Compliance Is Becoming More Complex – With IGLOS It Stays Simple

The cybersecurity compliance landscape is changing fast with new regulations such as NIS-2, the EU Cyber Resilience Act (CRA) and standards like IEC 62443. What used to be a periodic box-ticking exercise has turned into an ongoing, high-stakes responsibility. Organisations now face shorter reporting deadlines, stricter technical requirements, and greater accountability at the management level.

For manufacturers of embedded and industrial systems, this raises an important challenge: How can they stay compliant without slowing down development or increasing risk? A secure and reliable software foundation starting with the operating system is crucial to meet regulations.

In this blog post, we focus on NIS-2 and explain how manufacturers can be a step ahead by using IGLOS an industrial grade operating system by Linutronix when developing products used in affected sectors.

The EU Directive 2022/2555, also known as NIS-2, introduces mandatory cybersecurity rules for network and information systems across the EU.1 It replaces the older NIS-1 Directive and has the goal to:

• Strengthen the resilience of organizations against cyber attacks
• Reduce supply-chain risks
• Improve cooperation during security incidents

In Germany, the Bundestag adopted the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) on 13 November 2025. 2

Who Is Affected by NIS-2?

NIS-2 mainly applies to operators of network and information systems in certain sectors. These are divided into essential and important entities. 3

Essential Entities:

• Energy (electricity, gas, etc.)
• Transport (air, rail, water, road)
• Banking
• Financial sector
• Healthcare (hospitals, emergency services)
• Drinking water and wastewater
• Digital infrastructure (cloud, data centers, etc.)
• ICT service management (B2B providers, …)
• Public administration
• Space

Important Entities:

• Postal and courier services
• Waste management
• Chemical industry
• Food industry
• Manufacturing (electronics, machinery, medical, etc.)
• Digital service providers
• Research

Affected Groups

Operators of such systems (e.g., energy companies, hospitals, ISPs, cloud providers):

Operators are mainly responsible for:

• Keeping their systems and services secure
• Implementing technical and organizational measures
• Reporting incidents and managing supply-chain risks
• Showing proof of compliance

Suppliers (e.g., hardware, software, embedded systems suppliers):

Suppliers are not directly regulated by NIS-2, but they are still very important. If a operator uses e.g. their product they should:

• Provide security documentation
• Deliver SBOMs
• Offer trust guarantees and conformity evidence

Service and Digital Service Providers (e.g., hosting companies, telecom operators, DNS providers):

If they provide critical or important services, they also need to:

• Follow operator requirements
• Support supply-chain risk management

NIS-2, CRA, and IEC 62443: How They Relate

• NIS-2: Cybersecurity and reporting requirements for critical/important sectors
• EU Cyber Resilience Act (CRA): Security rules for digital products across their lifecycle
• IEC 62443: International standard for industrial automation security

Many aspects of NIS-2 correspond to topics also addressed by the IEC 62443] as outlined below. As the development process of Linutronix is certified according to IEC 62443-4-1 and with our experience building a IEC 62443-4-2 certified product based on IGLOS, we are well prepared for supporting your NIS-2 compliance strategy.

Together, this builds a security framework for organizations, technology, and product development. 4

NIS-2 Core Requirements

Article 21 demands “appropriate and proportionate technical, operational and organizational measures” based on the current state of the art. Key areas include:

21(2)(a) – Policies on risk analysis and information system security

IEC 62443:

• Addressed by multiple IEC 62443-4-1 elements:
  
  • 4-1 Practice 1 – Security Management
  • 4-1 SR-2 – Threat Model

IGLOS:

• Holistic security risk assessment integrated into the development process
• Development process certified according to IEC 62443-4-1 by TÜV SÜD

21(2)(b) – Incident handling

IEC 62443:

• 4-1 Practice 6 – Management of security-related issues

IGLOS:

• Continuous CVE tracking and assessment in the customer’s context
• Application of upstream security patches
• Submission of fixes for open-source components when needed

21(2)(c) – Business continuity (backup, disaster recovery, crisis management)

IEC 62443:

• 4-2 FR 7 – Resource Availability

IGLOS:

• Denial-of-service protections
• Backup & restore capabilities
• Additional product-level availability features

21(2)(d) – Supply chain security

IEC 62443:

• 4-1 SM-9 – Security requirements for externally provided components
• 4-1 SM-10 – Custom developed components from third-party supplier

IGLOS:

• Automated and manual assessment of open-source components
• Review of maintenance quality, testing practices, and security-conscious design

21(2)(e) – Security in acquisition, development, maintenance; vulnerability handling & disclosure

IEC 62443:

• Addressed in multiple IEC 62443-4-1 areas, including:
  
  • 4-1 SM-1 – Development process
  • 4-1 SI-2 – Secure coding standards
  • 4-1 Practice 6 – Management of security-related issues

IGLOS:

• Fully aligned with IEC 62443 development processes
• Covers both process-level controls (e.g., vulnerability handling) and product features (e.g., hardened A/B update mechanism)

21(2)(f) – Procedures to assess the effectiveness of cybersecurity risk-management measures

IEC 62443:

• 4-1 Practice 5 – Security verification and validation testing
• Regular external audits (e.g., TÜV SÜD) required for certification

IGLOS:

• Comprehensive multi-layer security testing
• IGLOS-based product certified by TÜV SÜD

21(2)(g) – Basic cyber hygiene and cybersecurity training

IEC 62443:

• 4-1 SD-4 – Secure design best practices
• 4-1 SM-4 – Security expertise

IGLOS:

• Strong internal cybersecurity expertise and training culture at Linutronix

21(2)(h) – Cryptography and encryption policies

IEC 62443:

• 4-2 CR 3.4 – Software and information integrity
• 4-2 CR 4.3 – Use of cryptography

IGLOS:

• Secure boot
• Protected root filesystem and updates
• Encrypted data partitions and secure storage

21(2)(i) – Human resources security, access control, asset management

IEC 62443:

• 4-2 FR 1 – Identification and authentication control
• 4-2 CR 7.8 – Control system component inventory

IGLOS:

• Building blocks for secure authentication, inventory, and asset management
• Integration depends on customer system context

21(2)(j) – Multifactor authentication, secure communications, emergency communication systems

IEC 62443:

• 4-2 CR 1.1 Enhancement 2 – Multifactor authentication for all devices.

IGLOS:

• Support for FIDO2 and other MFA technologies
• Actual integration depends on the customer environment

IGLOS Supports the Full Lifecycle

IGLOS supports your product across its entire lifecycle, guiding you toward thorough and traceable compliance with NIS-2, CRA, and IEC 62443. By handling the cybersecurity and regulatory preparation and maintenance, it helps you maintain ongoing readiness and clear audit trails, freeing you to concentrate more on your core areas of expertise and innovation.

References:

[1]: https://eur-lex.europa.eu/eli/dir/2022/2555/oj

[2]: https://www.bundestag.de/dokumente/textarchiv/2025/kw46-de-nis-2-1123138

[3]: https://www.enisa.europa.eu/sites/default/files/2024-10/presentation-nis2-cybersecurity-conference-brussels-1.pdf

[4]: https://symmedia.de/de/navigating-nis2-compliance-using-iec-62443-standards-to-strengthen-cybersecurity/

 Photo by Peter Conrad on Unsplash