NIS 2 & CRA for pharmaceutical packaging: Why digital resilience is now becoming a management task

With NIS 2 and CRA, digital security becomes a legal requirement
Cyber-attacks, system failures and digital vulnerabilities are no longer purely an IT issue. With the Network and Information Security Directive (NIS 2) and the Cyber Resilience Act (CRA), the EU is making digital security a binding part of the regulatory framework – with clear obligations, fixed deadlines and responsibility at management level.
This creates a new reality for manufacturers and distributors of pharmaceutical products: IT security no longer only affects systems, but also products, processes and the entire life cycle. This article clearly and concisely explains how NIS 2 and CRA affect the world of pharmaceutical packaging and what matters now.
What is NIS 2?
The NIS 2 Directive is part of the European strategy to strengthen cybersecurity. The aim is to better protect companies against digital risks and to increase the resilience of critical and economically relevant infrastructures within the EU. Compared to previous regulations, the scope has been significantly expanded – both in terms of the industries affected and in terms of corporate responsibility.
Who is affected by NIS 2?
The NIS 2 Directive came into force at EU level in 2023 and is currently being transposed into national law. In addition to traditional operators of critical infrastructures, numerous relevant sectors of the economy are also covered by the Directive, including:
- Pharmaceutical manufacturers
- Companies along the pharmaceutical supply chain
- Providers of digitally supported production and packaging processes
- Organizations with networked systems, machines or IT infrastructures
The decisive factor is not only the industry, but whether a company is considered affected according to the expanded criteria of the NIS 2 Directive.
What obligations arise from NIS 2?
NIS 2 emphasizes the need for cooperation and information exchange between Member States in the event of cyber incidents. For the first time, specific organizational and technical measures are mandatory:
- Structured risk management measures
- Obligation to report security incidents within 24 hours
- Clearly defined responsibilities and documentation
Particularly relevant: Responsibility lies explicitly at management level. Violations are punishable by fines of up to €10 million or 2% of global annual turnover.

What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) is an EU regulation aimed at strengthening the cybersecurity of products with digital elements. Unlike NIS 2, the CRA is not primarily aimed at organizations and companies, but at products themselves. The aim is to systematically reduce digital vulnerabilities and create a uniform level of security in the European single market.
To whom is the CRA relevant?
The Cyber Resilience Act was passed at EU level in 2024 and is set to become binding in 2027. However, the obligation to report security issues will already come into force in July 2026. The CRA affects all companies that develop, manufacture, distribute or market products with digital elements. These include, among others:
- Manufacturers of machines and systems with software components
- Providers of networked packaging solutions
- Companies with software or firmware components in their products
- Distributors and importers within the EU
The decisive factor here is not the industry, but whether a product is directly or indirectly connected to network components.
What obligations arise from the CRA?
The CRA obliges companies to take cybersecurity into account throughout the entire product life cycle, for example in development, implementation, maintenance and beyond. Key requirements are:
- CE marking including software as proof of CRA compliance
- Possible third-party audits for particularly critical products
- Immediate validity without national implementation
Particularly relevant: Violations are punishable by fines of up to €15 million or 2.5% of global annual turnover.

What do NIS 2 and CRA mean in the field of pharmaceutical packaging?
The full scope of the two regulations only becomes apparent when NIS 2 and the CRA are considered together. While NIS 2 places responsibility on the organization, the CRA focuses directly on the product. For pharmaceutical packaging solutions, this means that digital components, software, interfaces and networked systems are increasingly becoming a regulatory focus. Cybersecurity becomes part of product compliance, quality requirements and long-term operational safety.
Companies that address the new requirements at an early stage can actively shape digital resilience. They create transparent decision-making bases, strengthen the stability of their systems and position themselves as reliable partners within the supply chain – with the aim of building trust and giving customers, authorities and business partners a long-term sense of security.
How are NIS 2 and CRA monitored – and what are the risks?
NIS 2 applies to companies with 50 or more employees and an annual turnover of €10 million in a total of 18 defined sectors. The CRA applies regardless of company size, as it is an EU-wide regulation that directly relates to products with digital elements and regulates their security throughout their entire life cycle.
In Germany, the Federal Office for Information Security (BSI) monitors compliance with NIS 2 requirements. The BSI can carry out both ad hoc and regular checks and is also authorized to order unannounced inspections.
Sanctions are provided for in the event of violations of the requirements of NIS 2 and the CRA. Depending on the nature and severity of the violation, these can have significant financial consequences. The most effective protection against sanctions lies in determining at an early stage whether and how one's own company is affected, implementing the regulatory requirements in a structured way, and keeping comprehensible and complete documentation.
Ensuring digital resilience – with Uhlmann as your partner
Early orientation, clear decision-making criteria and sustainable planning security are key advantages when dealing with NIS 2 and CRA. Structured classification of regulatory requirements reduces risks, avoids subsequent changes under time pressure and strengthens your own compliance and trustworthiness in the long term.
Uhlmann supports pharmaceutical companies in assessing digital risks holistically, classifying regulatory requirements in a practical manner and sensibly integrating cybersecurity aspects into packaging solutions, production environments and existing processes. The aim is to combine technical security, regulatory compliance and economic viability in a way that is reliable, EU-compliant and future-proof.
“Now is the time to think about digital security in a structured way – not just when obligations come into force.”

Florian Wahler
Head of Product Management
Brief overview: NIS 2 and CRA
In the field of pharmaceutical packaging
- NIS 2 and CRA establish digital security as a binding part of the EU legal framework
- NIS 2 addresses organization, responsibility and management level
- The CRA is aimed at products with digital elements
- Digital security equally affects packaging solutions, systems and software
- Cybersecurity becomes part of product conformity and quality requirements
- Reporting obligations will take effect from July 2026
- Violations can lead to significant financial penalties
- Early classification creates clarity, planning security and stability
Are you prepared for NIS 2 and CRA?
Uhlmann supports you on your path to digital resilience. Gain security and strengthen digital trust now: Florian Wahler is your contact for NIS 2 and CRA.