10 Sep 2025

Cybersecurity and European Regulations in Mobile Vehicle Electronics

In the ever-evolving world of electronics applied to mobile machinery, cybersecurity has become a strategic component. Digitalization and the massive adoption of IoT (Internet of Things) have transformed the industrial landscape: machinery, sensors, and management software are increasingly interconnected, making factories and vehicles smarter — but also more vulnerable. In this context, cybersecurity is essential to ensure operational continuity, protect sensitive data, and safeguard infrastructure security.

The protection of communication protocols in mobile vehicles has become a fundamental requirement to prevent intrusions, manipulations, and unauthorized access that could compromise the functioning of electronic systems or user safety.

New EU Cybersecurity Regulation: What Changes with NIS2 and the Cyber Resilience Act (CRA)

Cybersecurity is officially becoming a legal requirement across the European Union. Two key texts, the NIS2 Directive and the Cyber Resilience Act (CRA) Regulation, redefine obligations, responsibilities, and timelines for companies, digital products, and the supply chain. Below is an overview to understand who is affected, which products fall within the scope, and how to prepare.

NIS2: More Sectors, More Companies, More Responsibilities

What it is
Directive (EU) 2022/2555, known as NIS2, raises the minimum security standards for networks and information systems in Europe. It was transposed in Italy with Legislative Decree 138/2024, effective from October 16, 2024. From this date, Italian authorities have supervisory and enforcement powers.

Who is included
The directive applies to “essential” and “important” entities listed in Annexes I and II: energy, transport, healthcare, water, public administration, digital infrastructure and online services, waste management, chemicals, and the manufacturing of critical products (vehicles, machinery, electrical equipment, computers, electronics). Classification depends on sector, activity, and size (generally from medium-sized enterprises upwards). By April 17, 2025, each Member State must finalize the list of entities involved.

Main obligations

  • Risk management and technical/organizational measures (Art. 21)

  • Governance and management responsibility

  • Supply chain security

  • Notification of significant incidents

Sanctions

  • Up to €10 million or 2% of global turnover for “essential” entities (critical sectors such as energy, transport, banking, healthcare, water, and certain digital infrastructures)

  • Up to €7 million or 1.4% for “important” entities (less critical but still relevant sectors)

Cyber Resilience Act (CRA): “By Design” Requirements for Digital Products

What it is
The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, sets cross-cutting security requirements for all products with digital elements (hardware and software). The requirements aim for “by design” secure products, meaning they are designed with security integrated from the start. The regulation has been in force since December 2024 and will become fully applicable from December 11, 2027, with intermediate deadlines already established.

Key Deadlines

  • 11 June 2026 → Compliance and CE marking

  • 11 September 2026 → Obligation to report vulnerabilities and incidents to ENISA (European Union Agency for Cybersecurity)

  • 11 December 2027 → Full application for new products placed on the market

Requirements for Manufacturers

  • Secure design (“secure by default”, meaning the product is secure in its default configuration from the moment it is installed)

  • Vulnerability management and SBOM (Software Bill of Materials: a detailed inventory of all components, libraries, and dependencies, including open source, that make up an application)

  • Regular security updates

  • Coordinated vulnerability disclosure policies

Product Categories Covered
The CRA distinguishes:

  • Important Products (Class I) → identity and access management systems, password managers, browsers, routers, modems, switches, operating systems

  • Important Products (Class II) → firewalls, IDS/IPS, hypervisors, container runtimes, secure microprocessors and microcontrollers

  • Critical Products (Annex IV) → devices such as smart meter gateways and secure elements

The EU Commission will publish an implementing act by December 2025 with the technical descriptions of the included categories. The CRA also coordinates with the new Machinery Regulation (EU) 2023/1230 regarding the safety aspects of control systems.

Protocol Security: A Strategic Defense

Implementing secure protocols means adopting advanced solutions such as end-to-end encryption, multi-factor authentication, and incident detection systems. These technologies ensure the protection of exchanged data and strengthen the entire network against external threats.

Adopting cybersecurity measures involves investments in research, development, training, and regular updates, but these represent a strategic investment to ensure protection, reliability, and trust in the long term.

Today, security is not an additional cost: it is an integral part of the value of every technological product.

ALMEC integrates security-by-design engineering in control units, gateways, and connected platforms (Diaboard) so that its products comply with legal requirements.

👉 Contact us for a quick assessment of the scope and applicable deadlines for your products and processes: info@almec.net 
