The EU Cyber Resilience Act and NIS2: What Irish Product Companies Need to Know
A Donegal manufacturer recently discovered that a critical component in their smart production line, sourced from a third-party vendor, contained a hidden vulnerability. This flaw, unknown to them, is exploited by cybercriminals, leading to a complete shutdown of their production and significant financial losses. This isn't a far-fetched nightmare; it's a growing reality as more products become digitally connected. For Irish product companies, including Donegal and Galway manufacturers, understanding the upcoming Cyber Resilience Act (CRA) and its relationship with the NIS2 Directive is no longer optional; it's essential for survival and compliance.
Understanding the EU's Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is a landmark EU regulation designed to bolster the cybersecurity of hardware and software products throughout their entire lifecycle. Its primary goal is to ensure that products with digital elements placed on the EU market are secure by design and continue to be secure after they are sold [1]. This means moving beyond reactive security measures to a proactive approach that embeds cybersecurity from the initial design phase.
The CRA applies broadly to manufacturers, importers, and distributors of products with digital elements. This includes a vast array of items, from smart home devices and industrial control systems to operating systems and software applications. If your Irish company manufactures, imports, or distributes any product that connects to a network or processes digital data, the CRA will likely impact you [2].
Key requirements under the CRA include ensuring products are designed and developed with cybersecurity in mind, implementing vulnerability handling procedures, and providing clear security updates for the product's expected lifespan. Manufacturers will also be required to report actively exploited vulnerabilities and incidents to relevant authorities [3]. The CRA is set to become fully applicable by late 2027, with certain reporting obligations starting earlier, making preparation crucial now.
NIS2 Directive: Strengthening Operational Cyber Resilience
While the CRA focuses on the security of products, the NIS2 Directive (Network and Information Security 2) aims to enhance the overall operational cybersecurity resilience of essential and important entities across the EU. It expands the scope of its predecessor, the original NIS Directive, to include more sectors and entities, ensuring a higher common level of cybersecurity across the Union [4].
NIS2 applies to a wide range of sectors deemed critical for the economy and society, including energy, transport, banking, health, digital infrastructure, and certain digital service providers. For Irish product companies, particularly those operating in these critical sectors or providing digital services, NIS2 will impose significant obligations. Even if your company isn't directly in a "critical" sector, if you are a key supplier to one, you might find yourself indirectly affected due to supply chain security requirements [5].
Under NIS2, entities must implement robust cybersecurity risk management measures, including incident handling, supply chain security, network and information system security, and encryption. There are also strict incident reporting obligations, requiring affected entities to notify relevant authorities, such as the National Cyber Security Centre (NCSC) Ireland, of significant cyber incidents within tight deadlines [6]. The Irish government is currently in the process of transposing NIS2 into national law, which will clarify specific national requirements and enforcement mechanisms.
CRA and NIS2: A Unified Approach to Cybersecurity
While the CRA and NIS2 address different facets of cybersecurity, they are designed to be complementary, forming a comprehensive framework for digital security within the EU. NIS2 focuses on the operational resilience of organisations, ensuring they can withstand and recover from cyberattacks. The CRA, on the other hand, targets the inherent security of the products and software that these organisations, and consumers, use [7].
For Irish product companies, this means a dual responsibility. You must ensure that the products you manufacture or sell are secure by design (CRA) and that your internal operations and IT systems are resilient against cyber threats (NIS2). For example, a company manufacturing smart industrial sensors (CRA scope) that also provides a cloud-based monitoring service for these sensors (NIS2 scope) would need to comply with both regulations. The frameworks work in tandem: a secure product (CRA) reduces the attack surface for an organisation, thereby contributing to its overall operational resilience (NIS2).
This integrated approach aims to create a stronger, more cohesive cybersecurity posture across the EU. It addresses the interconnected nature of modern digital ecosystems, where product vulnerabilities can lead to systemic operational failures, and operational weaknesses can compromise product integrity.
Implications for Irish Product Companies
The combined force of the CRA and NIS2 presents both challenges and opportunities for Irish product companies, especially SMEs. The initial investment in compliance—updating product development processes, enhancing internal cybersecurity, and training staff—can be substantial. However, proactive compliance can also be a significant differentiator, building trust with customers and opening new market opportunities within the EU.
Irish SMEs should start by conducting a thorough assessment of their product portfolio to identify which products fall under the CRA's scope. Simultaneously, evaluate your operational cybersecurity posture against NIS2 requirements, considering your role in critical supply chains. Engage with cybersecurity experts, like a vCISO, to help navigate these complex regulations and develop a tailored compliance roadmap.
Furthermore, it's crucial to stay informed about the transposition of NIS2 into Irish law and any guidance issued by the NCSC Ireland or the Data Protection Commission (DPC), as these will provide specific local context and requirements. The Competition and Consumer Protection Commission (CCPC) may also play a role in enforcing product safety aspects related to cybersecurity [8].
What This Means for Your Business
The digital landscape is evolving rapidly, and with it, the regulatory environment. The EU Cyber Resilience Act and NIS2 Directive are not just bureaucratic hurdles; they are fundamental shifts towards a more secure digital future. For Irish product companies, embracing these regulations proactively will not only ensure compliance but also strengthen your market position, protect your intellectual property, and safeguard your customers.
Ignoring these directives could lead to significant penalties, reputational damage, and operational disruptions. Instead, view them as an opportunity to embed cybersecurity deeply into your business strategy, from product development to daily operations.
References
[1] European Commission. (n.d.). Cyber Resilience Act. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[2] Intertek. (2024, November 21). What Manufacturers Need to Know About the EU Cyber Resilience Act. Retrieved from https://www.intertek.com/blog/2024/11-21-eu-cyber-resilience-act/
[3] White & Case. (2025, October 10). Cyber Resilience Act: The clock is ticking for compliance. Retrieved from https://www.whitecase.com/insight-alert/cyber-resilience-act-clock-ticking-compliance
[4] European Commission. (n.d.). NIS2 Directive: securing network and information systems. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[5] Lansweeper. (2024, May 31). Understanding NIS2: What Manufacturers Need to Know. Retrieved from https://www.lansweeper.com/blog/cybersecurity/understanding-nis2-what-manufacturers-need-to-know/
[6] GT Law. (2025, August 28). EU NIS 2 Directive: Expanded Cybersecurity Obligations for Key Sectors. Retrieved from https://www.gtlaw.com/en/insights/2025/8/eu-nis-2-directive-expanded-cybersecurity-obligations-for-key-sectors
[7] Hyperproof. (n.d.). NIS2 and EU Cyber Resilience Act. Retrieved from https://hyperproof.io/understanding-the-relationship-between-nis2-and-the-eu-cyber-resilience-act/
[8] IAPP. (2025, February 5). Navigating the new EU cybersecurity standards: The NIS2 Directive and Cyber Resilience Act. Retrieved from https://iapp.org/news/a/navigating-the-new-eu-cybersecurity-standards-the-nis2-directive-and-cyber-resilience-act
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.