Industry

We are a manufacturing company. Do NIS2 and the new Cybersecurity Act apply to us?

Yes. If you are a manufacturing company, it is likely that the NIS2 directive and its Czech implementation (the new Cybersecurity Act) apply to you. These regulations target organizations operating critical or important infrastructure and may also affect manufacturers within key supply chains. We recommend conducting an assessment to determine whether your company falls under these rules and to prepare for any cybersecurity obligations.

Further information: NÚKIB Guide to the New Cybersecurity Act

Besides NIS2, it’s important to monitor other upcoming EU regulations that will significantly impact manufacturing firms:

RED: Effective August 1, 2025, the delegated act introduces cybersecurity requirements for all radio equipment connected directly or indirectly to the internet—ranging from industrial devices to consumer electronics.
Cyber Resilience Act (CRA): Effective December 11, 2027, with incident reporting obligations starting September 11, 2026. Applies to all products with digital elements and requires manufacturers to report major cybersecurity incidents and actively exploited vulnerabilities to ENISA or national authorities.

! Manufacturing companies should begin preparing for these regulations now—including assessing current products, implementing security measures, and ensuring compliance. Early preparation will help minimize risk and ensure a smooth transition to the new cybersecurity standards.

Which legislation and standards apply to the industry?

A variety of legislative frameworks and technical standards apply to both organizations and products:

Legislation:

NIS2 + new Cybersecurity Act – defines obligations for medium and large enterprises in key sectors (including manufacturing)
Cyber Resilience Act (CRA) – applies to all digital products placed on the EU market (including software, devices, and combined solutions)
RED Delegated Act – supplements the Radio Equipment Directive with cybersecurity requirements for wireless products (effective from August 1, 2025)
AI Act – upcoming EU regulation for AI systems, defining requirements based on risk levels (especially in areas like production control, quality, or predictive maintenance)

Standards:

ISO/IEC 27001 – Information Security Management System (for organizations)
IEC 62443 – Cybersecurity for industrial control systems and components (also applies to product development)
EN 18031 – Product vulnerability assessment and security testing (relevant for RED)
ETSI EN 303 645 – Baseline standard for consumer IoT cybersecurity
ISO/IEC 42001 – New international standard for AI system management, focused on transparency, risk management, and auditability

!!!Note: Management systems like ISO/IEC 27001 or the new Cybersecurity Act apply only to organizations—not products. Product and device security requires entirely different approaches, primarily based on IEC 62443.

How to address cybersecurity in industry?

Cybersecurity in the industrial sector must be approached comprehensively—both at the organizational infrastructure level (IT/OT systems) and at the product level for items placed on the market.

It’s essential to distinguish between security management systems (e.g., ISO/IEC 27001 or the new Cybersecurity Act based on NIS2), which apply solely to organizations and their processes. These systems, however, do not demonstrate or prove the security of specific products!

Ensuring product security, especially those with digital elements, requires:

Secure development (ideally according to IEC 62443-4-1)
Vulnerability testing (e.g., IEC 62443-4-2 and EN 18031)
Assessment of product compliance with legal requirements (particularly CRA and RED)
Preparation of technical documentation and CE marking (for RED)
CB certificates for IEC 62443-4-1 and IEC 62443-4-2 (globally recognized)

EZÚ offers both organizational and product-related services and helps manufacturers and suppliers manage the full lifecycle of cybersecurity—from initial GAP analysis, tailored training, and pre-assessments to successful certification.

Name	Domain	Purpose	Expiry	Type
pll_language	it.ezu.cz	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.	1 year	HTTP
elementor	it.ezu.cz	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.	never	HTTP

Name	Domain	Purpose	Expiry	Type
_ga	it.ezu.cz	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.	2 years	HTTP
_gid	it.ezu.cz	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.	1 day	HTTP
_gat_UA-88740921-10	it.ezu.cz	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.	1 minute	HTTP

We are a manufacturing company. Do NIS2 and the new Cybersecurity Act apply to us?

Which legislation and standards apply to the industry?

How to address cybersecurity in industry?

Menu

Useful information