For years, cybersecurity regulation lagged behind innovation. Companies built faster, smarter, more distributed systems, and regulators were slow to respond. That era is over.
With the EU’s NIS2 Directive and Cyber Resilience Act (CRA), the rules of engagement have fundamentally changed. Security is no longer a matter of best practice – it’s a legal, operational, and competitive necessity. And nowhere is this shift more disruptive than at the edge, where AI, data, and critical infrastructure converge.
Recent Incidents That Changed the Conversation
If anyone still doubts that cyber incidents ripple far beyond the company that gets hit, the last few months delivered a harsh reality check. Modern infrastructure is deeply interconnected, and a single compromised node can trigger disruption across entire sectors, regions, and supply chains. Two recent events illustrate exactly why NIS2 and CRA are arriving not a moment too soon.
The Collins Aerospace Incident
In September 2025, a ransomware attack targeting a third-party provider disrupted airport operations across Europe. Collins Aerospace, whose MUSE system powers automated check-in kiosks and baggage drops, became the unexpected chokepoint. A Russian-speaking group called Everest claimed responsibility, though attribution remains unverified.
What isn’t in doubt is the impact.
Airports in Berlin and Brussels and London Heathrow felt the shock immediately. Dublin and Cork followed through cascading effects. Digital procedures fell back to manual operations, creating queues, delays, and cancellations. The breach didn’t stay at Collins; it propagated through the aviation ecosystem and temporarily rewired how critical infrastructure functioned.
This is exactly the type of scenario NIS2 is meant to prevent: a single weak link disrupting multiple essential services across borders.
The Jaguar Land Rover Shutdown
Just weeks earlier, the UK experienced what has been called the most damaging cyberattack in its history. On August 31, a coordinated attack forced Jaguar Land Rover to shut down its entire IT infrastructure. Production lines went silent until early October.
The financial fallout was severe, part of a reported £485 million loss for the period, but the broader consequences were even more telling. JLR’s supply chain, heavily reliant on just-in-time delivery, was thrown into chaos. Many small and midsize suppliers lost their primary customer overnight and were pushed to the edge of bankruptcy.
Three well-known English-speaking groups, Scattered Spider, Lapsus$, and ShinyHunters, jointly claimed responsibility. These groups are infamous for highly convincing phishing and help-desk impersonation campaigns, and early signs suggest social engineering may have been the initial vector.
While the full scope of data exposure remains unclear, leaked screenshots showed internal domains, debugging logs, and even backend source code – a stark reminder of how deeply attackers can penetrate modern development environments.
The Pattern We Can No Longer Ignore
Two major incidents, two different industries, but one unmistakable truth: attacks don’t stop at the victim’s door. They travel up and down the supply chain, jump borders, and move from private sector disruption to national-level impact in a matter of hours.
And that’s exactly why NIS2 and CRA matter. They shift us away from the illusion that cybersecurity is an isolated, internal responsibility. In 2025 alone, we’ve already seen how a single breach can become an economic event, not just a corporate one.
If Europe needed a wake-up call, it got several.
The Regulatory Wake-Up Call
NIS2 and CRA are the EU’s way of drawing a line in the sand.
The first, NIS2, which member states had to transpose by 17 October 2024, extends mandatory cybersecurity measures to a much wider range of sectors and entities: not just energy grids and hospitals, but also manufacturers, telecom operators, and digital infrastructure providers. It demands continuous risk management, staged incident reporting (an early warning to the national authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month), and direct accountability of management bodies, who can be held personally liable for non-compliance.
The second, the CRA, takes aim at the very fabric of connected technology. Its main obligations apply from 11 December 2027, with the reporting duties for actively exploited vulnerabilities and severe incidents starting earlier, on 11 September 2026. Any “product with digital elements” placed on the EU market, from industrial controllers to AI-enabled sensors, must be secure by design. That means vendors are legally responsible for patching vulnerabilities, maintaining security updates for the product’s support period, and providing transparency over what’s inside their software via a Software Bill of Materials (SBOM) that covers, at the very least, the product’s top-level dependencies.
These aren’t optional frameworks or checklists. They’re enforceable mandates, carrying fines of up to 2% of global annual turnover (or €10 million) for essential entities under NIS2 and up to 2.5% (or €15 million) under the CRA. For context, that’s the same order of magnitude as GDPR, which tops out at 4%. And just like GDPR reshaped data protection worldwide, NIS2 and CRA are poised to redefine cybersecurity expectations well beyond the EU.
Why Edge and AI Are in the Crosshairs
Edge computing and AI systems sit at the center of this regulatory storm for one simple reason: they’re where digital meets physical.
Factories, transportation systems, smart cities, and telco networks now depend on distributed nodes that process data in real time, often far from the cloud, in environments where uptime and safety are non-negotiable.
Yet these systems are inherently complex and fragmented. Each node might run its own Linux instance, AI model, or Kubernetes cluster; many operate offline, and most rely on third-party components that evolve faster than traditional patching cycles can handle.
A single vulnerability in an edge device can cascade across thousands of endpoints. When that device also hosts AI workloads, say a predictive maintenance model or an object detection pipeline, an attacker could poison data, tamper with models, or hijack GPU resources to run cryptominers.
Until now, this risk was often accepted as a by-product of innovation. Under NIS2 and CRA, it’s a liability.
From Voluntary to Mandatory Cyber Resilience
What’s revolutionary about these laws is not that they promote better security – it’s that they eliminate the option of bad security.
NIS2 makes it explicit that organizations must have detection and response capabilities, continuous monitoring, and controlled access across their digital infrastructure, including edge sites. Incident reports can no longer sit buried in SOC queues for days; operators have just 24 hours from becoming aware of a significant incident to send an early warning to the national authorities, with a full notification due within 72 hours.
Meanwhile, the CRA forces product builders to think like security engineers from day one. Every connected device, every AI controller, every embedded sensor must ship with clear documentation, built-in vulnerability management, and a secure update mechanism that works throughout the product’s lifetime.
Together, they connect both sides of the equation, vendors and operators, into one continuous chain of responsibility. Manufacturers can’t simply ship and forget. Operators can’t assume that security is “someone else’s job.” Both are now accountable for resilience from design to decommissioning.
The End of the “Black Box” AI Era
AI systems complicate compliance because they’re dynamic by nature. Models evolve. Data drifts. Models are retrained and redeployed. Traditional “snapshot” certification approaches, once and done, no longer work.
The CRA leaves little room for that opacity. It requires transparency into the digital components of a product, ongoing vulnerability handling for the whole support period, and reporting of actively exploited vulnerabilities within 24 hours. In practice, that means organizations deploying AI must maintain traceability: which model version is running, what data it was trained on, and how updates are validated before they reach the device.
When combined with NIS2’s real-time incident response obligations, AI systems at the edge must now be auditable, explainable, and secure at runtime – not just during design reviews.
This is forcing a cultural shift inside engineering teams: from build fast and fix later to build secure and evolve responsibly.
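One way to make that traceability concrete is a signed model manifest: the release pipeline records the digest of the validated weights and of every training dataset, signs the record, and the edge node refuses to run anything that does not match. The block below is an added example written for this article, not code from the page or from any vendor it describes. It uses a symmetric HMAC key (an assumption, to keep the example standard-library only; a real pipeline would use an asymmetric signature such as Sigstore/cosign or Ed25519 so that edge nodes hold only a public key), and all model and dataset bytes are constructed in memory.

```python
"""Signed traceability manifest for an edge AI model (added example).

Records SHA-256 digests of the model artifact and its training data,
authenticates the record, and verifies at deployment time that the
running weights are the validated ones. Two failure modes are shown:
tampered weights and a forged manifest.
"""
import hashlib
import hmac
import json

# ASSUMPTION: a release-pipeline key used to authenticate manifests.
# HMAC is used only so the example runs with the standard library.
RELEASE_KEY = b"constructed-release-key-do-not-use"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Stable serialization so the signature does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def build_manifest(name: str, version: str, model_bytes: bytes,
                   datasets: dict, key: bytes = RELEASE_KEY) -> dict:
    """Produce the record a release pipeline would publish next to the model."""
    body = {
        "model": name,
        "version": version,
        "model_sha256": digest(model_bytes),
        "training_data": {ds: digest(b) for ds, b in sorted(datasets.items())},
    }
    return {"body": body, "sig": sign(body, key)}


def verify_deployment(manifest: dict, running_model_bytes: bytes,
                      expected_version: str, key: bytes = RELEASE_KEY) -> list:
    """Return a list of problems; an empty list means the running model is the validated one."""
    problems = []
    body = manifest.get("body", {})
    # Check authenticity first: an unsigned or re-signed manifest proves nothing.
    if not hmac.compare_digest(sign(body, key), manifest.get("sig", "")):
        problems.append("manifest signature invalid")
        return problems
    if body.get("version") != expected_version:
        problems.append(f"version mismatch: manifest has {body.get('version')}, "
                        f"expected {expected_version}")
    if digest(running_model_bytes) != body.get("model_sha256"):
        problems.append("model digest mismatch: running weights are not the validated artifact")
    return problems


# Constructed artifacts standing in for real files on the device.
MODEL_V1 = b"\x00weights-of-defect-detector-v1.3.0" * 64
DATASETS = {
    "defects-2024q3.parquet": b"constructed-rows" * 100,
    "golden-samples.tar": b"constructed-images" * 50,
}
MANIFEST = build_manifest("defect-detector", "1.3.0", MODEL_V1, DATASETS)


def scenario_tampered_weights() -> list:
    """Weights swapped on the device (e.g. a poisoned model), manifest untouched."""
    return verify_deployment(MANIFEST, MODEL_V1 + b"\xff", "1.3.0")


def scenario_forged_manifest() -> list:
    """Attacker also rewrites the manifest to match the poisoned weights, but lacks the key."""
    poisoned = MODEL_V1 + b"\xff"
    forged = build_manifest("defect-detector", "1.3.0", poisoned, DATASETS, key=b"attacker-key")
    return verify_deployment(forged, poisoned, "1.3.0")


if __name__ == "__main__":
    print("clean deploy:", verify_deployment(MANIFEST, MODEL_V1, "1.3.0"))
    print("tampered weights:", scenario_tampered_weights())
    print("forged manifest:", scenario_forged_manifest())
```

The manifest is what an auditor asks for: which weights, trained on which data, approved under which version. The verify step is what turns it from documentation into a runtime control.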
Supply Chain Transparency Becomes Non-Negotiable
If there’s one word that captures the spirit of both NIS2 and CRA, it’s visibility.
Every connected device and AI system today is part of a vast digital supply chain. A single firmware component might depend on hundreds of third-party packages, each a potential attack vector.
The CRA mandates transparency into these dependencies through SBOMs (covering at least the top-level dependencies), continuous vulnerability handling, and security updates for the product’s support period. NIS2 goes even further, holding essential and important entities accountable for the security of their supply chain, including the posture of their direct suppliers and service providers.
This means an unpatched library or outdated edge appliance isn’t just a technical flaw anymore – it’s a compliance violation that can cost millions. It also means the old habit of treating third-party security as “out of scope” is officially over.
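What an SBOM actually buys you is the ability to answer “are we exposed?” mechanically when a new advisory lands. The block below, an added example written for this article and not code from the page or any vendor, takes a CycloneDX-style SBOM and cross-checks each component against a vulnerability feed using introduced/fixed version ranges in the style of OSV. Both the SBOM and the feed are constructed inline with fictional package names and placeholder advisory IDs; a real run would load the SBOM the vendor ships and pull the feed from OSV or the NVD.

```python
"""Cross-check a CycloneDX SBOM against a vulnerability feed (added example).

The SBOM and the feed are constructed for illustration; package names
and advisory identifiers are fictional placeholders, not real advisories.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical edge AI controller firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "edge-inspector-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "libsensorbus", "version": "2.4.1", "purl": "pkg:generic/libsensorbus@2.4.1"},
    {"type": "library", "name": "imgcodec", "version": "1.9.12", "purl": "pkg:generic/imgcodec@1.9.12"},
    {"type": "library", "name": "edgeinfer", "version": "0.8.3", "purl": "pkg:pypi/edgeinfer@0.8.3"},
    {"type": "library", "name": "mqtt-lite", "version": "5.1.0", "purl": "pkg:pypi/mqtt-lite@5.1.0"}
  ]
}
"""

# Constructed feed in the shape of OSV "introduced"/"fixed" ranges (half-open: [introduced, fixed)).
VULN_FEED = [
    {"id": "EXAMPLE-2025-0001", "package": "libsensorbus", "introduced": "2.0.0", "fixed": "2.4.7", "severity": "HIGH"},
    {"id": "EXAMPLE-2025-0002", "package": "edgeinfer", "introduced": "0.5.0", "fixed": "0.9.0", "severity": "MEDIUM"},
    {"id": "EXAMPLE-2024-0003", "package": "imgcodec", "introduced": "1.9.0", "fixed": "1.9.10", "severity": "HIGH"},
]


def parse_version(v: str) -> tuple:
    """Turn '1.9.12' into (1, 9, 12); a non-numeric suffix like '3rc1' counts as its leading digits."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c["version"], c.get("purl", "")) for c in sbom.get("components", [])]


def find_vulnerable(sbom_json: str, feed: list) -> list:
    """Return one finding per (component, advisory) pair whose version falls in an affected range."""
    findings = []
    for name, version, purl in load_components(sbom_json):
        for vuln in feed:
            if vuln["package"] == name and is_affected(version, vuln["introduced"], vuln["fixed"]):
                findings.append({
                    "id": vuln["id"], "component": name, "version": version,
                    "purl": purl, "fixed_in": vuln["fixed"], "severity": vuln["severity"],
                })
    return findings


def release_gate(findings: list, block_on=("CRITICAL", "HIGH")) -> bool:
    """True if the build may ship: no finding at a blocking severity remains."""
    return not any(f["severity"] in block_on for f in findings)


if __name__ == "__main__":
    hits = find_vulnerable(SBOM_JSON, VULN_FEED)
    for h in hits:
        print(f"{h['severity']:8} {h['id']} {h['component']}@{h['version']} (fixed in {h['fixed_in']})")
    print("ship?", release_gate(hits))
```

Run against the constructed data, this flags libsensorbus (HIGH, below the fixed version) and edgeinfer (MEDIUM), clears imgcodec because 1.9.12 is already past the fix, and blocks the release on the HIGH finding. The same loop, pointed at the SBOM of every fielded firmware version, is the “continuous vulnerability monitoring” the CRA asks for in its most literal form.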
Real-World Implications
Consider a few scenarios.
A smart manufacturing line uses edge AI for visual quality inspection. The AI controller falls under CRA as a product with digital elements, and the factory itself is an “important entity” under NIS2. If a vulnerability is found in the AI runtime, both the vendor and the operator must act – patch, document, and report, within strict timelines.
Or a telecom provider deploying GPU-accelerated nodes for 5G analytics. Under NIS2, its network functions are critical infrastructure. Any compromised node becomes a reportable incident. If those nodes use third-party AI accelerators, CRA applies to the hardware suppliers too.
Even public transport systems, increasingly reliant on connected ticketing and SCADA control, must now maintain continuous runtime protection and forensic logging – requirements that align directly with NIS2 and CRA’s security-by-design principles.
The takeaway is clear: compliance isn’t confined to data centers anymore. It’s everywhere data lives and moves.
Turning Regulation into Advantage
The good news? These changes, though demanding, create an enormous opportunity for those ready to adapt.
Organizations that embrace NIS2 and CRA early will gain not only legal compliance, but market differentiation. Demonstrating verifiable cyber resilience – auditable logs, AI-assisted runtime defense, automated patching, built-in compliance reporting – becomes a powerful trust signal to customers and regulators alike.
That’s why forward-looking players are embedding autonomous, AI-native security into their edge infrastructure. They’re deploying lightweight, inline agents that inspect every packet and system call in real time, even offline. They’re using AI to detect anomalies, generate instant remediation playbooks, and maintain audit-ready reports for NIS2 or CRA review.
In short: they’re not reacting to the new rules – they’re building the future around them.
What This Really Means
NIS2 and CRA represent more than new regulations – they mark the beginning of a new cybersecurity era.
One where security is continuous, automated, and provable, where every connected product is accountable for its own resilience and compliance drives innovation rather than stifling it.
For edge and AI ecosystems, this is the moment of truth. The boundaries between IT, OT, and AI are dissolving, and with them, the illusion that security can be bolted on later.
The future belongs to those who can secure intelligence itself – inline, autonomous, and compliance-ready by design.
That’s not just a regulatory requirement. It’s the new definition of trust.