In my new blog post, I highlight the importance of the current EU regulations for companies. I emphasize that companies not only need to be aware of NIS2, RED, CRA and the Data Act, but also need to take proactive measures to comply with these regulations and meet their requirements. In addition, I am available to advise companies on how to implement these regulations effectively.

Disclaimer: Please note that the following information is subject to change and does not constitute legal advice.

What EU regulations do companies need to prepare for now?

The EU has announced a number of changes to make old and new products on the market more cyber secure. These include NIS2 (Network and Information Security Directive), the Radio Equipment Directive (RED), the Cyber Resilience Act (CRA) and the Data Act. Read more in our blog post “How the Security Upgrade Kit helps companies comply with global regulations”. Companies are under pressure to act because they are directly affected by these regulations. In the case of NIS2 and RED, this applies both to their new systems and devices (greenfield) and to the already installed base (brownfield), which must be retrofitted to avoid severe risks.

NIS2 – The focus is on information and cyber security

NIS2 places particular emphasis on the protection of essential infrastructure, such as utilities, public authorities, and banks. Although there is currently no national implementation in Germany (in certain countries there is), the NIS2 Directive has been in force since October 18, 2024.
Affected companies face severe penalties of up to 2% of their global annual revenues for failing to update their systems and processes.

For further insights, I would also recommend the informative blog post titled “EU Regulation NIS2; Don’t Get Caught Off Guard!” by my colleague Alexander Summerer.

RED – Compliance is the key to CE marking

RED establishes the legal framework governing the operation of all radio equipment at frequencies up to 3,000 GHz. It is presented in the form of a directive. Exceptions to this directive include self-built amateur radio systems, systems on board aircraft and ships, and pure test modules.
The Radio Equipment Act of June 27, 2017, transposed RED into national law in Germany. This act defines the basic requirements for:

  • Medical compatibility (“Protection of the health and safety of users”, Article 3.1a)
  • Electromagnetic compatibility (“freedom from interference”, EMC, Article 3.1b)
  • Efficient use of radio frequencies (Article 3.2)

The CE marking on the product confirms that the manufacturer has complied with the regulations. Products covered by the RED must bear this mark in order to be placed on the market. In 2022, the RED was supplemented by a delegated regulation covering aspects of cybersecurity that primarily concern radio equipment connected to the internet. After a transitional period, compliance with these amendments will be mandatory from August 1, 2025 for the affixing of the CE marking and the placing on the market of products subject to the RED.

The Cyber Resilience Act (CRA)

The CRA applies to all products with digital elements and is intended to create the conditions for the development of secure digital and networked products. It is also intended to enable users to take cyber security into account when selecting products. The CRA has the legal status of a regulation (EU2022/0272). Following the adoption of the CRA at the end of October 2024 and the publication of the legal text in the Official Journal of the European Union, the CRA came into force in all EU member states on December 11, 2024. The CRA will be implemented in various stages from the end of 2024 to 2027. Compliance with the regulation will be a further requirement for CE marking of the products concerned.

Data Act

The Data Act is a key component of the Regulation on harmonized rules for fair access to and use of data, which was adopted by the Council of the EU on November 27, 2023. The Data Act was published in the Official Journal of the European Union on December 22, 2023, and is scheduled to come into force in the European Union on September 12, 2025. The objective of the Data Act is to foster a competitive data market by enhancing the accessibility and usability of data, particularly industrial data. This will encourage data-driven innovation and increase the availability of data. For businesses, manufacturers, service providers, and individual users, the Data Act establishes new requirements concerning rights, responsibilities, and access to data. It also aims to safeguard European companies against unfavorable contract terms in data sharing contracts, thereby enabling small businesses to engage more actively in the data market.

What are the consequences of NIS2, RED, CRA & Data Act for companies?

With NIS2 and RED, it is almost too late for the affected companies, as both directives are already in force and apply regardless of national implementation. There is very little time left to implement the cybersecurity extensions for RED by August 1, 2025 and the Data Act by September 12, 2025.

My advice: Overall, my brief review of the most prominent EU regulations shows that there is a need for companies to act quickly in order to remain competitive with their embedded systems and products.

How Swissbit can support your company in the process of implementation

For companies and their managers who are now thinking about the next steps, the focus should be on fast and effective solutions in order to maintain their competitiveness. As the following graphic illustrates, Swissbit offers a comprehensive solution for all the regulations mentioned in the text within our product portfolio.

[Figure: Security regulations for cyber-resilient IoT systems]

While our FIDO products, primarily the iShield Key series, are used in the context of NIS2, our embedded security products are ideally suited for regulations such as RED, CRA and the Data Act. See our solution expertise for yourself and contact me directly by email at roland.marx@swissbit.com to discuss your next steps. By the way: a community forum is available for all interested parties, where we provide additional information and promote the direct exchange of experiences.

Disclaimer: This article is sourced from the official Swissbit website. As official partners of Swissbit, we have obtained permission to use both articles and resources for further updates with regard to Swissbit’s products.