Four Security Standards That Mechanical Engineering Companies Need to Know About in 2025

Your roadmap for navigating the EU Data Act, Cyber Resilience Act, NIS2 and IEC 63442

Lara Rißland

November 1, 2024

Products

The year 2024 marks a critical turning point for manufacturers of components, devices, and machinery in the Industrial Internet of Things (IIoT). Four major European Union security standards are either coming into force or taking center stage, establishing clear minimum requirements to enhance IoT cybersecurity. These new standards will not only strengthen defenses but also place a greater responsibility on manufacturers, operators, and integrators to ensure compliance. From now on, products must meet these standards to maintain a foothold in the EU market.

The regulations at the forefront include the EU Data Act, the Cyber Resilience Act (CRA), the Network and Information Security Directive (NIS2), and the international standard IEC 62443, which focuses on cybersecurity for industrial communication networks and systems. The goal? To safeguard IoT devices by ensuring confidentiality, integrity, authenticity, and availability, making them resilient against cyber threats.

Ignoring these standards poses serious risks. Failing to comply could open doors to hacking attempts, security breaches, productivity loss, and even harm your company's reputation. Financial penalties and legal consequences may follow, alongside the risk of data loss, manipulation, and unauthorized access, which can ultimately impact revenue and customer trust.

Now is the time to reassess and upgrade your approach to IoT device security to face both current and future challenges. Explore this resource to stay informed on what these changes mean for manufacturers of components and devices. Here you will find everything you need to know on this subject as a manufacturer of components and devices.

The new laws and their effects

EU Data Act

What is the EU Data Act?

The EU Data Act is a new regulation that lays down uniform rules for access to data, switching cloud suppliers, and interoperability requirements in the EU. It applies to both personal and non-personal data and aims to remove barriers to the use and reuse of non-personal data, especially data generated by networked products and related services. The aim is to create a market for data in the EU and to promote the flow of data.
When does the EU Data Act come into force?

The EU Data Act was ratified by the European Council on November 27, 2023¹ and entered into force at the beginning of January 2024. There is a transitional period of 20 months until September 12, 2025, after which the Data Act will become directly applicable law throughout the EU.
Which products are affected by the EU Data Act?

The EU Data Act affects many connected products that collect and transmit data. These include smart appliances, wearables, cars, robots and medical devices. Connected services and cloud services are also covered. Manufacturers and data collectors must fulfil the requirements, even if they are based outside the EU.

Access to data and consumer rights

The EU Data Act not only regulates access to, but also the use of data generated by IoT devices. Consumers are given the right to access their data in real time and use it for value-added services such as predictive maintenance. This not only promotes transparency, but also strengthens their position in terms of having control over their own data.

Fostering competition in the after-sales market

An important focus of the EU Data Act is the creation of a single market for the free movement of data within the EU. Manufacturers could be obligated to share certain data with repair or service providers. This could lead to more competition in the after-sales market, as consumers would have more choice and better access to services.

Data security and location restrictions

The act also contains provisions on data security, including a ban on storing or processing certain data outside the EU. This is intended to protect sensitive information and at the same time promote the development of interoperability standards to facilitate the reuse of data in various sectors of industry.²

What does the EU Data Act mean for mechanical engineering companies as well as component and device manufacturers?

For manufacturers of IoT devices, the introduction of the EU Data Act means increased compliance responsibility. This includes not only ensuring data access for users, but also ensuring comprehensive protection of their data and compliance with data security. Addressing these requirements will be decisive for companies to avoid fines and remain competitive in the evolving data-driven economy of the EU.

In order to comply with EU data protection law in the future, manufacturers must ensure that their products and related services are accessible to customers and that the data generated by the products and they way the data is used are transparent. In addition, they must design their products in such a way that customers can access the data and share it with third parties.³

Cyber Resilience Act (CRA)

What is the Cyber Resilience Act?

The European Cyber Resilience Act (CRA) is a proposal for a legal framework to lay down cybersecurity requirements for hardware and software products offered on the market in the European Union. It is intended to ensure that manufacturers take security seriously throughout the entire life cycle of a product and create conditions that enable users to take cybersecurity in consideration when choosing and using products with digital elements.⁴
When does the Cyber Resilience Act come into force?

The Cyber Resilience Act (CRA) was passed in October 2024. Publication of the legal text in the Official Journal of the European Union is imminent (as of November 2024). The CRA will officially come into force 20 days after this publication. The requirements will then be phased in so that all new products will have to comply with the CRA requirements by the end of 2027 at the latest.⁴
Which products are affected by the CRA?

All digital products sold in the EU from the end of 2027 must comply with the CRA requirements. There are exceptions for medical devices, vehicles, civil aviation and national security products, as well as free open source software.

The Cyber Resilience Act is a groundbreaking step in EU legislation, representing the world’s first draft law focused specifically on the cybersecurity of products with digital elements, particularly in IoT. Although still in draft form, this regulation aims to establish minimum standards and require continuous updates to enhance cybersecurity and protect digital products, including IoT devices.

Focus on security-by-design

At the core of the CRA is the “secure-by-design” approach. This means that manufacturers need to integrate cybersecurity measures from the earliest stages of product development. Cybersecurity isn’t an afterthought – it’s woven into every phase, from development through the product’s entire lifecycle. The goal? To create products that are secure from the outset, rather than relying on later-added security measures.

Manufacturer responsibility over the entire life cycle

The CRA shifts the responsibility for digital product cybersecurity directly onto businesses, especially manufacturers. This involves embedding cybersecurity throughout the product development and software lifecycle. It also includes documenting potential risks, continually monitoring vulnerabilities, and quickly responding to security incidents as they arise.

Specific security requirements for IoT devices

To protect personal and financial data, the CRA sets out specific security requirements for IoT devices. Basic requirements include banning the use of standard and weak passwords, ensuring software update support, regularly checking for security vulnerabilities, and safeguarding stored personal and financial data. Additionally, consumers are granted the right to manage and delete their data.

Product categories and assessment procedures

The draft law proposes classifying products into two categories: critical and non-critical. Critical products will require third-party assessments, while non-critical products only need the manufacturer to self-certify compliance with the act. This differentiation ensures that higher-risk products undergo more rigorous testing.

What does the Cyber Resilience Act mean for mechanical engineering companies as well as component and device manufacturers?

For component and device manufacturers, the CRA introduces a significant shift in how they develop and market digital products. It mandates improving the security of products with digital components from the design and development stages through the entire lifecycle, covering hardware and software updates as well as new product versions. Beyond that, it creates a unified cybersecurity framework, increases transparency of product security features, and enables both businesses and consumers to safely use products with digital elements.

Non-compliance with the act’s requirements could lead to substantial penalties of up to €15 million or 2.5% of annual revenue.⁷

Network and Information Security Directive (NIS2)

What is NIS2?

The NIS2 directive is an EU-wide piece of legislation that provides legal measures to improve the overall level of cybersecurity in the EU by ensuring readiness and cooperation between member states and requiring the most important players in key industries to implement security measures and report incidents.⁸
When does NIS2 come into force?

In Germany, the national NIS2 Implementation Act is expected to come into force by March 2025. The law was presented as a cabinet draft in July 2024 and is still undergoing the federal legislative process. Across other European countries, NIS2 implementation timelines and legislative procedures vary, with each member state working to incorporate the directive into their national law, typically by early 2025. Specific dates may differ depending on each country's legislative processes.
Which products are affected by NIS2?

The NIS 2 Directive affects operators of critical infrastructures such as the energy, transport, water and healthcare sectors as well as digital infrastructures. Providers of digital services, public administrations and important supply chains are also covered by the regulation. It applies to companies with at least 50 employees and an annual turnover of at least 10 million euros.

The NIS2 directive defines a broad scope of application that covers various sectors. Manufacturers of components and devices as well as mechanical engineering companies must deal with NIS2 in particular if their products are considered critical or important within the meaning of the directive. This will significantly expand the scope compared to the existing NIS. This includes classification of the type of institution as “essential” and “important” as well as the size and revenue of the company. This can be the case if they have valuable data that makes them attractive targets for cyber attacks. The use of networked IoT devices represents an increased risk of attack.

NIS2 security checks and monitoring

NIS2 relies on comprehensive implementation of security checks to minimize the risk of cyber attacks. This includes the implementation of holistic and stringent security measures as well as increased monitoring. The directive places great emphasis on identifying vulnerabilities, strengthening security, maintaining vigilance, and preventing cyber damages to systems and data.

What does NIS2 mean for mechanical engineering companies as well as manufacturers of components and devices in critical infrastructures?

Prioritizing supply chain security: Manufacturers must assess the security of their supply chain and mitigate risks. This includes measures to secure suppliers, partners and contractors.
Focus on risk management: Manufacturers who are classified as “important” must introduce mandatory risk management processes. This may require investment in new tools and additional specialist staff.
Increased collaboration with IT service providers: To meet NIS2 requirements, manufacturing companies must work more closely with IT service providers. This can lead to higher costs and changes in business models.⁹

Companies in critical infrastructures in particular need to take NIS2 compliance seriously. Failure to comply may result in significant fines, which can amount to EUR 10 million or 2% of revenue.

International series of standards on cyber security for industrial communications networks and systems (IEC 62443)

What is IEC 2443?

IEC 62443 is an international series of standards that deals with cyber security for industrial technology in automation and control systems. It contains guidelines for securing industrial control systems (ICS) and operational technology (OT) networks and was originally developed for the industrial process industry, but is now applicable to a wide range of industries. The standards take a risk-based approach to cybersecurity and provide a framework for systematically evaluating, mitigating, and managing cybersecurity risks in industrial automation and control systems to ensure the reliability and security of critical industrial processes and infrastructure.¹⁰
When does IEC 62443 come into force?

The IEC 62443 series of standards has been developed over time and the individual sections have been published and introduced step by step at different times. For example, the IEC 62443-4-1 standard, which sets process requirements for the safe development of products for industrial automation and control systems (IACS), was published in February 2018.

What does IEC 62443 mean for component and device manufacturers?

IEC 62443 is an important guideline for manufacturers in the field of industrial automation to meet growing cybersecurity challenges. The integration of effective risk management, the implementation of secure development practices from the start, and the possibility of product certification and supply chain protection are key aspects that help manufacturers offer the highest quality and security products. Lifecycle management in accordance with IEC 62443 ensures that products meet the highest security standards not only when they are launched but throughout their life cycle. Overall, the standard provides manufacturers with a clear structure and guideline to make their products resistant to cyber attacks and ensure the integrity of industrial automation systems.

IEC 62443 is divided into four parts:

General: The first part describes the basic nomenclature, concepts, models and guidelines that apply to the complete series of standards.
Policies and Procedures: The second part focuses on methods and processes related to IEC security. The requirements for security training for various roles in the industry, such as operators, integrators and service providers, are defined here.
System: The third part deals specifically with the assessment of security risks for system design and risk management and provides a systematic approach for preventing and managing security risks in industrial automation and control systems.
Component and system requirements: This last part describes the detailed requirements for secure product development and the security-related features of IEC components.¹²

3 tips for component and device manufacturers to meet these safety standards

Building Security into Development from Day One

Security isn’t just a box to check; it’s the foundation for reliable development. By embedding security in every stage of your design and development, you catch potential risks early. The IEC 62443 standard, especially Part 4-1, “Secure Product Development Lifecycle Requirements,” is key for this approach. This standard guides secure practices in both hardware and software development and applies to both new and existing products.

Empower Your Team Through Ongoing Training

Regular training sessions keep your team up-to-date on the latest security practices and technologies. Encouraging cross-functional teamwork boosts awareness and helps your team stay proactive in addressing threats.

Simplify Security with an IoT Device Management Solution

With the KontronGrid IoT device management solution, you can monitor devices worldwide within a secure, cloud-based edge environment. Using Oracle Cloud Infrastructure (OCI), our solution aligns with the rigorous cloud security standards set by the C5 catalog from Germany’s Federal Office for Information Security. Published in 2016, the C5 standard is now a benchmark for both national and international cloud suppliers, supporting companies in meeting compliance and regulatory needs with high security and reliability.

Security as a Competitive Edge in the IoT Market

As the European Commission sets new security standards for IoT, security has become a defining factor for manufacturers, operators, and integrators. Companies that prioritize compliance and integrate security standards into their development processes not only meet legal requirements but also build customer trust.

The future of IoT belongs to those who see security as an opportunity, not an obstacle. The latest regulations catalyze a more secure, resilient IoT landscape. Embracing these standards is more than compliance—it’s a pathway to long-term success in our interconnected world.

Contact us

Let's talk about how IoT device management can help you with compliance!

¹ https://www.consilium.europa.eu/en/press/press-releases/2023/11/27/data-act-council-adopts-new-law-on-fair-access-to-and-use-of-data/; 09.01.2024

²ec.europa.eu/commission/presscorner/detail/en/ip_23_3491 ; 09.01.2024

³https://www.eu-data-act.com/; 09.01.2024

⁴https://www.european-cyber-resilience-act.com/; 09.01.2024

⁵https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6168 ; 09.01.2024

⁶www.lexology.com/library/detail.aspx ; 09.01.2024

⁷ https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-factsheet ; 09.01.2024

⁸https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf ; 09.01.2024

⁹https://nis2directive.eu/nis2-release-date/; 09.01.2024

¹⁰https://nis2directive.eu/manufacturing/; 09.01.2024

¹¹ https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards ; 09.01.2024

¹²www.iec.ch/blog/understanding-iec-62443 ; 09.01.2024