Cyber Resilience Act and NIS2 – identify vulnerabilities in time and optimize protective measures

There is no legal definition of cyber resilience. Loosely interpreted, the term can be defined as a company’s resistance to hacker attacks and preparation for the failure of system-relevant components.

Cybercrime poses one of the greatest threats to companies, notes the BSI in its 2022 Situation Report. It is therefore crucial for the success and survival of companies to be prepared for these threats and to build up appropriate cyber resilience.

To establish a general resilience against cyber attacks in Europe, the EU has launched the Cyber Resilience Act (CRA) and NIS2.

We have been supporting our customers in achieving the best possible security standard for 15 years. We see the new standardization through the Cyber Resilience Act as an opportunity and are happy to help our customers use it for even more security.


Cyber Resilience Act and NIS2: What are their goals?

With the Cyber Resilience Act, or CRA for short, the EU Commission introduces binding security requirements for products with digital elements. This covers products sold to end consumers as well as products used in companies for production, sourced as intermediate products and processed further, and thus forming part of supply chains. The CRA provides for a number of measures to enhance the cybersecurity of such products.

The new European cybersecurity regulations for industrial companies, such as the Cyber Resilience Act or NIS-2, may seem complex at first. However, these regulations can be your allies when it comes to effectively protecting against cyber attacks.

Cyber Resilience Act – for which companies is the CRA relevant?

The new regulations affect all companies that manufacture products with digital elements. In addition, there are obligations for distributors and importers. There are no size-based exemptions.

Which products does this affect?

The European Commission proposes risk-adequate cybersecurity measures for products with digital elements across the phases of design, development and production as well as during marketing and use.

In doing so, the European Commission differentiates according to the criticality of the products:

  • Non-critical products with digital elements (e.g. storage media, graphics programs)
  • Class I: critical products with digital elements (e.g. browsers, password managers, firewalls, microcontrollers)
  • Class II: critical products with digital elements (e.g. routers or firewalls for industrial use, industrial IoT devices)
  • Highly critical products with digital elements

What does that mean in practice?

The European Commission estimates that about 90 percent of products will fall into the non-critical category. Manufacturers and distributors dealing in critical products will be subject to stricter requirements, particularly with regard to conformity assessment, which will be based on harmonized EU standards. Compliance with the standards will be indicated by the CE marking on the product, with national market surveillance authorities monitoring proper implementation.

Infographic showing how the Cyber Resilience Act categorizes products into default, critical Class I, and critical Class II based on risk level and assessment requirements

Source: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-factsheet

What requirements does the Cyber Resilience Act place on affected companies?

The CRA defines lifecycle security requirements:

  • Reporting actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them.
  • Reporting incidents affecting the security of the product, and informing product users about them, including corrective measures they can take.
  • Reporting vulnerabilities identified in third-party components to the maintainers or vendors of those components.

Product vendors must provide:

  • A Software Bill of Materials (SBOM) for the product.
  • Evidence that the product is delivered without known exploitable vulnerabilities, as a precondition for the CE marking.
  • Continuous vulnerability scanning over the product's support period.
  • A process and infrastructure for documenting, handling and reporting product vulnerabilities.

The Cyber Resilience Act calls on companies to carry out vulnerability analyses and external audits on a regular, permanent and sustainable basis. We can help you comply with these requirements: the Greenbone Vulnerability Management product series, the Greenbone Enterprise Appliances, supports compliance with the CRA on-premises or in the cloud.
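To make the SBOM and continuous-scanning obligations above concrete, here is an added example that is not part of this page or of Greenbone's tooling: a small matcher that reads a minimal CycloneDX-style SBOM, checks each component against an advisory list with version ranges, and applies a release gate that blocks when a known exploited vulnerability remains. The SBOM, the advisory list and the advisory identifiers (EXAMPLE-000x) are all constructed for the example and are not real CVE numbers; the version comparison is a simplified numeric one and a real pipeline would use the ecosystem's own versioning rules and an exploitability statement (VEX) rather than a boolean flag.

```python
"""SBOM-based vulnerability matching (added example, not Greenbone code).

Reads a minimal CycloneDX-style SBOM and matches each component against a
constructed advisory list. Both inputs are constructed for this example; the
advisory identifiers are placeholders, not real CVE numbers.
"""
import json
import re
from dataclasses import dataclass

# Constructed SBOM in the CycloneDX JSON shape (only the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",  "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "openssl", "version": "3.0.8",
     "purl": "pkg:generic/openssl@3.0.8"},
    {"type": "library", "name": "zlib",    "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1"}
  ]
}
"""

# Constructed advisories. "exploited" models the CRA's special treatment of
# actively exploited vulnerabilities (24-hour reporting, release blocking).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "libfoo",  "range": "<1.2.4",        "exploited": True},
    {"id": "EXAMPLE-0002", "component": "openssl", "range": ">=3.0.0,<3.0.9", "exploited": False},
    {"id": "EXAMPLE-0003", "component": "zlib",    "range": "<1.3.0",        "exploited": False},
]


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    exploited: bool


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(v):
    """'1.2.3' -> (1, 2, 3). Pre-release suffixes such as '-rc1' are ignored,
    i.e. '1.2.3-rc1' compares equal to '1.2.3' (a deliberate simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def version_in_range(version, spec):
    """True if `version` satisfies every comma-separated constraint in `spec`,
    e.g. '>=3.0.0,<3.0.9'. Tuples are zero-padded so '1.2' == '1.2.0'."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.\-]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        n = max(len(v), len(bound))
        if not _OPS[op](v + (0,) * (n - len(v)), bound + (0,) * (n - len(bound))):
            return False
    return True


def scan_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory list."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] == comp["name"] and version_in_range(comp["version"], adv["range"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"], adv["exploited"]))
    return findings


def release_gate(findings):
    """Return (ok, blocking). The gate fails while any known exploited
    vulnerability is unresolved; non-exploited findings are reported only."""
    blocking = [f for f in findings if f.exploited]
    return (not blocking, blocking)


if __name__ == "__main__":
    found = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f.component} {f.version}: {f.advisory}{' (exploited)' if f.exploited else ''}")
    ok, blocking = release_gate(found)
    print("release gate:", "PASS" if ok else f"BLOCKED by {[f.advisory for f in blocking]}")
```

Run as a script it lists the two matching components and reports the gate as blocked by the libfoo finding; re-running the same scan against a refreshed advisory list on every build is the "continuous scan" the CRA asks for, with the SBOM as the stable input.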


Who does NIS2 affect?

Public and private entities in 18 critical sectors that have at least 50 employees or an annual turnover or balance sheet total of at least EUR 10 million must follow the new NIS2 rules.

NIS-2 Directive: Increasing cybersecurity for operators of critical infrastructure (KRITIS in Germany)

The NIS-2 directive, an important part of the EU’s digital strategy “Shaping Europe’s Digital Future“, aims to enhance cybersecurity across Europe. It aims to better protect organizations and critical infrastructure from cyber threats and ensure a high level of security across the EU. The directive came into force on January 16, 2023, and EU member states have until October 17, 2024, to incorporate the rules into their national laws.

Which categories of economic sectors does NIS2 affect?

NIS2 distinguishes "sectors of high criticality" (whose operators are typically essential entities) from "other critical sectors" (whose operators are typically important entities).

Sectors such as energy, transport, finance, healthcare, digital infrastructure and public administration fall into the first category, while the second category includes manufacturing, postal services, chemicals and more.

Which companies within these sectors are covered by the directive is determined by each country’s laws.

For affected companies, the NIS-2 directive brings new responsibilities. They must report cybersecurity incidents to authorities based on certain criteria:

  • Early warning: within 24 hours of becoming aware of a significant incident.
  • Incident notification: within 72 hours of becoming aware of the incident, including an initial assessment of its severity and impact.
  • Intermediate report: on request of the CSIRT or the competent authority, with relevant status updates.
  • Progress report: for incidents still ongoing one month after the incident notification.
  • Final report: within one month of the incident notification or, for ongoing incidents, within one month of completing incident handling.
  • Voluntary reporting of other incidents and near misses is also possible.

Companies must also actively manage risk and comply with standards for network and system security, incident handling, crisis management, secure supply chains and asset management. The protection mechanisms and technologies used must be up to date. Countries could even introduce certification requirements to demonstrate compliance.

In Germany, the NIS-2 directive will lead to adjustments to the existing IT Security Act 2.0 or to a new law. German KRITIS operators with an established information security management system (ISMS) and reliable cybersecurity technology are well prepared and will likely need only minor adjustments. The directive sets the stage for a more robust cybersecurity landscape across all industries.

When do the guidelines go into effect?

CRA

The European Parliament and the Council are examining the Commission's current proposal for the Cyber Resilience Act.

Once adopted, economic operators and member states will have two years to adapt to the new requirements.

The obligation to report actively exploited vulnerabilities and incidents will apply after one year.

The Commission will regularly monitor compliance with the new cybersecurity rules for the EU and sanction non-compliance if necessary.

NIS2

The NIS-2 Directive was published in the Official Journal of the European Union L333 on 27 December 2022 and entered into force on 16 January 2023. EU member states have 21 months, i.e. until 17 October 2024, to transpose the directive into national law. From that date the provisions apply to all affected companies.

We can help you comply with the requirements.
