Cybersecurity in International Corporate Reorganizations: Strategic Impacts on Structure, Integration, and Risk

The CRA, adopted in late 2024, sets mandatory cybersecurity requirements for products with digital elements. It applies to manufacturers, importers, and distributors, enforcing secure-by-design principles, vulnerability management and post-market surveillance for so-called ‘products with digital elements’ that are placed on the EEA market. These obligations will be enforced from December 2027, with reporting duties starting in 2026.   In the UK, its closest  product security “cousin”, in force since April 2024, the UK PSTI Act though narrower in scope, requires manufacturers, importers, and distributors of consumer connectable products (e.g. smart devices, IoT) to meet minimum security standards before products can be placed on the UK market.]

NIS2, meanwhile, targets (medium-sized and larger) essential and important service providers across sectors such as energy, transport, manufacturing and digital infrastructure providing in scope services in the EEA. It requires robust risk management, swift incident reporting and coordination with national authorities. Although effective since January 2023, national implementations vary, creating a patchwork of compliance requirements.    [The UK meanwhile has recently release a first draft of the UK Cyber Security and Resilience Act (CSR Bill). This is currently progressing through Parliament and will expand the UK’s cyber regulatory framework, aligning it more closely with the EU’s NIS2 Directive but tailored for the UK context.]

Together, CRA and NIS2 form a comprehensive regime: one focused on product integrity, the other on enterprise operational resilience. This duality introduces new layers of complexity and risk for companies in the EU and EEA providing certain critical services and products.  Sanctions under NIS2 are significant -up to EUR 10 million or 2% of global annual turnover of the relevant entity. Managing directors may also be held personally liable for not complying with NIS2. For managing directors in companies falling within the scope of NIS2, this should result in awareness of tasks and  accountability, incident response readiness, and cross-border compliance strategies. Administrative fines under the CRA can go up to 2 % of the total worldwide annual turnover.

The UK and other countries are seeking to create a similar broader web of cybersecurity controls.     The picture gets even more complex if the organisation falls within other highly regulated sectors such as financial services.

How Do Cybersecurity rules such as CRA and NIS2 Affect Your Reorganization Strategy?

1. Entity Structuring and Rationalisation

• The CRA and NIS2 introduce new compliance thresholds that must be considered when determining which entities to retain, merge, or divest.
• Product portfolios and operational footprints should be mapped against CRA applicability and NIS2 sectoral scope. This may influence decisions on which entities remain in the EEA, how digital products are distributed, and where critical functions are located.
• Early identification of in-scope entities and products can prevent costly restructuring or regulatory exposure after completion.

2. Post-Completion Integration

• Integration plans must now include cybersecurity compliance as a core workstream.
• Harmonising policies, controls, and reporting mechanisms across newly combined entities is essential to meet CRA and NIS2 requirements.
• Failure to align cybersecurity standards can delay integration, trigger regulatory scrutiny, or expose the group to sanctions and reputational risk.

3. Risk Management Frameworks

• Both regimes require robust, documented risk management and incident response frameworks.
• Boards and managing directors are expected to demonstrate oversight and accountability for cyber risks—across all relevant entities and jurisdictions.
• Risk registers, governance structures, and reporting lines should be reviewed and updated to reflect the expanded obligations under CRA and NIS2. This is particularly important for cross-border groups, where national implementation of NIS2 may vary.

Key Takeaways for International Reorganizations

• Cybersecurity compliance is now a strategic driver in entity structuring, integration, and ongoing risk management—not just a technical or legal afterthought.
• Early, proactive assessment of CRA and NIS2 implications can unlock value, streamline integration, and reduce the risk of regulatory intervention.
• Embedding cybersecurity into your reorganization process enhances market access, stakeholder trust, and long-term resilience.

Our International Corporate Reorganizations team, together with our Data and Cybersecurity specialists, is ready to help you navigate these complexities and turn compliance into a strategic advantage.