Navigating Today’s Most Important Cybersecurity Regulations

July 15, 2025 | 7 min read | by Grant Gallacher

Learn why compliance with cybersecurity regulations like NIS2, RED, and ISO 27001 is vital—and why real leadership means going beyond the minimum.

Why compliance matters in cybersecurity regulations

In today’s connected world, data security and network security are no longer just technical concerns — they’re legal and reputational imperatives. As threats evolve and digital infrastructure expands, the regulatory frameworks designed to keep systems secure must keep up. But achieving compliance with these regulations isn’t just about avoiding fines or ticking boxes. It’s about embedding security into every stage of product development and system integration.

In the first two blogs of this series, we explored the human side of cybersecurity — why awareness matters and how to handle vulnerabilities responsibly. Now, we turn our focus to the cybersecurity regulations that define the minimum standard for secure systems.

For property managers, real estate developers, and system integrators alike, the question is simple: would you trust a device that doesn’t meet the latest cybersecurity regulations? And when a manufacturer overlooks mandatory cybersecurity regulations, it raises a much bigger concern — what else might they be neglecting?

Mandatory Regulations: What You Must Follow

Network and Information Security Directive 2 (NIS2): Strengthening Cybersecurity Awareness Across the EU

What is NIS2?
Adopted by the EU in 2022, the Network and Information Security Directive 2 (NIS2) expands mandatory cybersecurity requirements to a broader range of industries, including critical infrastructure, digital services, manufacturers of connected devices, postal/courier services, science, research, and education. Under NIS2, companies must:

  • Adopt risk-based security measures for their networks and information systems.
  • Report serious security incidents within 24 hours of detection. 
  • Implement stricter supply chain security requirements, ensuring that the entire ecosystem – including manufacturers, integrators, and service providers – adheres to robust security practices.

NIS2 plays a crucial role in safeguarding essential services across the EU, enforcing stricter cybersecurity measures and awareness to protect critical infrastructure, including energy grids, water supply systems, and healthcare systems. By doing so, it ensures that everyday essentials—such as electricity, clean water, and medical services—remain resilient against cyber threats, thereby preserving both societal stability and public safety.

Discover more in our blog post: The road to digital security: a look at the EU’s NIS2 directive.

The Radio Equipment Directive (RED): Cybersecurity Requirements for Wireless Devices

What is the RED?

The Radio Equipment Directive (RED), enforced by the European Union, is evolving to introduce mandatory cybersecurity requirements for all wireless and radio-connected devices. This is also relevant for IP-based intercoms and access control systems, as these systems often utilize radio-based technologies for access control, such as RFID card readers or Bluetooth readers. If a device does not comply with the RED, it could face operational disruptions or even be banned from sale in the EU. The directive’s cybersecurity requirements include:

  • Ensuring network resilience to prevent unauthorized access.
  • Protecting personal data and privacy by requiring manufacturers to implement stronger encryption and authentication.
  • Preventing fraud by ensuring devices cannot be exploited through weak security configurations.

Get up to date with our blog: Ready for RED? Complying with the Radio Equipment Directive.

Product Security and Telecommunications Infrastructure (PSTI)

One of the most significant recent regulatory shifts is the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which requires manufacturers of connected devices to provide clear information about their software update policies. This means that companies can no longer discontinue security updates without notice, leaving systems vulnerable. Plus, they must:

  • Declare how long software updates will be available before product end-of-life.
  • Prohibit default passwords, ensuring devices enforce the setup of unique passwords.
  • Publicly provide means for users and researchers to stay cybersecurity conscious and report potential flaws.

Industry Standards: Going Beyond Compliance

While mandatory regulations set the minimum cybersecurity requirements, industry certifications demonstrate a commitment to higher security standards. Although these certifications are not legally required, they serve as powerful indicators that a company takes cybersecurity awareness seriously and has structured, repeatable processes in place to manage risks. Leading vendors follow frameworks like:

  • ISO 27001 – The international standard for Information Security Management
    A globally recognized certification that ensures a company follows structured cybersecurity policies and risk management strategies. 2N holds this certification, displaying our commitment to thorough cybersecurity practices.
  • EN 303 645 – A security standard for IoT devices
    A European standard outlining security best practices for connected devices, including secure software updates, password policies, data protection requirements, and many more.
  • NDAA Compliance – Ensuring trust for and beyond the U.S. market
    The U.S. National Defense Authorization Act (NDAA) restricts the use of telecommunications and security equipment from certain manufacturers that are considered a cybersecurity risk. Integrators working on government or critical infrastructure projects must ensure that all devices, such as IP cameras, intercoms, and access readers, meet NDAA compliance requirements. However, this is not just a U.S. government requirement; many non-governmental organizations worldwide are voluntarily adopting the same security standards. By excluding untrusted brands, they strengthen the resilience of their systems and ensure long-term cybersecurity.

Compliance is just the beginning – cybersecurity leadership goes beyond it

While adhering to standards like RED, NIS2, or PSTI is essential, compliance alone does not mean a company is leading in cybersecurity. Regulatory compliance is the minimum requirement; going beyond it and understanding the complexity of cybersecurity is what differentiates secure and forward-thinking brands.

Many businesses still view cybersecurity awareness as a compliance-driven necessity rather than a strategic advantage. However, real-world incidents have shown that investing in robust security measures is not just about avoiding fines – it’s about protecting business continuity, customer trust, and even lives.

For system integrators and property managers, choosing the right vendors is crucial. Before making a decision, ask yourself:

  • Does the manufacturer provide long-term software support and security updates?
  • Are they transparent about vulnerability disclosures and patches?
  • Do they exceed legal requirements by adhering to best practices, such as ISO 27001 and EN 303 645?

If the answer is no, it might be time to reconsider your options. Cyber threats don’t wait – why should you?


Grant Gallacher

Marketing copywriter

Grant is a copywriter and comedian from Scotland who moved to Prague in 2018 and joined 2N in 2025. He has failed miserably at learning Czech, but luckily, his English is much good-er.