Compliance with the NIS-2 Directive, the Cyber Resilience Act (CRA), and IEC 62443 presents various challenges for companies. However, these regulations also offer advantages. Early adaptation can not only minimize regulatory risks but also gain competitive advantages through an improved cybersecurity strategy.
In the future, companies must establish effective risk management focused on network security, access control, and incident response.
(Image: Softing Industrial)
The increasing digitalization of industrial processes not only brings efficiency improvements but also new challenges in terms of cybersecurity. Two key regulatory frameworks of the European Union, the NIS-2 Directive (Network and Information Security Directive 2) and the Cyber Resilience Act (CRA), set new standards for protecting industrial automation systems. These regulations have significant implications for companies in the automation industry, particularly with regard to security, compliance, and operational continuity.
NIS-2: New Requirements for Critical Infrastructures
The NIS-2 Directive strengthens the cybersecurity of critical and essential services in the EU. It builds on the original NIS Directive from 2016 and extends its scope to a larger number of companies, including:
Operators of critical infrastructures (energy, transportation, healthcare)
Manufacturers and operators of industrial automation systems
Providers of digital services (cloud, data centers, IoT platforms)
The main obligations of the NIS-2 Directive for industrial automation companies include:
Enhanced security measures: Companies must establish effective risk management focused on network security, access control, and incident response.
Reporting obligations: Security incidents must be reported to the relevant authorities within 24 hours.
Supply chain security: The security of suppliers and partners is more strongly regulated to minimize vulnerabilities throughout the entire supply chain.
The implementation of the NIS-2 Directive requires industrial automation companies to ensure close collaboration between IT and OT security departments, as well as the integration of security concepts into existing operations.
In addition to NIS-2, the Cyber Resilience Act (CRA) establishes new standards for the cybersecurity of products with digital elements. Manufacturers of industrial control systems and IIoT devices are particularly affected. The CRA mandates:
Security by Design: Security features must already be considered during the development phase.
Vulnerability management: Companies are required to identify and address known security vulnerabilities.
Long-term update obligations: Security updates must be provided over a defined period.
These requirements aim to enhance the security of industrial automation systems and minimize the risk of cyberattacks.
IEC 62443: A Proven Security Standard for Automation
In addition to NIS-2 and CRA, the international standard series IEC 62443 also plays a key role in cybersecurity for industrial automation. This standard offers a structured approach to securing automation systems and includes:
Risk-based security concepts: Companies can adapt security measures according to their individual threat scenarios.
Network segmentation: Separating critical and non-critical systems reduces the attack surface.
Identity and access management: The authentication and authorization of users and machines are improved.
Secure communication: Data is transmitted through encrypted channels to prevent tampering and eavesdropping.
IEC 62443 can support companies in efficiently implementing the requirements of NIS-2 and CRA while establishing a robust cybersecurity strategy.
Challenges and Opportunities for the Industry
Compliance with NIS-2, CRA, and IEC 62443 presents various challenges for companies:
Legacy systems: Older control and automation solutions often do not meet the new security requirements and need to be updated.
Increased administrative effort: Implementing new processes for cybersecurity monitoring can be complex.
Training requirements: Employees must be trained in handling new regulations securely.
At the same time, the new regulations offer significant advantages:
Increased security and resilience: Companies can better protect themselves against cyberattacks.
Trust and competitive advantage: Companies that invest in cybersecurity early can position themselves as reliable partners.
Standardized security processes: A unified security strategy simplifies collaboration within global supply chains.
Implementation of IEC 62443-4-1 at Softing Industrial
Over the past five years, Softing Industrial has increasingly received customer inquiries regarding certification according to IEC 62443-4-1. This part of the specification outlines the requirements for a secure product development process for component manufacturers in the field of industrial automation.
In January 2022, Softing Industrial began expanding its processes to meet these requirements. In June 2023, the company received certification according to the IEC 62443-4-1:2018 standard for its locations in Haar near Munich, Nuremberg, and the development site in Cluj, Romania. The certification process was conducted by TÜV Süd. Since then, the company has been integrating these process expansions into all product developments and implementing the security requirements for components described in IEC 62443-4-2.
Network Segmentation
Softing Industrial offers the Smartlink HW-PN, a product that simplifies the securing of Profinet networks.
(Image: Softing Industrial)
As outlined above, network segmentation is a key aspect of IEC 62443. The specification recommends dividing communication networks for industrial automation into zones and conduits. These conduits are secured at the transitions between zones to protect against potential attacks. Segmentation can be implemented using standard IT products such as firewalls or more specific products tailored to OT environments.
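The zones-and-conduits model described above can be expressed as data and checked mechanically. The following Python script is an added example, not code from the article or from Softing Industrial: it defines three hypothetical zones by address range, a conduit allowlist between zone pairs, and classifies observed flows as allowed, a violation, intra-zone, or coming from an address outside any defined zone. The zone names, address ranges and port numbers are constructed for illustration; 4840 is the OPC UA default port and 34964 the PROFINET context-manager port, but which ports a real conduit should permit is a design decision for the specific plant.

```python
"""Zones-and-conduits policy check for observed network flows (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Hypothetical zone layout: zone name -> address ranges (constructed values).
ZONES: Dict[str, List[str]] = {
    "enterprise": ["10.0.0.0/16"],
    "dmz": ["10.1.0.0/24"],          # gateway / access point to the cell lives here
    "cell-profinet": ["192.168.10.0/24"],
}

# Conduits: (from_zone, to_zone) -> permitted destination ports.
# Any zone pair or port not listed here is denied by default.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("enterprise", "dmz"): {4840},       # OPC UA from applications to the gateway
    ("dmz", "cell-profinet"): {34964},   # gateway to PROFINET devices (context manager)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an IP address to its zone, or 'unknown' if no zone covers it."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in ip_network(net) for net in nets):
            return zone
    return "unknown"


def evaluate(flow: Flow) -> str:
    """Classify one flow against the conduit allowlist."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "unknown-zone"          # address outside the documented architecture
    if src_zone == dst_zone:
        return "intra-zone"            # conduits only govern zone boundaries
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    return "allowed" if flow.port in allowed else "violation"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, evaluate(f)) for f in flows]


def violations(flows: List[Flow]) -> List[Flow]:
    """Flows that cross a zone boundary without a matching conduit, or use an unknown address."""
    return [f for f, verdict in audit(flows) if verdict in ("violation", "unknown-zone")]


# Sample flows, constructed for this example (e.g. extracted from firewall or flow logs).
SAMPLE_FLOWS = [
    Flow("10.0.5.7", "10.1.0.10", 4840),          # app -> gateway via OPC UA: allowed
    Flow("10.1.0.10", "192.168.10.20", 34964),    # gateway -> PROFINET device: allowed
    Flow("10.0.5.7", "192.168.10.20", 34964),     # app talking straight into the cell: violation
    Flow("10.1.0.10", "192.168.10.20", 22),       # SSH through the conduit: violation
    Flow("192.168.10.5", "192.168.10.6", 102),    # device-to-device inside the cell
    Flow("172.16.0.1", "10.1.0.10", 4840),        # source not in any documented zone
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{flow.src:>14} -> {flow.dst:<15} {flow.proto}/{flow.port:<6} {verdict}")
```

Running the script prints one verdict per sample flow; in a monitoring context the `violations()` list is what would be raised as an alert, and the same structure can be fed with the actual firewall rule set to check that the implemented rules match the documented zone model.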
Softing Industrial offers the Smartlink HW-PN, a product that simplifies the securing of Profinet networks. It establishes a secure access point for applications to Profinet networks and provides suitable interfaces for the following application areas:
Asset Management
Network Monitoring
Process Analysis (IIoT, NOA)
Asset management applications, such as Emerson AMS Device Manager, access Profinet devices via the Smartlink HW-PN to configure parameters and monitor their status. The Smartlink HW-PN provides an FDI communication interface based on the secure communication protocol OPC UA. Communication between the asset management application and the Smartlink HW-PN can be protected and encrypted using certificates. Only authorized application instances can connect to the Smartlink HW-PN via this northbound interface.
On the south side, within the Profinet network, the Smartlink HW-PN acts as a Profinet Supervisor and establishes a "Device IO" connection to the Profinet devices. This allows authorized applications transparent access to the Profinet devices, regardless of the Profinet controller used.
The hardware architecture of the Smartlink HW-PN ensures a secure separation between the northbound application network and the southbound Profinet network. The Ethernet interfaces are managed by separate operating system instances. These separate instances only communicate with each other via a shared memory area, preventing any IP-level access from the north side to the south side.
Date: 08.12.2025
A complex firewall configuration for application access to the Profinet network is no longer necessary with the Smartlink HW-PN.
Real-Time Inventory of Networks
For the secure operation of networks in industrial automation, it is also essential to know which devices with which firmware versions are installed. Theoretically, this should be known from system planning. However, the actual installed state often differs from the planned state ("As-Built" vs. "As-Planned"), especially when the systems have been in operation for a few years.
Softing Industrial offers a network monitoring application for Profibus—and starting in January 2026, also for Profinet networks—with the Plantperfect Monitor product. This application utilizes Softing Industrial Smartlink products to access the network, enabling a real-time inventory of devices installed in the network and establishing a basis for secure operation.
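The "As-Built" versus "As-Planned" comparison described in the two paragraphs above is, at its core, a diff between two device inventories keyed by station name. The following Python script is an added example and is not code from the article, from Plantperfect Monitor or from Softing Industrial: it takes a planned inventory (as engineering data would provide it) and an observed inventory (as a network scan would report it) and sorts the stations into devices that match, devices whose firmware differs from the plan, devices whose MAC address changed (hardware swapped without the plan being updated), devices that are missing, and devices that are present but undocumented. Station names, MAC addresses and firmware versions are constructed values.

```python
"""As-built vs. as-planned inventory comparison (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    station: str    # Profinet station name, used as the inventory key
    mac: str        # hardware identity; a change means the unit was replaced
    firmware: str   # firmware version string as reported by the device


def index(devices: List[Device]) -> Dict[str, Device]:
    """Key a device list by station name."""
    return {d.station: d for d in devices}


# Planned inventory from engineering data (values constructed for this example).
PLANNED = index([
    Device("plc-cell1", "00:11:22:00:00:01", "V2.8.1"),
    Device("io-cell1-01", "00:11:22:00:00:02", "V1.4.0"),
    Device("io-cell1-02", "00:11:22:00:00:03", "V1.4.0"),
    Device("drive-cell1-01", "00:11:22:00:00:04", "V5.2.0"),
])

# Observed inventory, i.e. what a scan of the live network reports (constructed).
OBSERVED = index([
    Device("plc-cell1", "00:11:22:00:00:01", "V2.8.1"),      # matches the plan
    Device("io-cell1-01", "00:11:22:00:00:02", "V1.3.2"),    # firmware differs from plan
    Device("io-cell1-02", "00:11:22:00:00:99", "V1.4.0"),    # same name, different hardware
    Device("hmi-temp", "00:11:22:00:00:77", "V0.9"),         # not in the plan at all
])


def compare(planned: Dict[str, Device], observed: Dict[str, Device]) -> Dict[str, List[str]]:
    """Return station names grouped by how they deviate from the plan."""
    report: Dict[str, List[str]] = {
        "ok": [], "firmware_mismatch": [], "replaced": [], "missing": [], "unexpected": [],
    }
    for station in sorted(planned):
        want, have = planned[station], observed.get(station)
        if have is None:
            report["missing"].append(station)
            continue
        hardware_ok = have.mac == want.mac
        firmware_ok = have.firmware == want.firmware
        if not hardware_ok:
            report["replaced"].append(station)
        if not firmware_ok:
            # Either direction counts: a downgrade loses fixes, an undocumented
            # upgrade means the plan (and its risk assessment) is stale.
            report["firmware_mismatch"].append(station)
        if hardware_ok and firmware_ok:
            report["ok"].append(station)
    # Devices seen on the wire that engineering never documented.
    report["unexpected"] = sorted(set(observed) - set(planned))
    return report


def drift_count(report: Dict[str, List[str]]) -> int:
    """Number of stations with any deviation (a station can appear in more than one bucket)."""
    deviating = set()
    for bucket, stations in report.items():
        if bucket != "ok":
            deviating.update(stations)
    return len(deviating)


if __name__ == "__main__":
    result = compare(PLANNED, OBSERVED)
    for bucket, stations in result.items():
        print(f"{bucket:<18} {', '.join(stations) or '-'}")
    print(f"stations deviating from plan: {drift_count(result)}")
```

The point of keying on station name while also comparing the MAC address is that a swapped unit keeps its name and looks healthy to the controller, yet it is exactly the case where firmware, configuration and the plan's risk assessment need to be re-verified. Feeding the same `compare()` with a stored previous scan instead of the engineering plan turns it into a change detector between two points in time.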
Conclusion
NIS-2, CRA, and IEC 62443 mark an important step towards a more secure and resilient industry. Companies in industrial automation must prepare for extensive security requirements, encompassing both technical and organizational measures. Those who adapt early can not only minimize regulatory risks but also gain competitive advantages through an enhanced cybersecurity strategy.