Industrial Cyber Security: Cyber security in manufacturing
Productivity rises when machines and systems go digital and get connected. So does the likelihood of cyber attacks. No wonder, then, that new products have to satisfy ever more stringent cyber security requirements. Long-term business success hinges on companies’ ability to guard against cyber threats. This is not just about complying with regulations such as the EU Cyber Resilience Act (CRA), EU NIS 2 and the Delegated Act of the Radio Equipment Directive (RED); it is also about protecting the resilience of your and your customers’ networks. Let us accompany you on this journey. Opt for a pragmatic security solution that suits your needs and is tailored to match your risks.
Connected systems – a challenge for cyber security in Industry 4.0
Espionage, sabotage, extortion, and even physical damage: connected systems and devices in industrial environments (IIoT) are increasingly exposed to cyber threats. Attacks can shut down entire production lines or render digital machinery unusable on a wide scale. The consequences: significant financial losses, massive reputational damage, and a sustained loss of trust from customers and partners. Many industrial companies are aware of the risks posed by cybercrime but underestimate the actual risk potential and their own vulnerability. Such false security assumptions can prove costly.
To decisively counter this growing threat and strengthen the resilience of the industrial sector, the EU has tightened its regulations. Three directives are particularly relevant for operators and manufacturers in the industrial sector: The NIS2 Directive, already transposed into national law in October 2024, sets new standards for network and information security. The Radio Equipment Directive (RED) is also already in force; however, the RED Delegated Act added mandatory requirements in August 2025. The Cyber Resilience Act (CRA), adopted in October 2024, will become binding from 2027 and transform the cybersecurity of digital products.
EU regulations CRA, NIS 2 and RED in detail
Designing and integrating CRA-compliant cyber security systems
The Cyber Resilience Act (CRA) aims to protect connected products from unauthorized access and manipulation throughout their lifecycle. It applies to manufacturers as well as suppliers and importers of products with digital elements that are sold in the EU. In the B2B sector, numerous components for industrial, environmental and energy technology are affected by this regulation, for example sensors, control systems, software and hardware products with a direct or indirect data connection to another device or network.
The CRA requires vendors of digital products destined for industrial use to assess, implement, and verify cyber security in a structured, risk-based manner at all stages of the value chain. That, in turn, requires a secure engineering process, comprehensible instructions, machine-readable software bills of materials (SBOMs), risk analytics, and vulnerability management throughout the lifecycle. If vendors’ offerings fall short of these requirements, the CE mark and thus the access to the European market will be denied. In addition, rectification, product recalls or fines may be imposed.
Do you make a product equipped with digital components? Then talk to us. We will be delighted to advise you on how to comply with the CRA in the best and most pragmatic of ways. We would be equally happy to handle the cyber security side of product engineering for you. Count on us to deliver results that satisfy regulatory provisions and comply with standards such as the internationally recognized IEC 62443.
NIS 2 – cyber security for hardened IT/OT operations
The NIS 2 directive is a broadened initiative to strengthen the security of networks and information systems within the European single market. Companies that operate in “essential and important facilities” in critical sectors such as mechanical engineering, energy, health, and food are subject to this directive. It can also apply to vendors of automation solutions, controllers, and sensors used by systems and machinery manufacturers.
NIS 2 requires a structured approach to cyber security for IT/OT operations and sets out measures to prevent or minimize the impact of security incidents. Companies that are subject to it must increase their protection against cyber attacks, comply with specific security standards, and keep their systems up to date.
Is your organization subject to the NIS 2 directive? We will gladly advise you on the best strategy and practices for complying with NIS 2 together with the national requirements and standards of ISO 27001. The first step is a cyber security check-up, for example, based on DIN SPEC 27076.
RED: Cyber security for connected radio devices
The EU RED Delegated Act for Cybersecurity (RED DA) applies to all manufacturers of products with radio interfaces (e.g. WiFi, Bluetooth, radar, …) or of products that have such interfaces permanently installed. The RED DA places additional requirements on the cyber security of these products.
According to RED, wirelessly networked machines such as control systems and robots in production must be adequately protected against hacker attacks, both for their own protection and to protect neighboring networks. In addition, there must be no operational interruptions due to cyber attacks. The new EN 18031 standard sheds light on what can be considered appropriate in this context. Radio products that have not been developed in compliance with RED may no longer receive CE labeling and therefore may no longer be marketed in the EU.
Do you fall under the RED DA? If so, we will be happy to advise you on how you can pragmatically implement the RED requirements.
In our article, we’ll share why more manufacturers are affected than expected, show how to demonstrate compliance with the RED DA directive and explain what matters most when implementing the key standard EN 18031.
Our cyber security services for your production – set up to tackle challenges in an efficient, pragmatic way
We consider your individual requirements, technical constraints and legacy processes – from cyber security strategy consulting, process and methodology consulting to cyber security risk assessment, concepts, software development and testing. Of course, we always take current regulations such as UNECE R155/R156, EU CRA, NIS2, RED, ISO/SAE 21434, IEC 62443 and TS 50701 into account.
Our consulting services empower you to proactively identify and mitigate security risks. Together, we craft a tailored security strategy that holistically safeguards your IT/OT infrastructure. From risk analysis and vulnerability management to supplier management – we support you every step of the way. With our hands-on approach, we implement a comprehensive security concept that boosts your resilience against cyber threats and attacks.
Our comprehensive cyber security engineering services help you implement robust security measures practically and efficiently. We start with a thorough risk assessment – identifying potential damage scenarios, modeling attack paths, and systematically uncovering vulnerabilities through detailed analyses. Based on these insights, we create a tailored security concept that outlines the necessary protective mechanisms. We then implement these requirements technically, building a reliable and resilient software foundation. To ensure long-term security, we continuously verify the effectiveness of these measures with cyber security tests.