How IXT Zero Trust Addresses NIS2 and the Cyber Resilience Act

A technical breakdown of how IXT Zero Trust maps to NIS2 Article 21 requirements and supports manufacturers preparing for the Cyber Resilience Act.

The short overview

NIS2 (Directive EU 2022/2555) requires essential and important entities to put specific technical security measures in place. The Cyber Resilience Act (Regulation EU 2024/2847) requires manufacturers of connected products to make them secure by design and keep them secure across their support life.

IXT Zero Trust maps to technical measures under NIS2 Article 21(2): access control, network segmentation, incident detection, supply chain access control, audit trail, and continuous authentication for remote sessions.

IXT delivers Zero Trust at the network level over cellular, using Zscaler ZTNA for identity-based application access and Illumio for traffic visibility and segmentation. No VPN client runs on the device.

IXT Zero Trust does not make you NIS2-compliant on its own. Risk documentation, incident response plans, staff training, and supplier governance remain your responsibility.

IXT Zero Trust does not make a product CRA-compliant. It secures the remote-access and maintenance environment around the product. Product design and conformity assessment remain the manufacturer's responsibility.

CRA timeline: in force 10 December 2024, vulnerability and incident reporting from 11 September 2026, full requirements from 11 December 2027.

"IoT devices have limited capabilities to defend themselves. There is often no client, no agent, no way to flag unusual behaviour. Security has to happen at the network level. Zero Trust is how we do that. NIS2 requires it. We built for it." - Henning Solberg, CTO and co-founder, IXT

The compliance question your customers are asking

Your IoT deployment connects devices to back-end systems. It routes data through cellular networks. It gives third-party service technicians remote access to equipment. Under two pieces of EU legislation, each of these activities now carries a compliance obligation.

NIS2 (Directive EU 2022/2555) applies to organisations operating in critical and important sectors. It requires demonstrable security controls across your network and information systems. The Cyber Resilience Act (Regulation EU 2024/2847) applies to manufacturers of products with digital elements. It requires those products to be secure by design and to remain secure throughout their support lifecycle.

This article explains what each regulation requires technically, where IXT Zero Trust addresses those requirements directly, and where the scope of a network security solution ends.

NIS2: What Article 21 requires

NIS2 Article 21 requires essential and important entities to implement appropriate and proportionate technical, operational, and organisational measures to manage risks to the security of network and information systems. The article enumerates ten minimum measures. These are not prescriptive in method. They are outcomes-based. The regulation tells you what must be achieved, not which technology to use.

For IoT deployments, the gap between what the regulation expects and what traditional connectivity solutions deliver is significant. A private APN keeps traffic off the public internet. It does not segment devices from each other. It does not give you visibility into what a device is communicating with. It does not restrict what a third-party contractor can access once connected. And it does not produce the audit trail a regulator will ask for.

The ten measures under Article 21(2) are summarised below, with a direct mapping to what IXT Zero Trust covers and what falls outside the scope of a network security solution.

Article 21(2)(a): Risk analysis and information security policies

What it requires: A documented methodology for identifying, assessing, and treating cybersecurity risks across the systems you operate.

Where IXT Zero Trust contributes: The visibility layer, powered by Illumio, maps all device traffic in real time. Every connection from every device is captured through the mobile gateway. This gives you a factual, current picture of what your devices communicate with, the baseline you need before you can assess risk accurately. You cannot run a credible risk analysis on devices you cannot see.

What remains your responsibility: The risk assessment methodology, the risk register, and the information security policy framework are organisational obligations. IXT provides the visibility to inform them. The documentation and governance process sit with you.

Article 21(2)(b): Incident handling

What it requires: Procedures and capabilities for detecting, containing, responding to, and recovering from cybersecurity incidents. NIS2 Article 23 requires early warning to authorities within 24 hours of becoming aware of a significant incident, a more detailed notification within 72 hours, and a final report within one month.

Where IXT Zero Trust contributes: Illumio detects anomalies automatically. When a device communicates with an unexpected destination, an alert fires. This shortens the time between an incident occurring and your team becoming aware of it. Faster detection directly supports your ability to meet NIS2 reporting timelines. The Zscaler Zero Trust Exchange inspects all traffic in real time, giving your team session-level data for analysis and containment decisions.

What remains your responsibility: Your incident response plan, escalation paths, internal classification criteria, and the regulatory reporting process are yours to define and operate.

Article 21(2)(c): Business continuity and crisis management

What it requires: Backup management, disaster recovery, and crisis management capabilities to maintain or restore critical services following an incident.

Where IXT Zero Trust contributes: Blast-radius reduction is a direct capability. Illumio's policy-based segmentation isolates compromised devices from the rest of your fleet, limiting the spread of an incident before it reaches systems you depend on for continuity. Containing an incident to one segment is measurably different from an incident that propagates across a flat network.

What remains your responsibility: Backup strategy, recovery time objectives, and your crisis management team structure are organisational and infrastructure obligations outside the scope of network security.

Article 21(2)(d): Supply chain security

What it requires: Security requirements for relationships with direct suppliers and service providers, including assessment of their security practices.

Where IXT Zero Trust contributes: Third-party vendor access is one of the highest-risk vectors in IoT. Privileged Remote Access (PRA) replaces VPN-based vendor access with browser-based sessions. Contractors authenticate through a web portal, see only the applications they have been granted access to, and operate within time-limited, recorded sessions. No VPN client is distributed. No network access is granted. A compromised contractor device does not reach your infrastructure, because the session is brokered through the Zero Trust Exchange and fully inspected before anything passes.

This is a direct, documentable control against supply chain access risk. The session recordings give you an audit trail of exactly what each third party did and when.

What remains your responsibility: Supplier due diligence, contract security requirements, and your third-party risk assessment programme are governance obligations outside this scope.

Article 21(2)(e): Security in network and information systems acquisition, development, and maintenance

What it requires: Policies addressing the security of procurement, development, and maintenance activities, including how vulnerabilities are handled.

Where IXT Zero Trust contributes: All traffic from IoT devices is inspected at the Zero Trust Exchange, including file transfers. Malware scanning and sandboxing apply to everything passing through the exchange during maintenance sessions. This reduces the risk of introducing malicious content through a legitimate maintenance workflow.

What remains your responsibility: Your secure development lifecycle, patch management process, and vulnerability disclosure procedures are internal engineering and governance obligations.

Article 21(2)(f): Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

What it requires: A process for evaluating whether the controls you have implemented are working.

Where IXT Zero Trust contributes: The Illumio traffic map gives you a continuous, live view of device behaviour. You compare actual traffic patterns against the policies you have set and identify deviations. This is an evidence base for assessing control effectiveness, not a tick-box report.

What remains your responsibility: The formal assessment process, the review cadence, and the management sign-off on results are yours to own.

Article 21(2)(g): Cyber hygiene practices and cybersecurity training

What it requires: Basic cyber hygiene practices and training for staff with responsibilities in cybersecurity.

Where IXT Zero Trust contributes: Zero Trust removes several categories of hygiene risk at the infrastructure level. No VPN certificates to manage. No exposed ports to patch. No standing network access for contractors. The architecture reduces the number of things your team needs to manually keep secure.

What remains your responsibility: Staff training programmes, acceptable use policies, and security awareness initiatives are organisational obligations.

Article 21(2)(h): Policies and procedures regarding the use of cryptography and, where appropriate, encryption

What it requires: Documented policies on encryption, key management, and the use of cryptographic controls.

Where IXT Zero Trust contributes: All traffic through the IXT Zero Trust architecture is device-initiated and encrypted. No unencrypted traffic reaches the Zero Trust Exchange. The private APN keeps device traffic off the public internet. Encryption is architectural, not optional.

What remains your responsibility: Key management policies, cryptographic standards documentation, and formal sign-off on your encryption approach are governance obligations.

Article 21(2)(i): Human resources security, access control policies, and asset management

What it requires: Controls over who has access to what, across both personnel and systems. Asset management to maintain an accurate inventory of systems and devices.

Where IXT Zero Trust contributes: Access control is the core function of Zscaler ZTNA. No device or user gets network-level access. Access is granted to specific applications only, based on identity and policy. Every session is individually verified. There is no implicit trust. The IXT CMP gives you a real-time inventory of every SIM, every device, every connection, with event logging, session diagnostics, and searchable history. This is your asset register for your cellular-connected fleet.

What remains your responsibility: Your broader access control policies for non-IoT systems, HR security procedures, and formal asset management documentation covering all infrastructure are yours to maintain.

Article 21(2)(j): Use of multi-factor authentication or continuous authentication solutions, and policies and procedures regarding the use of secure voice, video, and text communications

What it requires: MFA or continuous authentication for access to systems. Secure communications policies.

Where IXT Zero Trust contributes: Contractor and employee access through Privileged Remote Access requires authentication through the Zero Trust Exchange before any session begins. The Zero Trust Exchange applies continuous policy verification throughout every session. There is no standing access. Access is granted, verified, and terminated. This directly addresses the MFA and continuous authentication requirement for third-party and employee access to IoT and OT infrastructure.

What remains your responsibility: MFA policies for your corporate IT environment, user directory management, and secure communications policies for internal tools are yours to define.

The Cyber Resilience Act: what it is and what it demands

The Cyber Resilience Act (Regulation EU 2024/2847) is a product regulation. It applies to manufacturers of products with digital elements, meaning hardware and software that connect directly or indirectly to other devices or networks. This covers a wide range of IoT hardware: gateways, sensors, controllers, routers, and any device that communicates over a network.

The CRA entered into force on 10 December 2024. Vulnerability and incident reporting obligations apply from 11 September 2026. Full requirements, including conformity assessment and CE marking, apply from 11 December 2027.

The CRA places three categories of obligation on manufacturers.

First, product security requirements. The product must be designed and developed without known exploitable vulnerabilities, with a secure-by-default configuration, protection against unauthorised access, and mechanisms for security updates throughout its supported life.

Second, vulnerability handling. Manufacturers must have documented processes for receiving, analysing, and addressing reported vulnerabilities throughout the product's support period.

Third, reporting. From September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and their national CSIRT within 24 hours of becoming aware, with a more detailed report within 72 hours.

Where Zero Trust and the CRA intersect

IXT Zero Trust does not make a product CRA-compliant. The CRA places product design, vulnerability management, and conformity documentation obligations on the manufacturer. Those are engineering and process obligations. No network security solution substitutes for them.

What Zero Trust does is secure the operational environment around those products throughout their deployed life.

Remote access to deployed devices for maintenance, updates, and diagnostics is one of the highest-risk activities in IoT operations. Under the CRA, manufacturers are responsible for maintaining the security of their products during the support period. That means the tools and processes used for remote maintenance are part of the security posture regulators will examine. Privileged Remote Access replaces VPN-based access with session-controlled, time-limited, fully recorded browser sessions. The maintenance workflow is documented. Every action is inspectable.

The Zero Trust Exchange inspects file transfers during maintenance sessions, including malware scanning and sandboxing. A vendor pushing a firmware update through a compromised laptop does not automatically introduce that compromise to the device, because the transfer is inspected before it passes.

Illumio's traffic mapping gives manufacturers visibility into how deployed devices behave in the field. When a device starts communicating with an unexpected endpoint, an anomaly alert fires. For a manufacturer responsible for the ongoing security of a product, this is the detection layer that turns a theoretical obligation into an operational capability.

The CRA requires that products remain secure. Zero Trust secures the access paths, maintenance workflows, and communication channels that determine whether they do.

The combined picture for IoT operators

If you operate IoT deployments in a sector covered by NIS2 and you supply connected products, both regulations apply to different parts of your operation. NIS2 governs how you operate and secure your network and information systems. The CRA governs the products you put on the market.

Zero Trust addresses the NIS2 technical controls that matter most for cellular IoT: access control, network segmentation, incident detection, supply chain access risk, audit trail, and continuous authentication for remote sessions. It does not replace organisational obligations: risk assessment documentation, incident response plans, staff training, or supplier governance frameworks.

For CRA obligations, Zero Trust secures the operational environment and maintenance infrastructure around your products. It does not substitute for secure product design, conformity assessment, or the vulnerability reporting process.

The Article 21 mapping above is intended as a working reference. Before using it in tender responses or compliance documentation, verify the specific claims against your legal and compliance team's interpretation of the transposed national legislation in your jurisdiction.

Frequently asked questions

What does NIS2 Article 21 require?

NIS2 Article 21 requires essential and important entities to put appropriate and proportionate technical, operational, and organisational measures in place to manage risks to their network and information systems. It sets out ten minimum measures and describes the outcome each must achieve, not the technology to use.

Does IXT Zero Trust make my organisation NIS2-compliant?

No single product makes you NIS2-compliant. IXT Zero Trust addresses the Article 21(2) technical measures that matter most for cellular IoT, including access control, segmentation, incident detection, and continuous authentication for remote sessions. Risk documentation, incident response plans, staff training, and supplier governance remain your responsibility.

Which NIS2 Article 21 measures does IXT Zero Trust address?

It contributes to risk analysis through traffic visibility, incident handling through automatic anomaly alerts, business continuity through segmentation, supply chain security through controlled third-party access, maintenance security through inspected file transfers, control effectiveness assessment, cyber hygiene at the infrastructure level, encryption, access control and asset inventory, and MFA and continuous authentication for remote sessions.

Does IXT Zero Trust make my product CRA-compliant?

No. The Cyber Resilience Act places product design, vulnerability management, and conformity obligations on the manufacturer. IXT Zero Trust secures the operational environment around the product, including remote maintenance access and file transfers. It does not substitute for secure product design or conformity assessment.

When do Cyber Resilience Act obligations start?

The CRA entered into force on 10 December 2024. Vulnerability and incident reporting obligations apply from 11 September 2026. Full requirements, including conformity assessment and CE marking, apply from 11 December 2027.

How does IXT secure third-party vendor remote access?

IXT replaces VPN-based vendor access with Privileged Remote Access. Contractors authenticate through a web portal, see only the applications they have been granted, and work inside time-limited, recorded sessions. No VPN client is distributed and no network-level access is granted.

How is IXT Zero Trust different from a private APN or VPN?

A private APN keeps traffic off the public internet, but it does not segment devices from each other, show you what a device communicates with, restrict what a contractor reaches once connected, or produce an audit trail. IXT Zero Trust adds identity-based access, segmentation, real-time traffic visibility, and recorded third-party sessions on top of the connection.

What do Zscaler and Illumio each provide in IXT Zero Trust?

Zscaler ZTNA enforces identity-based access to specific applications, with no network-level access and no implicit trust. Illumio maps device traffic in real time, detects anomalies, and applies policy-based segmentation to contain an incident before it spreads.

See how IXT Zero Trust works in practice. Book a demo at ixt.io.