14.10.2025

Turning regulation into a competitive edge for critical infrastructure operators

Data networks Energy industry Infrastructure and digitalization News Smart City Smart Mobility

The EU’s new cybersecurity directives NIS2.0 (Network and Information Security Directive 2), the CER Directive (Critical Entities Resilience Directive), and the CRA (Cyber Resilience Act) are changing the operating environment for critical infrastructure. They will require organizations within the critical infrastructure sector to strengthen their cybersecurity and preparedness measures.

The regulation consists of three complementary parts:

CRA focuses on the cybersecurity of products and software. Its goal is to ensure that products available on the EU market (IoT devices, SCADA systems, software, etc.) are secure. Key requirements include:

Products must meet essential cybersecurity requirements.
Vulnerability management and security updates throughout the product lifecycle.
Compliance assessment before placing products on the market (CE marking).
Reporting incidents to authorities.
Considerations for service production.

NIS2 emphasizes cybersecurity and risk management, aiming to improve cyber resilience at the EU level. Its key requirements include:

Implementation of technical, operational, and organizational security measures.
Reporting incidents within 24 hours.
Monitoring the security of the supply chain.
Accountability of executive management for cybersecurity.
Supervision and enforcement.

NIS2.0 came into force in Finland under the Cybersecurity Act (124/2025) on May 8, 2025.

CER, in turn, focuses on physical and operational resilience for critical entities. Its goal is to address physical threats, ensuring continuity of services in the event of natural disasters, terrorism, and similar incidents. Key requirements include:

Risk assessment (including physical and cyber threats)
Implementation of resilience measures and business continuity plans
Reporting significant events affecting service continuity

CER came into force in Finland under the Act on the Protection and Resilience of Critical Infrastructure (310/2025) on July 1, 2025.

Cybersecurity and resilience: the foundation of critical infrastructure organizations

Requirements are often perceived merely as costs that increase the complexity of systems and processes. In reality, it’s not just about complying with regulations; when implemented correctly, these requirements can become a strategic competitive advantage for an organization.

Properly executed cybersecurity significantly reduces the risk of disruptions, saving costs in the process. It can also strengthen customer trust and enable the development of new business models. The key question is whether regulatory obligations are seen as a burden or as an opportunity to reinforce the company’s position in the market.

Cybersecurity and cyber resilience directly impact business continuity, reliability, and reputation. Operating in critical environments requires both tolerance to disruptions and rapid recovery from them. From an organizational perspective, this is an essential part of the value chain, from production to customer service.

Now is the right time to ask: do we see regulation as an expense, or do we turn it into a competitive advantage?

Nodeon is an experienced technology expert in critical infrastructure

If you need assistance with designing secure technical solutions, system integrations, or real-time monitoring and maintenance of your entire infrastructure, get in touch!

Explore our telecommunications and cybersecurity services