Cybersecurity for Hardware & IoT SMEs: NIS2 and the Cyber Resilience Act (CRA)
Building a great piece of hardware or an innovative IoT device used to be about functionality and design. Today, if your product connects to a network, it is a target. And governments are no longer politely asking you to secure it—they are legally demanding it.
With the enforcement of the EU NIS2 Directive and the rollout of the Cyber Resilience Act (CRA), hardware manufacturers and software vendors are suddenly facing enterprise-grade security mandates.
The Supply Chain Security Squeeze
Much like ESG regulations, cybersecurity laws operate on a flow-down model.
Under the NIS2 Directive, critical infrastructure entities (like energy, healthcare, and transport companies) are required to secure their entire supply chain. If your SME sells a smart thermostat to a hospital, or software to an energy grid, you must prove your security posture to them.
Simultaneously, the Cyber Resilience Act (CRA) mandates that hardware and software products with digital elements must undergo rigorous cybersecurity risk assessments before they can receive a CE mark and enter the EU market.
Real Fines: The Price of a Vulnerability
Regulators do not care how small your business is if your device causes a network breach.
Failing to comply with NIS2 requirements can result in fines of up to €10 million or 2% of global turnover. Breaches of the Cyber Resilience Act can trigger penalties up to €15 million or 2.5% of total worldwide turnover. Furthermore, if your IoT device lacks proper documentation or an EU Declaration of Conformity detailing its security measures, customs will seize the product at the border.
Proving You Are Secure
To sell into the enterprise or B2B space, you need more than a promise that your product is secure. You need verified documentation, such as an ISO 27001 ISMS Certificate, a CRA Risk Assessment, and a robust vulnerability disclosure policy.
Managing these documents manually via email attachments is a major red flag to enterprise procurement teams.
How Sustalium Helps You Pass Security Audits
Sustalium turns your cybersecurity documentation into a competitive asset that satisfies procurement officers and regulators alike.
- The CRA Risk Assessment Wizard: Don't know where to start with the Cyber Resilience Act? Sustalium features a guided Wizard that helps you generate the mandatory CRA Cybersecurity Risk Assessment and EU Declaration of Conformity.
- The ISO 27001 Verifier: If you have invested in an ISO 27001 certification, you need clients to trust it. Sustalium securely hosts your verified certificates on a public URL. Instead of emailing PDFs that can be easily forged, you share a dynamic, verifiable link proving your Information Security Management System is compliant.
- Avoiding Fines & Blocking: By centralizing your security declarations and CE marks into one digital product passport, you ensure that market surveillance authorities and enterprise buyers can instantly verify your legal compliance, keeping your products moving.
Secure Your Contracts in Minutes
Don't let a missing security declaration block your biggest sale. Provide instant, verified proof of your cybersecurity compliance.
With Sustalium, there is no waiting and no hidden software fees. Generate your CRA Risk Assessment or verify your ISO 27001 certificate for just €10 per document. Create a live public URL and close the deal today.
Frequently Asked Questions
What is the EU Cyber Resilience Act (CRA)?
The CRA is an EU regulation that introduces mandatory cybersecurity requirements for hardware and software products with digital elements. Manufacturers must assess cybersecurity risks, ensure products are delivered without known exploitable vulnerabilities, and provide security updates for a defined period.
How does NIS2 affect small businesses?
While micro and small enterprises are generally excluded from the direct scope of NIS2, they are heavily impacted indirectly. "Essential" and "Important" entities must assess the cybersecurity practices of their suppliers. If an SME cannot prove its security posture (e.g., via ISO 27001), it will likely lose B2B contracts.
Do I need a CE Mark for software?
Yes, under the CRA (and the EU AI Act), standalone software and hardware with digital elements require a CE Mark accompanied by an EU Declaration of Conformity proving that the product meets essential cybersecurity requirements.
How much does it cost to manage my cybersecurity compliance docs?
Using Sustalium, you can generate and host verified cybersecurity declarations and risk assessments for just €10 per document, on a simple pay-as-you-go basis with no recurring subscriptions.