NIS2 and the Cyber Resilience Act: What IoT Operators Must Do Before the Deadlines
- Last Updated: July 17, 2026
IXT
- Last Updated: July 17, 2026



Two pieces of EU law now govern how connected devices are built and operated. NIS2 (Directive EU 2022/2555) requires organizations in sectors the EU treats as important to society to put specific security measures in place and to report significant incidents on a 24-hour, 72-hour, and one-month timeline.
The Cyber Resilience Act (Regulation EU 2024/2847) requires manufacturers of connected products to make them secure by design and keep them secure across their supported life. NIS2 is in force.
The CRA's first hard deadline, vulnerability and incident reporting, lands on 11 September 2026, and it reaches products already in the field. Full CRA requirements follow on 11 December 2027. No single product makes you compliant with either. The work is yours, and the time to start is now.
If your organization runs connected devices, you have a compliance footprint whether you have mapped it or not. Your fleet routes data across cellular networks. It connects field equipment to back-end systems. It gives third-party service technicians remote access to machines in places your security team never visits. Each of those activities now sits inside the scope of EU law, and the accountability runs to the top of the organization.
For decision-makers, this is no longer a question for the security team alone. NIS2 makes management bodies personally responsible for approving and overseeing security measures. The fines reach 10 million euros or 2 percent of global turnover. The reporting clocks are short. And the second of the two laws, the Cyber Resilience Act, carries a deadline most teams have not planned for.
"Security is not a feature. It is a foundation."
Henning Solberg, CTO and co-founder, IXT
NIS2 applies to essential entities across 18 sectors, from energy and water to manufacturing and digital infrastructure. It sets out ten minimum security measures under Article 21. The measures are outcomes, not products. The law tells you what to achieve, not which technology to buy. They cover risk analysis, incident handling, business continuity, supply chain security, access control, encryption, and multi-factor or continuous authentication, among others.
Article 23 sets the reporting timeline. When a significant incident occurs, you send an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month. Meeting those windows depends on one thing above all: knowing an incident has happened in the first place.
Two points raise the stakes for leadership. Article 20 holds management bodies accountable for cybersecurity risk management, which moves the obligation onto the board. And transposition runs through national law, so the exact scope, fines, and reporting routes vary by member state. If you operate across borders, you answer to more than one regime.
Where NIS2 governs how you operate, the Cyber Resilience Act governs what you put on the market. It applies to manufacturers of products with digital elements, meaning hardware and software designed to connect to other devices or networks. Gateways, sensors, controllers, routers, and the equipment behind them all fall inside its scope.
The CRA places three duties on manufacturers. Products have to be secure by design and free of known exploitable weaknesses, with a path for security updates across the supported life. Manufacturers need a documented process for receiving and fixing reported vulnerabilities. And from 11 September 2026, they have to report actively exploited vulnerabilities and severe incidents to ENISA and their national authority within 24 hours, with a fuller report to follow.
Most teams have pinned their planning to 11 December 2027, the date full requirements and CE marking apply. The earlier date is the one to watch. The September 2026 reporting obligation reaches products already placed on the market, not only new ones. Penalties run to 15 million euros or 2.5 percent of global turnover.
Most IoT deployments still rely on a private APN or a VPN to keep traffic off the public internet. It helps. It is not enough for what these laws ask. A private APN does not segment devices from one another. It does not show you what a device communicates with. It does not limit what a contractor reaches once connected. And it does not produce the audit trail a regulator will ask to see.
The result is a familiar gap. You have connectivity, and you do not have visibility, control, or evidence. NIS2 asks for all three. The CRA asks you to prove them across a product's life.
The security model these regulations point toward, often called Zero Trust, rests on a few principles, and none of them depend on a particular vendor.
Read against Article 21, these principles line up with access control, segmentation, incident detection, supply chain access, and continuous authentication. They do not replace the parts of compliance only you own.
One caution. The mapping above is a working guide, not legal advice. Verify the specifics against your compliance team's reading of the national law in each country where you operate.
Article 21 requires essential entities to put appropriate security measures in place to manage risk to their network and information systems. It lists ten minimum measures and describes the outcome each has to achieve, rather than the technology to use.
The CRA entered into force on 10 December 2024. Vulnerability and incident reporting obligations apply from 11 September 2026 and reach products already on the market. Full requirements, including conformity assessment and CE marking, apply from 11 December 2027.
No. Both laws combine technical measures with documentation, governance, and processes you own. A security architecture helps you meet specific technical measures and produce evidence. It does not cover risk documentation, incident response planning, staff training, or supplier governance.
A private APN or VPN keeps traffic off the public internet. It does not segment devices, show what a device communicates with, restrict what a contractor reaches once connected, or produce an audit trail. The model these regulations point toward adds identity-based access, segmentation, real-time visibility, and recorded third-party sessions on top of the connection.
The Most Comprehensive IoT Newsletter for Enterprises
Showcasing the highest-quality content, resources, news, and insights from the world of the Internet of Things. Subscribe to remain informed and up-to-date.
New Podcast Episode

Related Articles