Two EU laws, one shared gap: the blind spot isn't in IT — it's on the production floor. Closing compliance for real means traceability across all three levels: supply chain, storage, and programming.

Helen Gallwas
Marketing Communication Manager

Most companies treat NIS-2 and the Cyber Resilience Act as two separate workstreams. Legal handles one, IT handles the other. The problem: both laws are the EU's regulatory response to a structural failure — the absence of cyber supply chain security across industry. And they converge at the same point — precisely where most companies aren't looking: when a microcontroller gets programmed.

That's not an IT problem. It's a manufacturing problem. And it has a deadline. The European Commission confirmed this with the Tech Sovereignty Package of 3 June 2026: the new Chips Act II introduces far-reaching information obligations along the supply chain, further increasing the documentation pressure on all manufacturers of connected products.

Two Laws, One Shared Objective

What Does NIS-2 Require From Your Supply Chain?

NIS-2 requires companies in critical sectors — including automotive, mechanical engineering, and industrial electronics — to demonstrate verifiable security measures across their entire supply chain. In practice: if you cannot prove that your suppliers are handling components securely, you are liable. Audits, documentation, and end-to-end component traceability are not optional — they are mandatory.

What Does the Cyber Resilience Act Require From Your Product?

The Cyber Resilience Act goes further and reaches directly into the product. From September 2026, manufacturers must actively report exploited vulnerabilities to ENISA within 24 hours. By December 2027, full conformity is required: Secure by Design, complete SBOM, full lifecycle responsibility. Penalties of up to €15 million or 2.5% of global annual revenue make inaction an expensive choice.

The Blind Spot Is on the Production Floor

NIS-2 and the CRA ask the same fundamental question — from two different directions. NIS-2 asks: can you prove your supply chain is trustworthy? The CRA asks: can you prove your product is trustworthy? The answer to both begins at the same point: when a microcontroller gets programmed. Anyone who does not control and document that moment cannot substantiate either answer.

The common instrument is the Chain of Trust.

What Is a Chain of Trust — and Why Do You Need It for Both Laws?

A Chain of Trust is the complete, cryptographically secured audit trail of everything that has happened to a component — from first contact with key material and firmware to the finished, programmed product. Every step is documented, every handover verified. For NIS-2, it is proof that your supply chain is intact — from component to delivery. For the CRA, it is proof that your product is intact — from secure firmware programming to end of lifecycle. The two cannot be separated. And both can be fulfilled through a single, coherent approach.

Where Does the Chain of Trust Break Today?

A verifiable, cryptographically secured record of every programming step is precisely what the CRA and BSI TR-03183 require — and implicitly so does NIS-2. And that is precisely what is missing when firmware is transferred without encryption, flashed manually, and installed without any proof of programming. The Chain of Trust breaks silently and invisibly — and most companies only notice when an auditor asks.

Why "We Have a Firewall" Is Not an Answer

Most companies have a firewall. Many have an ISMS. Both protect the network — but not the moment the product comes into existence. Cybersecurity doesn't start at the first network packet. It starts when the MCU gets programmed — before the product even exists. Anyone who does not control and cryptographically document that moment has a gap in their Chain of Trust that no downstream security system can close. A firewall protects what is already on the network. The Chain of Trust secures what is coming onto it.

Chain of Trust Requires Three Levels

btv technologies is not itself a regulatory addressee of these laws — but btv sits at precisely the process steps where the evidence is created that customers need for their own compliance. And btv is the only partner that covers the Chain of Trust end-to-end: from the packaging unit in the supply chain to the individual component after programming. Not as a compliance service provider, but because transparency is the foundation of every engagement.

Supply Chain: TAK® Creates Traceability at Packaging Unit Level

NIS-2 demands verifiable transparency across suppliers and components. btv technologies' TAK model tracks all relevant data as a matter of course: origin, lot, movement, and location of every packaging unit across the entire supply chain. Customers working with btv already have this data — and can use it for their NIS-2 documentation requirements without any additional effort. Transparency isn't an add-on at btv. It's how the work gets done.


Storage: Every Packaging Unit Stays Fully Documented

Components held in storage represent a regulatory risk that most companies underestimate — because documentation obligations apply here too. btv goes beyond IEC 62435 and documents every packaging unit completely: from intake through every intermediate step — conditioning, repacking, quality inspection — through to release. All processes are traceable, all data retrievable on demand. As a TISAX-certified partner, btv also meets the automotive industry's requirements for information security across the supply chain. Companies that store inventory with btv have NIS-2 and CRA traceability built in — without building a separate system to support it.

Programming: btv SEEL® — Maximum Security, Full Traceability

btv SEEL® is a high-security programming process: key material, firmware, and certificates are processed exclusively in RAM and never stored persistently — no access to content, no attack surface. At the same time, every component movement is tracked: which component received which firmware and which certificate is documented at serial number level and retrievable at any time. This isn't a special feature — it's btv standard. Companies that programme with btv get CRA-compliant SBOM, BSI TR-03183 documentation, and 24-hour recall readiness included as default.

What happens if the programming process itself is compromised? Incorrect firmware in the field, stolen intellectual property, a security audit that cannot be substantiated — these are not theoretical scenarios. btv SEEL® addresses exactly this: the customer receives not only a record of what was programmed, but the assurance that the process itself could not have been compromised. That is the difference between documentation of a process and integrity of a process.


What This Means for Your Compliance Strategy

When Do You Need to Act?

The CRA reporting obligation kicks in less than four months from now. NIS-2 has been national law since October 2024. And the new EU Product Liability Directive makes clear: anyone who cannot reconstruct lot, software version, and delivery history in a liability case risks not a targeted recall — but a complete one.

What Is the First Concrete Step?

The fastest path to clarity: a structured gap analysis. Where does your Chain of Trust break today? Supply chain, storage, or programming — or all three? btv answers that question in a 30-minute conversation with concrete next steps.
