InfoGuard Cyber Security and Cyber Defence Blog

CRA & NIS2: Opportunity or Upheaval for Swiss Exporters

Written by Markus Limacher | 10 Mar 2025

We look at Swiss exports, the products and services affected and the measures required to adapt to the new regulations - including an overview of the relevant categories of goods and specific recommendations for action.

Behind the scenes of the Cyber Resilience Act (CRA)

The CRA is an EU regulation that for the first time defines general cyber security standards for all products with digital elements. This also includes software products, IoT devices and digital industrial goods. The aim is to make the European market more secure and to protect products against cyber threats throughout their life cycle.

The most important aspects of the CRA are:

  • Companies must prove that their products are secure before they are marketed in the EU. This includes security assessments, tests and the provision of updates throughout the entire product life cycle.
  • Violations can be sanctioned with fines of up to €15 million or 2.5% of global turnover.
  • Swiss companies that export to the EU must fulfil these requirements if they are to retain market access.

Find out now if your company is CRA compliant in the marketplace. Find out where you fall short with a CRA Gap Analysis. In four steps, you can pave the way for your company's EU compliance and secure European market access for your cybersecure products.

CRA reporting obligations: timetable and specifications

The Cyber Resilience Act (CRA) was published in the Official Journal of the EU on 20 November 2024 and has been officially in force since 10 December 2024. Following a transitional period, the Regulation will take full effect from 11 December 2027 onwards, with specific reporting obligations for manufacturers already applying from 11 September 2026.

The specific reporting obligations are listed below based on their reporting period:

  • Early warning messages: Manufacturers must send an initial report to the relevant authorities within 24 hours of becoming aware of an actively exploited vulnerability or a serious security incident.
  • Detailed reports: A detailed report on the vulnerability must be submitted within 72 hours, including information on the nature of the vulnerability, affected products, countermeasures and recommendations for users.
  • Final reports: A final report with a complete description of the measures taken must be submitted no later than 14 days after countermeasures become available.

NIS2 in practice: Requirements, deadlines and national differences

The tightened NIS2 Directive expands the original NIS Directive and increases the requirements for cyber security in important and critical sectors.

The main aspects of the more stringent NIS2 requirements are:

  • Extended scope of application, i.e. NIS2 now also applies to digital services such as software development and digitalised healthcare products in addition to energy and transport.
  • Organisations must implement robust risk management, report security incidents within 24 hours and conduct regular audits.
  • Management is directly responsible for compliance.

The NIS2 Directive was adopted in December 2022 and was required to be transposed into national law by 18 October 2024. Some Member States have met this deadline, while others are still working on it.

It is important to note that the implementation of the NIS2 Directive is proceeding differently in the individual EU Member States and that the legislative processes are at different stages. Irrespective of this, companies should achieve conformity with the NIS2 requirements if they have not already done so.

NIS2 compliance – it couldn’t be easier

Use the NIS2 gap analysis to establish whether your company fulfils the minimum requirements. You will receive a transparent report showing any outstanding measures. How do you implement them? The NIS2 gap analysis also provides you with clear recommendations for action.

Swiss made and EU-compliant: goods that are affected!

Switzerland is one of the world’s leading exporters of high-tech products and services.

According to the Federal Statistical Office (FSO), exports include key technologies that are subject to special regulation under the CRA and NIS2:

  • Machines, apparatus and electronics: Intelligent control systems for production plants; sensors and IoT-enabled components for industrial applications; electronic control units for energy and building technology
  • Medical technology: Networked medical devices such as heart monitors and insulin pumps; laboratory equipment with digital controls
  • Precision instruments: Digital control systems for optical instruments; automated production instruments; chemical-pharmaceutical products; biotechnological production systems with digital monitoring components
  • IT and software solutions: Export of platforms for data analysis, cyber security software and cloud services; SaaS solutions for production optimisation and monitoring
  • Building digitisation and infrastructure: Services for the implementation of smart building systems; automated energy management tools
  • Industry-related services: Support in maintaining and securing production facilities; advice on cyber security requirements along the supply chain

These products and services reflect the most important Swiss export segments, as detailed in the FSO's export statistics for 2023.

Overview of the relevant measures for Swiss companies

  • Conformity analysis. Companies should check all products and services for compliance with regulatory requirements. This includes reviewing cyber security standards for IoT and IT products and ensuring that security gaps in digitalised industrial goods are eliminated.
  • Security by Design and certifications. Integration of security standards directly into the development process for new products. Using established certifications such as ISO/IEC 27001 to demonstrate compliance with CRA and NIS2.
  • Setting up risk management processes. Identify vulnerabilities in your products and systems on a regular basis. Develop clear protocols for dealing with cyber incidents. Use tools that continuously recognise threats and vulnerabilities.
  • Security updates and patch management. Establish a process for regular updates to close security gaps quickly. Use tools to manage software patches.
  • Adaptation of supply chains. Establish secure supply chains in which cyber security requirements are clearly defined for all players. Monitor third-party providers, especially in software development.
  • Awareness and further training. Organise regular training courses on cyber risks for employees. Establish internal centres of excellence for cyber security.
  • Proactive collaboration, analyses and discussions. Use industry-specific networks to obtain information on regulatory updates. Collaborate with EU partners to fulfil compliance requirements at an early stage.
  • Reporting obligations. Operate a vulnerability reporting system to send reports to the relevant authorities within the required timescales.

The ABC of recommended actions: From audits to certificates

  1. Carry out product audits: Check existing products and components for cyber security requirements.
  2. Integrate security features: Implement “Security by Design” in new products.
  3. Certify services: Obtain certificates such as ISO/IEC 27001 to demonstrate compliance with the requirements.
  4. Strengthen partnerships: Work closely with suppliers and customers to fulfil cyber security requirements along the supply chain.

With a proactive approach, Swiss companies can not only overcome regulatory hurdles, but also increase the demand for secure products and services.

Conclusion: Take advantage of CRA and NIS2 as an opportunity

The comprehensive requirements of the CRA and the NIS2 Directive affect a large number of exported Swiss products and services, particularly in the areas of digital industry and medical technology. Swiss companies should work towards compliance with both in order to secure their market position in the EU.

The requirements of the Cyber Resilience Act and the NIS2 Directive are complex, but also offer great opportunities. Companies that invest in cyber security at an early stage and adapt their processes will not only secure their market position, but also create trust among customers and partners. A CRA Gap Analysis identifies where your organisation falls short of the new EU standard and guides you through the 4 steps to becoming CRA compliant.

Interested in specific measures? We are able to provide support.

To help you meet your CRA requirements, InfoGuard has over 350 experts at your disposal, be it with our Risk Management & Compliance Services or 24/7 Cyber Defence & Incident Response Services from our ISO 27001-certified Cyber Defence Center (CDC) in Switzerland. Get in touch with us – our cyber security experts will be happy to help you.
