whitepaper
Navigating Europe’s Digital Regulatory Landscape: Cyber Resilience Act, NIS2, and the EU Data Act
Executive Summary
Europe’s regulatory environment for connected products and industrial data is evolving rapidly. Three key regulations, the Cyber Resilience Act (CRA), NIS2, and the EU Data Act, are reshaping how manufacturers design, secure, and manage connected devices and the data they generate.
- Cyber Resilience Act (CRA): Requires products with digital elements to be secure by design, continuously monitored for vulnerabilities, and capable of safe updates. Non-compliance risks fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, along with potential removal from the EU market.
- NIS2 Directive: Mandates strong cybersecurity resilience across operations, rapid incident reporting, robust supply chain risk management, and executive accountability for lapses.
- EU Data Act: Governs access, sharing, and portability of industrial data, compelling manufacturers to provide user access, enable third-party sharing, and implement technical and contractual safeguards while protecting trade secrets.
These regulations bring operational and compliance challenges, but also strategic opportunities. Manufacturers who integrate regulatory readiness into product design, operations, and customer engagement can strengthen trust, unlock data-driven innovation, and differentiate in the marketplace. Moreover, platforms like Cumulocity enable seamless compliance, embedding security, data governance, and incident management directly into daily operations.
Introduction: The Evolving European Digital Framework
Connected equipment is now ubiquitous, from factory automation and medical devices to building management systems and energy grids. Connectivity brings efficiency, predictive insights, and automation, but also introduces risks: expanded attack surfaces, complex data flows, and heightened regulatory scrutiny.
Europe’s regulatory approach is harmonized around three complementary pillars: the CRA, the EU Data Act, and NIS2.
For manufacturers operating in Europe, compliance with these pillars is mandatory. Proactive adoption, however, turns regulatory obligations into a foundation for operational resilience, customer trust, and competitive advantage. Integrating these rules early in product and service design can also streamline operations, reduce risk, and prepare manufacturers for future regulations.
Regulation Snapshots
Cyber Resilience Act (CRA)
Scope & Objectives: The CRA applies to all products with digital elements, including embedded software, IoT devices, and industrial machinery. Its primary goal is to ensure security by design and secure product lifecycles, shifting responsibility for cybersecurity firmly onto manufacturers.
Key Obligations:
- Embed secure-by-default configurations, including strong authentication, encrypted communications, tamper resistance, and secure boot mechanisms
- Implement vulnerability management programs across first-party, third-party, and open-source components
- Establish coordinated vulnerability disclosure (CVD) policies for proactive reporting of weaknesses
- Conduct conformity assessments; self-assessment is allowed for the default product category, while important products in the higher-risk class require third-party assessment and critical products require certification under an EU cybersecurity certification scheme where one applies
- Maintain a support period of at least five years (or the expected product lifetime, if shorter), ensuring ongoing security updates
Timelines & Enforcement:
- Entered into force: Dec 2024
- Reporting obligations for actively exploited vulnerabilities and severe incidents apply (early warning within 24 hours, notification within 72 hours, final report within 14 days): Sept 2026
- Full compliance mandatory: Dec 2027
Penalties: Fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, with potential market withdrawal.
Implications for Manufacturers: Compliance affects R&D, supply chains, and post-market support, requiring security integration into development, supply chain risk assessments, and customer-facing updates. Early adopters can differentiate through secure, reliable products and enhanced customer trust.
Example Scenario: A manufacturer producing smart industrial sensors must track all software libraries, deploy secure updates automatically, and maintain audit trails of vulnerabilities. Platforms like Cumulocity enable fleet-wide monitoring, automated updates, and reporting, reducing manual effort and compliance risk.
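The scenario above turns on two mechanical tasks: knowing every component in the product (first-party, third-party and open-source alike) and checking those components against vulnerability advisories on a schedule, keeping a record of each check. The script below is an added example, not code from this white paper or from Cumulocity, showing one way to do that against a CycloneDX-style SBOM. The component names, versions, the "origin" property and the EXAMPLE-prefixed advisories are all constructed placeholders; they are not real products or real CVE records.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed and keep an audit record.

Constructed example: component names, versions, the "origin" property and the
EXAMPLE- advisory IDs are illustrative placeholders, not real products or CVEs.
"""
import json
from datetime import datetime, timezone

# Constructed SBOM fragment in CycloneDX 1.5 JSON layout. "origin" is a
# hypothetical property used here to tag first-party, third-party and
# open-source components; the last component deliberately lacks it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "sensor-firmware", "version": "2.4.1",
     "properties": [{"name": "origin", "value": "first-party"}]},
    {"type": "library", "name": "tls-lib", "version": "3.0.7",
     "purl": "pkg:generic/tls-lib@3.0.7",
     "properties": [{"name": "origin", "value": "open-source"}]},
    {"type": "library", "name": "mqtt-client", "version": "1.9.0",
     "purl": "pkg:generic/mqtt-client@1.9.0",
     "properties": [{"name": "origin", "value": "third-party"}]},
    {"type": "library", "name": "crypto-accel-driver", "version": "0.8.2"}
  ]
}
"""

# Constructed advisories. Affected ranges are half-open: [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "tls-lib", "introduced": "3.0.0", "fixed": "3.0.8", "severity": "high"},
    {"id": "EXAMPLE-0002", "component": "mqtt-client", "introduced": "1.0.0", "fixed": "1.8.0", "severity": "medium"},
    {"id": "EXAMPLE-0003", "component": "tls-lib", "introduced": "3.1.0", "fixed": "3.1.2", "severity": "low"},
]

SEVERITY_ORDER = ["none", "low", "medium", "high"]


def parse_version(text):
    """'3.0.7' -> (3, 0, 7). Non-numeric segments compare as 0 so comparisons never raise."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Flatten the SBOM into name / version / origin records."""
    bom = json.loads(sbom_json)
    comps = []
    for c in bom.get("components", []):
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        comps.append({"name": c["name"], "version": c["version"],
                      "origin": props.get("origin", "unknown")})
    return comps


def coverage_gaps(sbom_json):
    """Components with no origin tag: the SBOM cannot show who is responsible for patching them."""
    return [c["name"] for c in load_components(sbom_json) if c["origin"] == "unknown"]


def scan(sbom_json, advisories):
    """One finding per (component, advisory) pair whose installed version is in the affected range."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "installed": comp["version"],
                    "origin": comp["origin"],
                    "severity": adv["severity"],
                    "remediation": f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fix available",
                })
    return findings


def audit_record(sbom_json, advisories, scanned_at=None):
    """Evidence entry to retain: when the scan ran, what it covered, what it found, what is untracked."""
    scanned_at = scanned_at or datetime.now(timezone.utc)
    findings = scan(sbom_json, advisories)
    return {
        "scanned_at": scanned_at.isoformat(),
        "components": len(load_components(sbom_json)),
        "findings": findings,
        "untracked_components": coverage_gaps(sbom_json),
        "highest_severity": max((f["severity"] for f in findings), default="none",
                                key=SEVERITY_ORDER.index),
    }


if __name__ == "__main__":
    print(json.dumps(audit_record(SBOM_JSON, ADVISORIES), indent=2))
```

Run on the constructed SBOM, the scan reports one finding (tls-lib 3.0.7 falls inside the EXAMPLE-0001 range and is remediated by 3.0.8), mqtt-client 1.9.0 is already past its fixed version, and crypto-accel-driver is flagged as untracked because nobody has recorded who supplies it. The half-open range check is the detail practitioners most often get wrong: the fixed version itself must not be reported as affected.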
Read the full CRA white paper.
EU Data Act
Scope & Objectives: The EU Data Act applies to any connected product or service generating data in Europe. Its objectives include:
- Unlocking industrial data for broader reuse
- Empowering users to control and port their data
- Preventing lock-in through service unbundling
- Protecting trade secrets while encouraging transparency
Key Obligations:
- Ensure user access to data by default or upon simple request without undue delay
- Facilitate third-party data sharing securely, allowing operators or service providers controlled access to device-generated data
- Support service unbundling, letting users separate hardware from value-added services
- Implement data classification and trade secret policies, documenting refusals where disclosure could cause economic harm
- Maintain audit trails and secure APIs to support compliance and transparency
Timelines:
- Regulation in force: Jan 2024
- General applicability: Sept 2025
- Design-for-accessibility obligations (data accessible by default) for products placed on the market: Sept 2026
Opportunities for Manufacturers: The Data Act opens avenues for innovation and monetization:
- Monetize value-added services while maintaining baseline data access
- Develop a third-party ecosystem to foster innovation
- Enhance customer trust through transparent, user-centric practices
Example Scenario: A factory deploying smart robotics must allow operators to export operational data to third-party analytics services seamlessly. Cumulocity provides secure APIs, role-based access, and audit logs, enabling compliance while unlocking insights and service opportunities.
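The obligations listed above (user access, controlled third-party sharing, documented trade-secret refusals, audit trails) combine into a single access decision on every data request. The following Python gateway is an added example written for this page, not Cumulocity's API or code; the field classification, robot telemetry, grants and requester names are all constructed. It assumes a per-field classification, a record of which user each product's data belongs to, user-issued sharing grants with expiry dates, and a list of parties that have agreed the protective measures required before trade-secret fields are disclosed.

```python
"""Data Act style access gateway (constructed example).

Classifies each telemetry field, honours the user's sharing grants, withholds
trade-secret fields unless protective measures have been agreed, and writes one
audit entry per decision. All names and records here are hypothetical.
"""
from datetime import datetime, timezone

# Classification per field: "user_data" is product/usage data the user may access
# and share; "trade_secret" is manufacturer know-how disclosed only under agreed measures.
FIELD_CLASS = {
    "robot_id": "user_data", "ts": "user_data", "cycle_count": "user_data",
    "joint_torque_nm": "user_data", "error_code": "user_data",
    "planner_tuning": "trade_secret",
}

# Constructed telemetry, keyed by robot.
TELEMETRY = {
    "R-100": {"robot_id": "R-100", "ts": "2025-09-12T08:00:00Z", "cycle_count": 4821,
              "joint_torque_nm": [12.1, 9.8, 7.4], "error_code": None,
              "planner_tuning": {"k_p": 0.42, "k_d": 0.05}},
}

OWNERS = {"R-100": "user:acme-factory"}  # the user whose use of the product generated the data

# Grants the user has issued to third parties (hypothetical identifiers).
GRANTS = [
    {"user": "user:acme-factory", "to": "svc:analytics-co", "robot": "R-100",
     "fields": ["robot_id", "ts", "cycle_count", "error_code"],
     "expires": datetime(2025, 12, 31, tzinfo=timezone.utc)},
]

# Parties that have signed the protective measures (e.g. an NDA) required for trade secrets.
PROTECTIVE_MEASURES_AGREED = {"svc:maintenance-partner"}

AUDIT_LOG = []


def _grant_for(requester, robot, now, grants):
    """Return the first unexpired grant covering this requester and product, else None."""
    for g in grants:
        if g["to"] == requester and g["robot"] == robot and g["expires"] > now:
            return g
    return None


def request_data(requester, robot, fields, now, grants=GRANTS):
    """Decide field by field; return {"granted": {...}, "refused": {field: reason}} and log it."""
    granted, refused = {}, {}
    record = TELEMETRY.get(robot)
    if record is None:
        refused["*"] = "unknown product"
    else:
        is_user = OWNERS.get(robot) == requester
        grant = None if is_user else _grant_for(requester, robot, now, grants)
        for f in fields:
            cls = FIELD_CLASS.get(f)
            if cls is None:
                refused[f] = "unknown field"
            elif not is_user and grant is None:
                refused[f] = "no valid user grant for this requester"
            elif not is_user and f not in grant["fields"]:
                refused[f] = "field not covered by the user's grant"
            elif cls == "trade_secret" and requester not in PROTECTIVE_MEASURES_AGREED:
                # Refusal must be documented: the audit entry below is that record.
                refused[f] = "trade secret: protective measures not agreed"
            else:
                granted[f] = record[f]
    AUDIT_LOG.append({"at": now.isoformat(), "requester": requester, "robot": robot,
                      "requested": list(fields), "granted": sorted(granted), "refused": dict(refused)})
    return {"granted": granted, "refused": refused}


def documented_refusals():
    """Audit entries that contain a trade-secret refusal, the record a regulator may ask to see."""
    return [e for e in AUDIT_LOG
            if any(r.startswith("trade secret") for r in e["refused"].values())]


if __name__ == "__main__":
    now = datetime(2025, 9, 15, tzinfo=timezone.utc)
    print(request_data("user:acme-factory", "R-100", ["cycle_count", "planner_tuning"], now))
    print(request_data("svc:analytics-co", "R-100", ["cycle_count", "joint_torque_nm"], now))
    print(documented_refusals())
```

Two design choices matter here. Access is decided per field rather than per record, so a single request can be partly served and partly refused, and the refusal reason travels with the audit entry, which is what turns a trade-secret refusal into the documented refusal the Data Act expects. The grant check is also time-bounded, so revocation and expiry work without touching the data store.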
Read the full EU Data Act white paper.
NIS2 Directive
Scope & Objectives: NIS2 extends cybersecurity obligations to essential and important entities in the sectors it lists, which include manufacturers established in the EU in areas such as machinery, electronic products and medical devices. Its goals include:
- Strengthen cybersecurity resilience across critical sectors
- Mandate rapid incident reporting: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month
- Enforce supply chain risk management and executive accountability
Key Obligations:
- Detect, assess, and report significant cybersecurity incidents promptly
- Maintain oversight of suppliers and partners, embedding security requirements in contracts
- Conduct continuous audits, risk assessments, and staff training to embed security into operations
- Ensure executive accountability, with board-level oversight and personal liability for negligence
Timelines & Enforcement:
- In force: Jan 2023; Member States had to transpose it into national law by Oct 2024
- Enforcement underway; fines up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever is higher
Example Scenario: A manufacturer with globally deployed smart meters must detect anomalies in real time. Using Cumulocity, operators monitor device status, deploy patches over the air, and automatically log incidents, ensuring rapid regulatory reporting and executive oversight.
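The smart-meter scenario depends on two things a platform alone does not decide: the detection rule that turns device telemetry into an alert, and the reporting clock that starts the moment the operator becomes aware of a significant incident. The script below is an added example for this page, not Cumulocity code; the log lines, meter identifiers, thresholds and the 203.0.113.5 source address (a documentation range) are constructed. It applies two simple rules to a stream of events (repeated authentication failures within a sliding window, and a meter that stops sending heartbeats) and then opens an incident record carrying the NIS2 Article 23 deadlines for early warning, notification and final report.

```python
"""Anomaly detection over constructed smart-meter telemetry plus a NIS2 reporting clock.

Log lines, meter IDs, thresholds and the source address are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed event log: one meter is brute-forced, the other goes silent.
LOG_LINES = """
2025-03-01T10:00:00Z meter=M-001 event=heartbeat
2025-03-01T10:00:00Z meter=M-002 event=heartbeat
2025-03-01T10:01:10Z meter=M-001 event=auth_fail src=203.0.113.5
2025-03-01T10:01:12Z meter=M-001 event=auth_fail src=203.0.113.5
2025-03-01T10:01:15Z meter=M-001 event=auth_fail src=203.0.113.5
2025-03-01T10:01:19Z meter=M-001 event=auth_fail src=203.0.113.5
2025-03-01T10:01:23Z meter=M-001 event=auth_fail src=203.0.113.5
2025-03-01T10:05:00Z meter=M-001 event=heartbeat
2025-03-01T10:10:00Z meter=M-001 event=heartbeat
2025-03-01T10:15:00Z meter=M-001 event=heartbeat
2025-03-01T10:20:00Z meter=M-001 event=heartbeat
2025-03-01T10:25:00Z meter=M-001 event=heartbeat
""".strip().splitlines()

AUTH_FAIL_THRESHOLD = 5                  # failures per meter within the window
AUTH_FAIL_WINDOW = timedelta(minutes=10)
HEARTBEAT_TIMEOUT = timedelta(minutes=15)


def parse_line(line):
    """'<ISO-8601 Z> key=value ...' -> dict with a timezone-aware 'ts'."""
    ts_text, *kv = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for item in kv:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


def detect(lines):
    """Sliding-window brute-force detection plus silent-device detection."""
    recs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    windows = defaultdict(deque)   # meter -> timestamps of recent auth failures
    last_heartbeat = {}
    alerts, alerted = [], set()
    for r in recs:
        m = r["meter"]
        if r["event"] == "heartbeat":
            last_heartbeat[m] = r["ts"]
        elif r["event"] == "auth_fail":
            w = windows[m]
            w.append(r["ts"])
            while w and r["ts"] - w[0] > AUTH_FAIL_WINDOW:
                w.popleft()            # drop failures that fell out of the window
            if len(w) >= AUTH_FAIL_THRESHOLD and m not in alerted:
                alerted.add(m)         # one alert per meter, not one per extra failure
                alerts.append({"meter": m, "kind": "auth_brute_force", "at": r["ts"],
                               "src": r.get("src"), "count": len(w)})
    end = recs[-1]["ts"]
    for m, ts in last_heartbeat.items():
        if end - ts > HEARTBEAT_TIMEOUT:
            alerts.append({"meter": m, "kind": "device_silent", "at": end, "silent_for": end - ts})
    return alerts


def open_incident(alert, significant=True):
    """Incident record with the NIS2 Art. 23(4) clock: early warning 24 h and notification
    72 h after becoming aware, final report no later than one month after the notification
    (30 days used here). Whether the incident is 'significant' is a judgement under Art. 23(3)
    and is passed in rather than inferred."""
    aware = alert["at"]
    notification_due = aware + timedelta(hours=72)
    return {
        "meter": alert["meter"],
        "kind": alert["kind"],
        "significant": significant,
        "aware_at": aware.isoformat(),
        "early_warning_due": (aware + timedelta(hours=24)).isoformat(),
        "notification_due": notification_due.isoformat(),
        "final_report_due": (notification_due + timedelta(days=30)).isoformat(),
    }


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(open_incident(a))
```

On the constructed log the detector raises exactly two alerts: M-001 for five authentication failures inside ten minutes, and M-002 for 25 minutes without a heartbeat. Deduplicating per meter keeps a sustained attack from flooding the incident queue, and recording the awareness timestamp on the alert is what makes the 24-hour and 72-hour deadlines auditable later.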
Read the full NIS2 white paper.
Common Themes & Intersections
Across CRA, the EU Data Act, and NIS2, several recurring themes define the regulatory landscape.
Security & Resilience by Design: CRA embeds security into the product lifecycle; NIS2 extends it across operations; the Data Act ensures data access occurs securely. Together, these regulations indicate that cybersecurity and data governance are core to product and operational strategy. Manufacturers should see this as a chance to standardize security and monitoring processes across products and services, embedding resilience into everyday operations.
Supply Chain Accountability: Manufacturers must secure their own systems and manage risks from third-party components and services. This includes monitoring open-source libraries (CRA), enabling controlled data access (Data Act), and overseeing supplier cybersecurity practices (NIS2). Continuous oversight and robust partner agreements are essential because compliance is only as strong as the weakest link.
Transparency & Data Governance: Users, regulators, and third parties expect visibility into how devices collect, store, and share data. Clear classification frameworks, audit trails, and role-based access controls balance openness with protection of trade secrets and sensitive information. Implementing these controls early in the product lifecycle also reduces the risk of compliance gaps and simplifies audits.
Executive & Cross-Functional Accountability: NIS2 introduces personal liability for executives, while CRA and the EU Data Act require close coordination across IT, compliance, legal, and product teams. Compliance is therefore a strategic responsibility embedded at every organizational level, requiring governance, training, and clear reporting lines.
Challenges for Equipment Manufacturers
Manufacturers face several practical hurdles in navigating CRA, the EU Data Act, and NIS2. Overlapping obligations across cybersecurity, data access, and incident reporting create operational complexity. Many organizations rely on legacy systems that need upgrades to support secure updates, data portability, and end-to-end supply chain visibility. Coordinating cross-functional teams (including IT, product development, legal, and compliance) adds another layer of challenge, particularly when responsibilities span multiple regions and regulatory jurisdictions.
Maintaining detailed audit trails, documentation, and evidence for regulatory reporting adds further operational overhead. Manufacturers must track software changes, device configurations, and third-party access while ensuring seamless ongoing operations.
Despite these challenges, organizations that adopt a holistic, strategic approach can transform regulatory demands into opportunities for operational improvement, risk reduction, and enhanced customer trust.
Opportunities & Benefits
Compliance can deliver tangible advantages when approached strategically. Embedding security and resilience into products and operations reduces the likelihood of breaches, recalls, and costly downtime, strengthening both operational stability and brand reputation. Transparent data access and governance policies foster trust with users and enable collaboration with third-party service providers.
Additional benefits include:
- Data-driven innovation: Secure, controlled data sharing supports new analytics services, predictive maintenance, and ecosystem partnerships.
- Customer trust and engagement: Open, user-centric approaches enhance relationships and encourage adoption of digital services.
- Market differentiation: Early adoption positions manufacturers as leaders in security, compliance, and operational excellence.
By integrating regulatory requirements into operations and product design, compliance becomes a foundation for growth and innovation rather than a cost or burden.
Strategic Recommendations
A cohesive approach is essential for successfully navigating CRA, the EU Data Act, and NIS2. Manufacturers should start by auditing their connected product portfolios to identify in-scope products and the data they generate. Evaluating device management, software update pipelines, and data-sharing infrastructure helps to identify compliance gaps.
Strengthening supply chain oversight is equally important. Organizations should maintain SBOMs, continuously monitor third-party risk, and incorporate security clauses into contracts. Policies and governance frameworks (including executive accountability, data classification, and trade secret protection) must be updated to align with regulatory obligations.
Technology enables operationalization of these strategies. Platforms like Cumulocity embed security, data governance, and incident management directly into daily workflows, transforming compliance from a manual effort into a proactive capability. This blended approach ensures compliance is operationalized, not siloed, providing both regulatory assurance and operational efficiency.
How Cumulocity Helps Manufacturers Meet Regulation Requirements
Cumulocity offers an integrated platform to support compliance across CRA, the EU Data Act, and NIS2, while enhancing operational efficiency. Key capabilities include:
- Device & Data Visibility: Track device status, SBOMs, and data flows across fleets.
- Secure Updates & Incident Response: Automate OTA updates with rollback support and real-time alerting.
- Supply Chain & Ecosystem Management: Partner whitelisting, credential management, and role-based third-party access control.
- Compliance Documentation & Audit Support: Maintain audit trails, generate reports, and simplify conformity assessments.
Manufacturers can leverage Cumulocity for real-world use cases such as deploying updates across thousands of devices, enabling secure third-party access to device-generated data, and detecting anomalies in real-time with regulatory-compliant incident reporting.
By combining technology with governance and operational processes, manufacturers can reduce manual compliance effort, mitigate risk, and turn regulatory obligations into strategic advantages.
Take the Next Step
Regulatory readiness begins with visibility, control, and proactive engagement. Manufacturers should:
Engage Experts: Map current operations against CRA, Data Act, and NIS2 requirements.
Leverage Technology: Implement secure device management, automated compliance workflows, and data governance via Cumulocity IoT.
Access Resources: Explore the full white papers for deeper guidance:
Cyber Resilience Act - High Level Explainer
Cyber Resilience Act - Deep Dive
EU Data Act - High Level Explainer
NIS2 Directive - High Level Explainer
NIS2 Directive - Deep Dive
Compliance is more than avoiding fines; it is an opportunity to build trust, enhance operational excellence, and achieve market leadership. Manufacturers that act now are better positioned to meet regulatory obligations, innovate confidently, and differentiate themselves in a competitive landscape.