KRITIS · Umbrella Act · NIS-2

Cyber Resilience Act NIS-2: 2027 Duty Guide

Cyber Resilience Act and NIS-2: how operators and manufacturers share liability from 2027. Duties, deadlines, 14-week plan for KRITIS operators.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

The Cyber Resilience Act and NIS-2 are two regulatory frameworks with one shared interface: the operator's supplier contract. Anyone entering a BSI audit in 2027 without documented CRA conformity from their suppliers risks penalties under both regimes in parallel. This guide separates the duties cleanly and shows what must be operationally in place by the end of 2026.

Cyber Resilience Act NIS-2: Two frameworks, one duty line

NIS-2 (Directive EU 2022/2555) addresses operators. The CRA addresses manufacturers. Both meet where a KRITIS operator procures hardware or software.

NIS-2 obliges essential and important entities to manage risk along the ICT supply chain under Article 21 of the Directive. The CRA shifts part of the burden of proof to manufacturers but does not relieve the operator of its selection and control duties.

For KRITIS operators, the documentation burden doubles. Every procurement decision from 2027 onward must answer two questions: Is the supplier CRA-compliant? Have I, as operator, verified and documented that conformity?

Transition deadlines are staggered. The CRA's main duties take effect in December 2027. Reporting duties for actively exploited vulnerabilities begin in 2026. NIS-2 is implemented in Germany through the NIS2UmsuCG, and the KRITIS Umbrella Act draft (KRITIS-Dachgesetz) supplements the physical resilience dimension. The Bundestag draft 20/9262 details duties for German operators.

The CRA penalty range reaches up to EUR 15 million or 2.5 % of global group turnover. NIS-2 sanctions stack on top, not as alternatives.

Next step: Review KRITIS sectors to check whether your facility falls within scope.

What the CRA concretely demands for deployed hardware

The CRA defines five core duties for every product with digital elements placed on the EU market.

First: security-by-design. Products must not contain known exploitable vulnerabilities at delivery. Factory default passwords and unpatched libraries bar a product from market access.

Second: vulnerability management across the expected useful life, minimum five years. Manufacturers must provide patches free of charge, even after the end of commercial life.

Third: SBOM (Software Bill of Materials). Each product carries a machine-readable bill of its software components. Operators must be able to present this SBOM during an audit, so they must request it at procurement.

Fourth: coordinated vulnerability disclosure. Actively exploited vulnerabilities are reported by the manufacturer to ENISA within 24 hours, with a detailed report following after 72 hours.

Fifth: CE marking redefined. No CRA declaration of conformity, no market access from December 2027. Existing hardware in KRITIS facilities is not automatically CRA-compliant; the manufacturer must demonstrate it.

What works: standardised SBOM formats (CycloneDX, SPDX) can be parsed automatically. What does not work: PDF lists without a machine-readable counterpart, which cost time during audit.
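The difference between a machine-readable SBOM and a PDF list is that the former can be checked by a script before the audit. The following is an added example, not Quarero's code and not tooling from the CycloneDX project: it parses a small constructed CycloneDX JSON document (the `bomFormat`, `specVersion` and `components[]` layout is assumed from the CycloneDX JSON schema), rejects anything that is not CycloneDX JSON, and lists components that lack a version or a package URL, since those cannot be matched against vulnerability data.

```python
"""Audit-readiness check for a CycloneDX SBOM in JSON form.

Added example; assumes the CycloneDX JSON layout (bomFormat, specVersion,
components[] with name/version/purl). The sample SBOM below is constructed
and does not describe any real product.
"""
import json

# Constructed sample: two complete components, one without a version,
# one without a package URL (purl).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"name": "patrol-firmware", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "library", "name": "libcurl",
         "purl": "pkg:generic/libcurl"},
        {"type": "application", "name": "ros-bridge", "version": "2.1.0"},
    ],
})


def load_sbom(text):
    """Parse SBOM text; reject anything that is not a CycloneDX JSON document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not machine-readable JSON: {exc}") from exc
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or wrong)")
    if not isinstance(doc.get("components"), list):
        raise ValueError("CycloneDX document has no components list")
    return doc


def audit_sbom(text):
    """Return a findings dict an auditor can act on.

    A component can only be matched against vulnerability data when it
    carries both a version and a package URL, so both are checked per entry.
    """
    doc = load_sbom(text)
    findings = {"component_count": 0, "missing_version": [], "missing_purl": []}
    for comp in doc["components"]:
        name = comp.get("name", "<unnamed>")
        findings["component_count"] += 1
        if not comp.get("version"):
            findings["missing_version"].append(name)
        if not comp.get("purl"):
            findings["missing_purl"].append(name)
    findings["audit_ready"] = not (findings["missing_version"] or findings["missing_purl"])
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
    # A PDF-style free-text list is rejected outright rather than half-parsed.
    try:
        audit_sbom("Component list: see attached PDF")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the same check over every supplier's SBOM at procurement time turns "do we have an SBOM?" into a per-component answer that can be filed with the supplier record; an SPDX document would need a second loader but the same per-component test.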

NIS-2 supply chain duties: the toughest lever for operators

Article 21 NIS-2 requires risk management across the entire ICT supply chain. This is the operationally most expensive duty in the whole framework.

Contractual clauses on security requirements are mandatory. A supplier contract without clear rules on patch deadlines, reporting duties and audit rights is inadequate under NIS-2, regardless of whether an incident occurs.

Supplier audits must be documented and repeated on a rolling basis. For critical suppliers we recommend annual audits, for standard suppliers every two years. Audit depth follows risk contribution, not contract volume.

Sub-suppliers (Tier 2, Tier 3) fall within the audit duty if they are security-relevant. An operator using a cloud provider that in turn uses a third-party identity management service must audit the entire chain.

When outsourcing to cloud or robotics service providers, operator liability remains. A contractual transfer of security responsibility does not release the operator from the control duty. The BSI is the national reporting point for security incidents and operates the interface to ENISA, as the Federal Ministry of the Interior clarifies.

Next step: Review NIS-2 compliance at Quarero for the contract clauses we provide to KRITIS customers.

Patrol robotics as a CRA-regulated product

Autonomous patrol robots are products with digital elements. The CRA applies in full, in addition to the EU Machinery Regulation. The Machinery Regulation 2023/1230 defines cybersecurity requirements for autonomous machines and complements CRA duties.

The Quarero QR-2 and QR-3 ship with three documented properties: machine-readable SBOM, signed firmware updates and CRA declaration of conformity. The SBOM is in CycloneDX format, firmware signatures are produced via an HSM-backed build pipeline.

Vulnerabilities are reported to ENISA within 24 hours. Patches are rolled out OTA within 72 hours, prioritised for critical CVSS scores from 7.0 upward. The update pipeline is auditable; every installation leaves a signed log entry.

Data flows (video, thermal, LiDAR) stay in the German data centre. No third-country transfer, no SCCs, no Schrems II discussion. That is an architectural choice, not a contractual assurance.

In the RaaS model, Quarero carries the manufacturer's CRA burden and the operational maintenance burden. The operator retains the NIS-2 operator burden: document supplier selection, exercise audit rights, report incidents to the BSI. This allocation is clean because it places responsibility where the control capability lies.

Next step: QR-3 with LiDAR and drone detection for CRA-compliant patrols.

Reporting duties: 24-72-30 as the new cadence

NIS-2 prescribes a three-stage reporting chain. Early warning to the BSI within 24 hours of knowledge. Assessment within 72 hours with initial analysis and measures. Final report after 30 days with root cause analysis.

The CRA runs in parallel: the manufacturer reports an actively exploited vulnerability within 24 hours to ENISA. That is a separate reporting chain, not part of the NIS-2 early warning.

Operators must set up internal reporting chains so that both deadlines can run in parallel. Anyone detecting an incident at a supplier informs the manufacturer (for its ENISA report) and the BSI (for its own NIS-2 report) simultaneously. Sequential action loses the 24-hour deadline.

A missed report is a standalone penalty offence, independent of the damage event. An incident that causes no damage but is not reported is sanctionable. An incident that causes damage but is reported on time mitigates the sanction.

Drill the reporting chain at least quarterly. Logging must be audit-fast: timestamps, escalation path, persons involved, communication channel. An email thread is not enough; a ticket system with signed entries is.

What works: tabletop drills with real BSI contacts, coordinated in advance. What does not work: theoretical process descriptions that are not retrievable in a real event.
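To make the 24-72-30 cadence and the "signed entries" requirement concrete, here is an added example that is not Quarero's ticket system or any product code. It computes the three NIS-2 deadlines from the moment of knowledge and keeps a small reporting-chain log in which every entry carries the four fields named above (timestamp, escalation step, person, channel) plus an HMAC that also covers the previous entry's tag, so editing or removing an entry later breaks verification. The key, the incident timeline and the step names are constructed placeholders; the assumption that the key would live in an HSM or key management service is the example's, not the page's.

```python
"""Deadline calculation and a tamper-evident reporting-chain log.

Added example. Deadlines follow the 24 h / 72 h / 30 d cadence stated in the
text. Log entries are HMAC-chained; the key below is a constructed demo value
(a real deployment would keep it in an HSM or KMS - an assumption here).
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

DEMO_KEY = b"constructed-demo-key-not-for-production"

# NIS-2 reporting stages counted from the moment of knowledge.
NIS2_DEADLINES = {
    "early_warning": timedelta(hours=24),
    "assessment": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


def deadline_strings(knowledge_iso):
    """Absolute deadlines (ISO 8601) from the moment of knowledge."""
    t0 = datetime.fromisoformat(knowledge_iso)
    return {k: (t0 + d).isoformat() for k, d in NIS2_DEADLINES.items()}


def _tag(key, prev_tag, payload):
    """HMAC over the previous tag and the canonical JSON of this entry."""
    msg = prev_tag.encode() + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log, key, timestamp_iso, step, person, channel, note=""):
    """Append one signed entry; its tag chains to the previous entry's tag."""
    payload = {"ts": timestamp_iso, "step": step, "person": person,
               "channel": channel, "note": note}
    prev = log[-1]["tag"] if log else ""
    log.append({**payload, "tag": _tag(key, prev, payload)})
    return log


def verify_log(log, key):
    """Return the index of the first entry that fails, or -1 if the chain holds."""
    prev = ""
    for i, entry in enumerate(log):
        payload = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, prev, payload), entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def build_demo_log():
    """Constructed chain for a fictitious incident detected at a supplier."""
    t0 = datetime.fromisoformat("2027-03-02T03:47:00+00:00")
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    log = []
    append_entry(log, DEMO_KEY, at(), "detection", "SOC on-call", "ticket",
                 "alert from supplier monitoring")
    append_entry(log, DEMO_KEY, at(minutes=40), "ciso", "CISO", "phone")
    # Manufacturer (for its ENISA report) and BSI (own NIS-2 early warning)
    # are informed in parallel, not one after the other.
    append_entry(log, DEMO_KEY, at(hours=2), "manufacturer", "supplier PSIRT",
                 "email", "input for ENISA report")
    append_entry(log, DEMO_KEY, at(hours=2, minutes=5), "bsi_early_warning",
                 "CISO", "BSI portal")
    return log


if __name__ == "__main__":
    print(json.dumps(deadline_strings("2027-03-02T03:47:00+00:00"), indent=2))
    log = build_demo_log()
    print("chain intact:", verify_log(log, DEMO_KEY) == -1)
    log[1]["person"] = "someone else"  # after-the-fact edit of who escalated
    print("first failing entry:", verify_log(log, DEMO_KEY))
```

The chain detects edits and deletions in the middle, but not the silent removal of the newest entries; a ticket system using this scheme would additionally record the latest tag somewhere the log writer cannot alter (for example in the incident ticket itself or with a second party), which is a design choice beyond what the page describes.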

Management liability tightens through the CRA

NIS-2 anchors personal liability of management in §38 BSIG-E for failure to perform risk management. This is not corporate liability but individual liability.

The CRA extends liability to include due diligence in supplier selection. Anyone using a supplier without a CRA declaration of conformity has not, as management, sufficiently documented the selection.

Insurance coverage (D&O) regularly does not cover fines. Most policies explicitly exclude penalties and fines. What D&O does cover are third-party damages claims and legal defence costs. Anyone relying on D&O as full protection has not read the policy.

Reversal of the burden of proof: management must actively demonstrate that due diligence processes were implemented. That is a procedural tightening compared with general management liability under §93 AktG.

Training duty for management is explicitly anchored in NIS-2. An annual training session with documented attendance is the minimum standard. Quarterly briefings by the CISO are the operational norm.

Next step: Review management liability under NIS-2 in detail.

14-week plan for combined CRA-NIS-2 compliance

The following plan was tested with three mid-sized KRITIS operators (energy, water, logistics) between 2024 and 2026.

Weeks 1-3: Inventory. Record all products with digital elements, build a supplier map, classify security relevance (high, medium, low). Result: an asset register with supplier reference.

Weeks 4-6: SBOM request. Send all suppliers a standardised form for SBOM delivery. Renegotiate contract clauses on patch deadlines, reporting duties and audit rights. Suppliers that do not deliver go on the exit list.

Weeks 7-9: Reporting chain. Test BSI and ENISA interfaces. Define internal escalation paths, configure the ticket system, name responsible persons. Reporting paths must function within ≤2 hours from first contact to CISO.

Weeks 10-12: Tabletop drill. Run through an incident scenario, minimum two hours, with management. Log the board-level engagement. Translate observed bottlenecks into an action list.

Weeks 13-14: Audit-fast documentation. Consolidate all processes, contracts and logs into one compliance dossier. Residual risk report to management, signed.

What carries this plan: a dedicated project lead with ≥60 % capacity. What sinks it: side-of-desk handling by an already overloaded CISO.

Next step: Use the KRITIS-Dachgesetz checklist 2026 as an operational template.

What operators must decide now

Five decisions are due by the end of 2026. Each has a cost side and a liability side.

Remove suppliers without a CRA roadmap from the procurement pool. Anyone without a CRA conformity plan in 2026 will not be able to deliver in 2027. That is a procurement risk, not a compliance risk.

Switch to RaaS for security-critical hardware. Robotics, sensors, access systems: in the RaaS model the manufacturer carries the CRA burden operationally. The operator documents the selection decision and the audit right. Total cost of ownership is documented in the guard service TCO comparison against in-house operation.

Test reporting processes with the BSI in production before 2027. A real test report (declared as a drill) shows whether the interface works. In our experience the BSI is cooperative when the operator proactively requests such a test.

Brief the board quarterly in writing. Compliance status, open risks, drills performed. The written format protects in a liability case.

Pilot installation with a CRA-compliant provider. A reference installation in 2026 is cheaper than a large-rollout correction in 2028. Operators just crossing the BSI-KritisV thresholds face the highest pressure to act.

The Robotics-as-a-Service model and NIS-2 compliance at Quarero are the two operational answers to the combined CRA and NIS-2 duty load. Anyone entering the 2027 audit without a documented pilot operation begins the compliance discussion from a poor starting position.

Pilot discussion and CRA supplier review: /nis-2. We take the supplier list in hand, clarify the audit corridor and prioritise the components for which CRA conformity proof will be demanded of the operator in 2027. That is the only preparation measurable within twelve months.
