Regulations & Standards
Critical deadlines
Cost savings through integration
Production facilities communicate with ERP systems, the cloud, and with one another. PLC systems, which used to operate in isolation, are now accessible across OT/IT boundaries. This connectivity drives efficiency—but also creates vulnerabilities. Legislators are responding with a wave of new regulations that require manufacturers and operators to systematically integrate cybersecurity into their products, processes, and organizational structures.
The EU Machinery Directive, the Cyber Resilience Act, and the EU AI Act require "secure by design," SBOMs, and lifelong security maintenance.
NIS-2 and CER require risk management, reporting obligations, and personal liability of management for organizations with 50 or more employees.
ISO 27001 and IEC 62443 are increasingly being specified as minimum requirements in requests for proposals and supplier qualification processes.
Cybersecurity as a mandatory security objective. "Secure by Design" becomes a legal requirement for all machine products.
Mandatory SBOMs, vulnerability management, and free security updates for all connected products.
Risk management, reporting requirements, and personal liability of management. The most immediate obligation.
Connected machines equipped with condition monitoring generate personal data. Fines of up to 4% of annual revenue.
AI used as a safety component in machines is considered high-risk. Strict documentation and transparency requirements apply.
Physical resilience as a complement to NIS 2. Protection against natural disasters, sabotage, and hybrid attacks.
The technical gold standard for OT security. Recognized as evidence of compliance with NIS 2, the EU GDPR, and the CRA.
ISMS standard and de facto market access requirement. Covers the majority of NIS 2 requirements.
24-hour reporting requirement for cyberattacks effective April 2025. Fines of up to CHF 100,000 effective October 2025. The minimum ICT standard comprises 106 measures based on the NIST CSF—mandatory for the electricity sector (effective July 2024) and the gas sector (effective July 2025). Machinery manufacturers that supply Swiss KRITIS (critical infrastructure) operators are indirectly bound by supplier requirements. Directly mapped to ISO 27001 and NIST CSF.
Risk management satisfies all 9 frameworks
Access control covers 8 out of 9 regulations
Both call for "Secure by Design." A unified SDL process addresses security functions and vulnerability management simultaneously.
Incident response is relevant to 7 regulations
Cyber and physical resilience through joint risk analyses, reporting requirements, and BCM. A single approach instead of duplicate assessments.
ISO 27001:2022 as a methodological framework. Addresses most of the organizational requirements of all regulations.
Expansion to include IEC 62443 for OT controls and the Secure Development Lifecycle. Covers the EU GDPR, CRA, and NIS 2.
Integration of data protection TOMs (technical and organizational measures) and AI compliance into the existing management system.
CER physical security requirements, if you or your customers are classified as a critical infrastructure facility.
I will analyze your current compliance status and show you the most efficient path to compliance.
SecureComply GmbH
Islerenweg 5a
8708 Männedorf
info@securecomply.ch
+41 79 746 35 88