Compliance Guides
EU cybersecurity rules for non-EU manufacturers: does NIS2 apply, or the Cyber Resilience Act?
If you manufacture outside the EU and sell into it, three regimes can reach you: NIS2, the Cyber Resilience Act, and your customers’ supply-chain requirements. Here is which one applies.

Photo: Homa Appliances / Unsplash
New to the topic? Start with What sovereign compliance actually means.
If your company manufactures outside the EU and sells into it, three separate regimes can reach you, and they are easy to confuse. NIS2 governs entities and reaches you if you carry out activities in the Union in a listed sector. The Cyber Resilience Act (CRA) governs products and reaches any manufacturer placing a product with digital elements on the EU market — no European establishment required. And your European customers, bound by their own supply-chain requirements, will push security terms down your contracts regardless. None of the three cares where your headquarters is.
The mistake most non-EU manufacturers make
The common assumption is: “We’re headquartered in Shenzhen / Seoul / Taipei / Austin. Our staff and revenue are overseas. EU rules are our importer’s problem.”
That is wrong three times over. EU cybersecurity law is built around market access, not corporate residence. If your product reaches a European buyer, at least one of these regimes reaches you — and the penalties are calculated on your global revenue, not your European revenue. The same pattern runs through EU law more broadly, as we set out in non-EU company selling into the EU.
The three levers, side by side
| NIS2 | Cyber Resilience Act | Supply-chain pressure | |
|---|---|---|---|
| What it regulates | The entity — how your company secures its own networks and systems | The product — how the thing you sell is secured, across its lifecycle | Your contracts with EU customers |
| Trigger | Operating in one of 18 listed sectors, providing services or carrying out activities in the Union | Placing a product with digital elements on the EU market | Selling to an in-scope EU entity |
| Needs an EU establishment? | Generally yes, or services provided in the Union (certain digital providers must appoint an EU representative) | No. Market access alone is the trigger | No |
| Maximum fine | €10M / 2%of group worldwide turnover (essential); €7M / 1.4% (important) | €15M / 2.5%of worldwide turnover for breaching essential requirements or Articles 13–14 | Loss of the contract |
| Legal instrument | Directive (EU) 2022/2555 — national transposition | Regulation (EU) 2024/2847 — directly applicable | Contract |
Lever 1 — NIS2: does it reach you as an entity?
NIS2 covers 18 sectors. The one that catches hardware makers is in Annex II: manufacture of computer, electronic and optical products, alongside electrical equipment, machinery, medical devices, motor vehicles, and other transport equipment. Network and telecoms equipment manufacturers sit squarely in that category. (For the full sector-and-size test, see does NIS2 apply to my business.)
Two consequences follow:
You would be an important entity, not an essential one. Annex II entities face reactive (ex post) supervision and a maximum fine of €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
The turnover base is your whole group. Article 34 sets the fine against the worldwide turnover of “the undertaking to which the entity belongs” — the parent, not the European sales subsidiary. A group with €20 billion of global revenue faces a theoretical ceiling in the hundreds of millions, however small its EU footprint. The same logic runs through the size test: NIS2 uses the EU SME definition, which counts linked and partner enterprises, so your parent’s headcount and turnover are attributed to your European entity. You cannot be “a small company in Europe” if you are a large company anywhere.
But— and this is the nuance that matters — NIS2 binds entities that provide services or carry out activities within the Union. If you have a European subsidiary, branch, or service operation, assume you are in scope. If you are a pure exporter with no EU presence, shipping hardware to an EU importer, NIS2 may not bind you directly at all. That does not make you safe. It just means the regime that bites is the next one.
Lever 2 — the Cyber Resilience Act: this is the one that reaches a pure exporter
The CRA is the regime most non-EU manufacturers underestimate, because it does not care where you are established. It applies to products with digital elements— hardware or software with a direct or indirect data connection — made available on the Union market, including components placed separately on the market. If your product has firmware and connects to anything, it is very likely in scope.
- Definition
- Product with digital elements (Cyber Resilience Act)
- Hardware or software with a direct or indirect data connection, made available on the EU market — including components placed separately on the market. If a product has firmware and connects to anything, it is very likely within the CRA’s scope, regardless of where its manufacturer is established.
The dates are closer than people think. The CRA entered into force on 10 December 2024. Its main requirements apply from 11 December 2027 — but the reporting requirements under Article 14 apply from 11 September 2026, and they apply to products already on the market, not just new ones. A device you shipped in 2019 that is still in use and carries an actively exploited vulnerability falls within the reporting duty.
What the CRA requires of a manufacturer:
- Security by design and vulnerability handling across the product lifecycle (Annex I).
- A software bill of materials (SBOM) in a commonly used, machine-readable format.
- Security updates, provided free of charge, for a defined support period.
- Reporting, from 11 September 2026: actively exploited vulnerabilities and severe incidents, to ENISA and the relevant national CSIRT — early warning within 24 hours, a fuller notification within 72 hours, and a final report within 14 days (for a vulnerability, once a fix is available).
- Technical documentation, conformity assessment, an EU declaration of conformity, and CE marking — from 11 December 2027.
Product classes decide how hard the conformity route is. Default products self-assess. Importantproducts (Annex III, Class I and II — for example password managers, operating systems, network interfaces, connected toys) require harmonised standards or a notified body. Criticalproducts (Annex IV — for example smartcards) require mandatory certification.
The penalties. Up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaching the essential cybersecurity requirements or the manufacturer requirements in Articles 13 and 14. Lower ceilings apply to other infringements and to supplying incorrect information to authorities. And the practical sanction is sharper than the fine: market surveillance authorities can order a non-compliant product off the EU market. For an exporter, loss of market access is the real penalty.
One important carve-out.Products already covered by sector-specific EU rules — medical devices, motor vehicles, and aircraft— sit outside the CRA and are governed by their own regimes. A carmaker’s cybersecurity duties come from vehicle type-approval law, not the CRA. A network-equipment maker’s come squarely from the CRA.
Lever 3 — your customers will regulate you even if the law does not
NIS2 Article 21(2)(d) requires in-scope entities to manage supply-chain security, including the security of their direct suppliers and service providers. Telecoms operators, cloud providers, data centres, and energy and transport operators are essential entitiesin Annex I — the most heavily supervised tier there is.
So even if neither NIS2 nor the CRA binds you directly today, your European customers are legally required to push security requirements onto you: contractual security clauses, evidence requests, vendor assessments, audit rights, vulnerability-disclosure commitments. For many non-EU suppliers this is the first and most tangible way EU cybersecurity law arrives — not as a letter from a regulator, but as a clause in a renewal.
And one lever that is not about compliance at all
Separately from all of the above, EU member states may restrict or exclude specific suppliers from sensitive infrastructure — particularly 5G and telecoms networks— on national-security grounds, under the EU’s coordinated 5G security approach. These decisions are made at national level and are not compliance questions: a vendor can be fully NIS2- and CRA-compliant and still be excluded from a national network on security-policy grounds. If you supply telecoms infrastructure into Europe, treat this as a separate risk track with its own logic, and take specialist advice.
So which applies to you?
| Your situation | What reaches you |
|---|---|
| No EU entity; you export products with digital elements | CRA (directly) + supply-chain pressure from EU customers |
| You have an EU subsidiary, branch, or service operation in a listed sector, and the group is above the size test | NIS2 (as an important entity, fined on group worldwide turnover) + CRA + supply-chain pressure |
| You make medical devices, vehicles, or aircraft | Sector-specific rules instead of the CRA; NIS2 may still apply to you as an entity |
| You supply telecoms infrastructure | All of the above, plus national security-based supplier restrictions |
What to do about it
- Inventory every product with digital elementsyou place on the EU market — including components sold separately and products shipped years ago that are still in use.
- Build SBOM-based vulnerability monitoring now. You cannot meet a 24-hour reporting window for an actively exploited vulnerability if you cannot see your own components. The September 2026 date is the binding one.
- Classify each product— default, important (Annex III), or critical (Annex IV) — because that decides your conformity route and lead time.
- Check your EU entity against NIS2— sector, and the size test including linked enterprises.
- Read your EU customer contracts. The supply-chain clauses are arriving whether or not the regulators do.
- Appoint the right EU roles: an authorised representative where you use one, and make sure your importer’s and distributor’s duties are actually being met — their failures land on your product.
How COMPLY.Reg helps
COMPLY.Reg is a regulatory compliance platform that uses AI to work out which of these regimes applies to you and turn each into a concrete set of requirements: it extracts the individual NIS2 Article 21 measures, the CRA’s Annex I essential requirements and Article 14 reporting duties, maps them to your controls, and tracks the evidence that proves each one — with a person reviewing the result before it counts. It is built for European companies and for companies outside Europe that must meet European requirements to do business in the EU. Your source documents stay on your own systems, and your compliance data is processed in the EU. Not sure which other EU regimes are in play? Start with which EU regulations apply to your company.
Frequently asked questions
- Does NIS2 apply to companies outside the EU?
- It can. NIS2 reaches entities that provide services or carry out activities within the Union in one of its 18 sectors. Certain digital providers offering services in the EU without an establishment must appoint an EU representative. And because the size test counts linked and partner enterprises, a large non-EU parent cannot rely on a small EU subsidiary to stay out of scope.
- Does the Cyber Resilience Act apply to non-EU manufacturers?
- Yes. The CRA applies to products with digital elements made available on the EU market, regardless of where the manufacturer is established. Market access is the trigger; no EU establishment is required.
- What is the difference between NIS2 and the CRA?
- NIS2 regulates entities — how your organisation secures its own networks and systems. The CRA regulates products — how the things you sell are secured. A hardware manufacturer with an EU operation can be caught by both, in different ways.
- Is the fine based on our EU revenue or our global revenue?
- Global. NIS2 fines are calculated on the total worldwide annual turnover of the undertaking to which the entity belongs, and CRA fines on worldwide annual turnover. The size of your European business does not cap the penalty.
- What is the first CRA deadline?
- 11 September 2026 — the requirement to report actively exploited vulnerabilities and severe incidents, within 24 hours of becoming aware. It applies to products already on the market, not only to new ones.
Sources
- NIS2 — Directive (EU) 2022/2555 (Annexes I–II; Art. 20, 21, 23, 32, 34)
- Cyber Resilience Act — Regulation (EU) 2024/2847 (Annex I; Art. 13, 14, 64; Annexes III–IV)
- European Commission — Cyber Resilience Act (application dates)
- Commission Recommendation 2003/361/EC — the EU SME definition (linked and partner enterprises)