Under the CRA (Article 14), manufacturers must report actively exploited vulnerabilities in their products, and severe incidents affecting product security, through the single reporting platform operated by ENISA; the notification reaches ENISA and the CSIRT designated as coordinator in the member state where the manufacturer has its main establishment. The CRA also uses a 24-hour early warning and a 72-hour fuller notification, with a final report due after a corrective measure is available. Note that the CRA's reporting obligations apply only from 11 September 2026, whereas NIS2 obligations already apply where national transposition is in place. When a security incident also involves an actively exploited vulnerability in a product, a manufacturer subject to both frameworks may need to notify its national NIS2 authority and the CRA reporting platform in parallel, with clocks that started at the same moment of awareness. Coordinating these notifications through a unified PSIRT process, with one timeline owner and a shared record of when awareness began, is strongly recommended.
Supply Chain Security Under NIS2 and CRA
Supply chain security is a prominent theme in both NIS2 and the CRA. NIS2 Article 21 requires covered entities to address the security of their supply chain, including relationships with direct suppliers and service providers. The CRA extends this by requiring manufacturers to address the security of components — including open source components — incorporated into their products. Manufacturers subject to NIS2 as service operators face a compound obligation: ensuring their own supply chain (as an NIS2 entity) and ensuring the security of the components in their products (as a CRA manufacturer). Maintaining a current SBOM for all products greatly assists in satisfying both obligations, as it provides evidence of component visibility and supports rapid response when upstream vulnerabilities are disclosed.
Frequently asked
Does NIS2 apply to product manufacturers?
NIS2 can apply to manufacturers in certain sectors — the directive includes manufacturing of critical products (such as medical devices, vehicles, and certain industrial equipment) within its scope of 'important entities'. If a manufacturer falls within NIS2's scope as an important or essential entity, it must comply with NIS2's organisational security obligations in addition to the CRA's product-level requirements. Manufacturers should assess their NIS2 applicability separately from their CRA obligations.
Which regulation takes precedence — NIS2 or the CRA?
Neither takes precedence — they govern different subjects (organisations vs. products) and both apply in full where their scope conditions are met. The CRA explicitly states it is without prejudice to NIS2. Where there are apparent conflicts — for example in incident notification timelines — manufacturers should adopt the stricter requirement and ensure notifications satisfy both frameworks. National competent authorities in some member states have issued guidance on dual-notification procedures.
When did NIS2 take effect?
The NIS2 Directive entered into force on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024. Transposition has been uneven: a number of member states missed the deadline, and national implementation details (including which authority receives notifications and how entities are registered) vary. Manufacturers should consult the national law in each member state where they operate to understand the specific obligations that apply.