EURANET logo coral blu

Industrial Cybersecurity

Today's production lines increasingly consist of connected cyber-physical systems that integrate software, firmware, sensors, and digital platforms.
In this scenario, a software vulnerability is not only a cybersecurity risk. It can also compromise the operational safety of machines, disrupt production, and, in severe cases, create risks to operator safety.

To tackle these new challenges, the European Union has introduced a framework of three regulations that represent the pillars of an ecosystem aimed at industrial resilience, approaching cyber risk from complementary and interconnected perspectives:
Industrial Cybersecurity 1a
DNIS2 Directive (UE 2022/2555), strengthens the operational resilience of organizations.
Cyber Resilience Act - CRA (UE 2024/2847), ensures the cybersecurity of digital products and softwares.
Regolamento Macchine (UE 2023/1230), protects the physical safety of operators.
Industrial Cybersecurity 3level arrowsEN
ORGANIZATION
Responsibility of the OPERATOR
DIGITAL PRODUCT
Responsibility of the SOFTWARE/PLC MANUFACTURER
SAFETY
Responsibility of the MACHINE MANUFACTURER
Software is becoming one of the most critical elements in industrial risk management, as it is simultaneously part of safety (Machinery Regulation), part of the digital product (CRA), and part of the organization's IT/OT environment (NIS2).
As a result, the industrial sector is undergoing a significant transformation: cybersecurity is no longer just an IT issue but is becoming an essential requirement for machine safety and access to the European market.

European NIS2 Directive

The European NIS2 Directive (EU 2022/2555), transposed into Italian law through Legislative Decree No. 138/2024, marks a significant shift in the way cybersecurity is conceived, managed, and governed within organizations. It applies to the machine operator/user, and its focus is the security of the organization's networks and information systems.
Among the key developments introduced by NIS2:
The introduction of direct, non-delegable legal responsibility for management bodies, subject to sanctions.
Risk assessment extended to the entire supply chain, with particular attention to critical suppliers.
Strict reporting deadlines for cyber incidents (24 h / 72 h / 1 month).
The measures required by NIS2 must be fully operational by 1 October 2026.

Euranet Services for NIS2 Compliance

With Euranet, the NIS2 compliance journey becomes a guided process. Starting with a gap analysis against NIS2 requirements and the ACN framework, we define a clear, organization-specific roadmap and support the implementation of the required measures, including cyber risk and incident management, the definition of management roles and responsibilities, and supplier risk controls.

Applicability assessment and identification of critical services

Evaluation of the organization's maturity level against NIS2 requirements and the ACN framework

Definition of a clear roadmap aligned with the organization's risk profile

Support in implementing the required measures

Discover how Euranet can guide your compliance journey

Cyber Resilience Act - CRA

The Cyber Resilience Act - CRA (Regulation EU 2024/2847) applies to hardware and software products with digital elements made available on the European Union market, including software and hardware components marketed separately.
The Regulation introduces new obligations for hardware and software manufacturers, including:
Security of products with digital elements throughout their entire lifecycle.
Security-by-design approach.
Identification, monitoring, and documentation of vulnerabilities and product components, including through SBOMs.
Reporting obligations for actively exploited vulnerabilities and severe incidents to ENISA and CSIRT within strict deadlines (24h/ 72 h/ 14 days/ 1 month).
Mandatory detection and reporting of cybersecurity incidents.
Mandatory CE marking.
All CRA requirements must be in place by December 2027, with the first compliance deadlines taking effect in 2026 and penalties for non-compliance.

Euranet's CRA Compliance Services

The absence of a structured compliance framework can lead to delays, unexpected costs, and penalties. This is why Euranet provides ongoing support to help organizations maintain compliance over time and prepare for potential audits.

In particular, Euranet supports organizations through a continuous consulting approach: starting with a training workshop, we identify the scope of applicability, analyze products and software, assess cybersecurity risks, and develop remediation and incident reporting plans. This process leads to the definition of a Cybersecurity Management System that supports the implementation of the required measures, including product requirements (Annex I) and organizational obligations.

Hands-on Workshop
(3h+3h/online or on-site): training on CRA and preliminary compliance assessment

CRA scope:
identification of the products, software, and digital components falling within the scope of the Regulation

Software analysis:
identification and documentation of vulnerabilities, SBOM, software licenses, cybersecurity risks etc. with the option to integrate CAST Software Intelligence solutions

Product cyber risk analysis:
attack scenarios, potential impacts, security measures, residual risk etc.

Remediation plan:
product remediation to reduce risks, improve the security architecture, strengthen configurations, implement updates, enhance access controls, etc.

Vulnerability handling and
incident reporting:

definition of a process to manage vulnerabilities, reports, patches, customer communications, and severe incidents

Cybersecurity Management System:
implementation of a structured system of roles, procedures, controls, evidence, periodic reviews, and continuous improvement

Discover how Euranet can guide your compliance journey

Schedule a Workshop to get started with CRA compliance

Machinery Regulation

With the adoption of the Machinery Regulation (EU) 2023/1230, cybersecurity has become an integral part of the health and safety requirements for machinery within the European Union. The Regulation introduces an obligation for manufacturers to protect the digital systems of machinery against alterations that could compromise safety (security by design in support of safety). The objective is to ensure that no digital compromise creates a risk to people's health and safety.
The Regulation will become applicable on 20 January 2027. From that date, manufacturers will be required to demonstrate compliance by implementing technical and organizational measures, including:
Access control and authentication for control systems.
Protection of the integrity of software and safety-related data.
Traceability of modifications through logging systems.
Secure software update procedures.
Clear cybersecurity requirements in the user manual.
Identification and documentation of software security vulnerabilities affecting safety.
Risk assessment and implementation of appropriate risk mitigation measures.
These elements must be documented in the machine's Technical File as evidence of conformity for the certification authorities, becoming an integral part of the CE marking process.

Medical Devices

Manufacturers of medical devices are also subject to strict requirements to ensure the cybersecurity of embedded softwar, essential for protecting the availability, integrity, and confidentiality of data.
In particular, these requirements are set out in:
EU Medical Device Regulation (MDR) – Regulation (EU) 2017/745.
FDA regulatory requirements for Medical Devices and Cyber-risk Management.
EURANET & CAST
Organizations that adopt an integrated approach to software security will be better prepared to address emerging regulatory and technological challenges.
Thanks to its partnership with CAST Italia, Euranet supports manufacturers of machinery with digital components and medical devices in managing the growing regulatory complexity of cybersecurity through the structural analysis of industrial and embedded software.
By combining Euranet's expertise in asset protection and cybersecurity standards and regulations with CAST's technology, organizations can prevent operational risks and measure software productivity and security.
Standard di riferimento:
Watch the highlights of Euranet & CAST’s webinar to learn more about NIS2, CRA and the Machinery Regulation.
Standard di riferimento:
Compliance is not a one-time event but a continuous process. Euranet supports you with a clear and structured path towards a verifiable cybersecurity architecture and long-term resilience in the global marketplace.
Euranet © – All rights reserved
Euranet S.r.l. Registered Office: Via Boccaccio 20, 20123 Milan, Italy – Operational Office: Via Cavour 5, 27043 Broni (PV), Italy – Share Capital €64,100 fully paid-up – VAT No. 12270030153 – Registered with the Milan Companies Register, REA MI-1544390
crossmenu