CRA, CE and NIS-2

What does digital resilience and cybersecurity mean across the supply and value chain?

The EU’s new Cyber Resilience Act (CRA), together with CE conformity and the NIS-2 Directive, promises – and demands – a comprehensive strengthening of digital resilience across the entire supply and value chain. We provide some guidance on how these pieces of legislation work together to shape a secure digital future.

This guidance covers:

  • The relationship between the CRA (EU Cyber Resilience Act), CE conformity and NIS-2 (EU Network and Information Security Directive).
  • The CRA obligations for manufacturers of products with digital elements, and the resulting transparency benefits for CRITIS operators and organisations affected by NIS-2.

Horizontal and vertical regulation: CRA, CE conformity and NIS-2
The CRA, the EU’s Cyber Resilience Act, which is expected to come into force in the second half of 2024, requires manufacturers of products with digital elements to take cybersecurity measures at product level. This horizontal regulation (applying to products across all sectors) complements the vertical regulation of NIS-2, which focuses on the operational cybersecurity of “essential and important entities” in specific sectors.

Manufacturers have a duty – security transparency for CRITIS operators
The CRA requires manufacturers to test and certify their products not only for physical safety, but also for cybersecurity. CRITIS operators and organisations affected by NIS-2 benefit from this security transparency, because it becomes easier for them to demonstrate the security of their supply chain.

Benefits for operators: The CRA simplifies supply chain security verification
CRA-certified precursor products (the components and systems an operator buys in) make supply chain security verification much easier. The CRA addresses the so-called “cuckoo’s egg” problem, in which an insecure precursor product could compromise the entire security chain. For example, an organisation affected by NIS-2 must ensure “supply chain security” as one of several risk management and resilience measures. When manufacturers’ precursor products can prove their CE conformity under the CRA not only in terms of safety but also in terms of security, the NIS-2-affected organisation can meet this obligation more easily.

Preparations and compliance at Dallmeier: ISO 27001 and more
The CRA will also affect us as a manufacturer at Dallmeier in the future. We are prepared and will comply with the CRA at product level, e.g. through technical cybersecurity functions and through preventive and reactive vulnerability management based on an SBOM (Software Bill of Materials). An ISO 27001-certified internal ISMS (information security management system) supports these measures.

CE conformity scheme expanded to include security, four risk classes in CRA
Until now, CE conformity has mainly covered safety, health and environmental protection. The CRA adds security as a new criterion to complete these requirements. The Cyber Resilience Act categorises products with digital elements into four risk classes based on their function, intended use and potential impact.

The central tool for compliance with the Cyber Resilience Act will be the conformity assessment. This assesses whether a product meets the security and vulnerability management requirements. For non-critical products, a self-assessment by the manufacturer is sufficient. For critical products, a stricter verification procedure applies: for Class I, at least a standardised conformity assessment or an independent third-party audit; for Class II critical products, a security audit by a certified third party is mandatory. Compliant products receive the CE mark, indicating that they meet the conformity requirements.

These measures significantly increase the security and resilience of digital products, benefiting not only manufacturers but society as a whole.

Further information on Dallmeier's approach to cybersecurity in CRITIS