Cybersecurity at the Core: EU and UK Cybersecurity Rules for the Semiconductor Sector
The semiconductor industry faces a rapidly evolving cybersecurity landscape, as regulators across the EU, UK, and U.S. have enacted cybersecurity laws impacting chip manufacturers and downstream semiconductor suppliers, such as managed service providers. In the EU, cybersecurity legislation in recent years has significantly broadened cybersecurity obligations, including upcoming new product-level cybersecurity requirements and more stringent reporting obligations. Even more recently, the UK is overhauling its own cybersecurity framework to also broaden the scope of, and strengthen, existing obligations.
Notably, these laws can apply both directly (e.g., by treating chipmakers as covered “important” entities or as product component manufacturers) and indirectly, by pushing security requirements down the supply chain.
EU: NIS2 Directive
Are You in Scope?
The Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU (NIS2) expands the range of sectors and companies subject to EU cybersecurity regulations, bringing parts of the semiconductor supply chain in scope. In particular, the following covered entities should consider how NIS2 may directly apply to them:
- Manufacturers of Semiconductors and Their Components: Annex II of NIS2 explicitly captures companies that: (i) manufacture computer and electronic products; (ii) either operate or carry out business in the EU; and (iii) are at least medium-sized (i.e., they have at least 50 employees or an annual turnover and/or an annual balance sheet total of €10 million). This means medium and large companies that create semiconductors (such as integrated circuits or LEDs) and/or certain subcomponents (such as capacitors, resistors, diodes, and transistors) can directly fall in the scope of NIS2 as a result of their manufacturing functions (see further Division 26, Section C of NACE Rev. 2). Notably, this categorization under Annex II is solely function-based rather than technology- or sector-specific, catching semiconductor makers regardless of which products the chips are developed for or whether such products are used in critical sectors.
- Semiconductor Customers: In addition to manufacturers of computer and electronic products, NIS2 also covers manufacturers of electrical equipment under Division 27, Section C of NACE Rev. 2. This means it is also possible for purchasers of semiconductors (who may incorporate semiconductors into their own products) to fall directly under the scope of NIS2 as a result of their own manufacturing activities, despite not being involved (directly or indirectly) in the creation of chips. This includes manufacturers of phones, TVs, computers, keyboards, VR headsets, medical devices, smart home appliances, and loaded printed circuit boards (PCBs), as well as entities that load semiconductors onto PCBs. Chip customers that do not have cybersecurity obligations directly imposed by NIS2 should consider whether the Cyber Resilience Act could still directly impose similar cybersecurity requirements on them because they make products with digital elements (see further below).
- Managed Service Providers and Digital Services: Additionally, medium and large managed service providers (MSPs) that are based in, or provide ICT services to companies in, the EU will also be subject to NIS2. Notably, this could include internal MSPs where a distinct group company provides IT services to other companies in the corporate group.
Supply Chain Obligations. Importantly, NIS2 requires in-scope entities to address cybersecurity risks arising from their supply chains and supplier relationships. For semiconductor companies within scope, this may necessitate embedding cybersecurity obligations into supplier agreements and adopting enhanced third-party risk management practices, such as more rigorous vendor due diligence, stricter procurement standards, and ongoing assessments of key suppliers to verify that appropriate security measures are in place. In practice, compliance is likely to involve contractual requirements for suppliers to maintain baseline cybersecurity controls aligned with recognized industry frameworks, such as ISO/IEC 27001 or NIST standards. As a result, even organizations within the semiconductor supply chain that are not themselves directly subject to NIS2 may nonetheless be required to meet NIS2-driven cybersecurity expectations through contractual “flow-down” obligations required to be imposed by regulated customers. These obligations, moreover, are risk-based (per Art. 21(3) NIS2) and are thus likely to be more heavily imposed on suppliers with access to sensitive or proprietary chip design information, including providers of electronic design automation (EDA) software (given the risk of tampering with, or extracting and exploiting, design data), cloud hosting and infrastructure providers, and chip design companies.
What Does This Mean for Companies?
As described in more detail in our previous alert, NIS2 imposes more stringent cybersecurity risk management requirements on in-scope entities, as well as reporting obligations for “significant incidents” to the relevant Computer Security Incident Response Team or competent authority. More specifically, the accompanying NIS2 Implementing Regulation C(2024)7151 clarifies that significant incidents will include those where the incident: (i) results or can result in material financial loss of more than €500,000 or 5% of the relevant entity’s total annual turnover (whichever is lower); (ii) involves the actual or potential loss of trade secrets; (iii) causes or could cause death or considerable damage to an individual’s health; (iv) involves successful, suspected malicious, and unauthorized access to network and information systems, capable of causing severe operational disruption; or (v) is recurring (i.e., where the incident occurs at least twice within six months, the occurrences have the same apparent root cause, and they cumulatively meet the financial loss threshold in point (i)).
Potential enforcement under NIS2 depends on a company’s categorization as essential or important. Essential entities face maximum fines of at least €10 million or 2% of global annual turnover (whichever is higher), whereas important entities face maximum fines of at least €7 million or 1.4% of global annual turnover (whichever is higher). NIS2 further raises the stakes for semiconductor companies by making management bodies personally liable for compliance with cybersecurity risk management measures.
As a directive, NIS2 must first be transposed into an EU Member State’s national law before it becomes enforceable. While the deadline for such transposition has long passed (October 2024), many countries have still not implemented it. As of December 2025, just over half of the EU Member States had implemented the requirements into national law, with a number of large countries still pending. Ongoing implementation status can be tracked on this page.
EU: Cyber Resilience Act (CRA)
Are You in Scope?
Starting from September 2026, Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (CRA) will impose cybersecurity requirements at the product level by ensuring that “products with digital elements” (PDEs) are secure by design and throughout their lifecycle. PDEs are essentially connected products where it is intended (or reasonably foreseeable) that the software or hardware product will be used for a data connection to a device or network, for example, smart home devices or mobile apps that allow users to remotely control such devices.
While semiconductors themselves are not classified as PDEs, semiconductors that are (i) used in PDEs and (ii) sold in the EU will be caught under the CRA, as it applies to PDE components that are separately placed on the EU market. Therefore, chip manufacturers should assess how their chips may reasonably be used by customers and whether such use would involve incorporation into PDEs. This will involve analysis of the chip’s suitability for incorporation into PDEs and how the chip is marketed, as well as actual sales made to customers (and the relevant activities of such customers). For manufacturers expecting to benefit from the exemptions under the CRA (see below), customer contracts should specify that the semiconductors or components are sold exclusively for the exempted use (e.g., regulated medical devices or certain automotive systems) and should not be used for other purposes. Notably, the CRA’s extraterritorial reach means that companies that manufacture, import, or distribute such chips will be in scope regardless of where they are based.
However, certain chips made for specialized equipment may benefit from CRA exemptions that are intended to avoid dual regulation. These exemptions are narrowly drawn and apply only where the semiconductor is already governed by sector-specific cybersecurity frameworks considered “equivalent” to the CRA, such as semiconductors manufactured for medical devices, certain vehicles, and/or marine equipment. Similarly, semiconductors manufactured exclusively for national security purposes, or chips developed as spare parts intended to replace identical components in PDEs, may also fall under the CRA exemptions. Notably, the spare part exemption only applies if the component is made to the exact same specifications as the part it is intended to replace, on the basis that the original part would already have undergone a relevant conformity assessment, or that it would be repairing a PDE that predated the CRA’s application.
What Does This Mean for Companies?
Manufacturers and developers of in-scope chips will be most affected by the CRA’s obligations. As detailed in our previous alert, key requirements include complying with essential cybersecurity and vulnerability-handling requirements, as well as reporting obligations to regulatory authorities and users for severe incidents and exploited vulnerabilities. Meanwhile, importers and distributors of chips will have verification obligations to ensure conformity and disclosure duties to provide certain information regarding the PDE.
Similarly to NIS2, the CRA carries heavy penalties, with fines of up to €15 million or 2.5% of worldwide annual turnover (whichever is higher). Regulators may also issue product recalls or bans for non-compliant products.
UK Equivalence
How Does EU Legislation Compare to the UK?
The UK’s proposed Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) mirrors many NIS2 concepts and significantly expands the scope of the UK NIS regime, which was implemented to follow the original Network and Information Systems Directive ((EU) 2016/1148). The Bill is expected to pass in 2026 and, unlike NIS2, maintains (and expands) the categorization of operators of essential services and relevant digital service providers.
The expanded scope will include key suppliers such as medium and large MSPs providing services in the UK, and certain companies may be designated as “critical suppliers” to essential services. For example, if a semiconductor manufacturer provides specialized chips to UK energy grid operators, hospitals, or telecommunications providers, the government may designate that manufacturer as a critical supplier. The Bill can apply even if a supplier is not established in the UK and, like NIS2, imposes technical and organizational cybersecurity measures as well as incident reporting obligations. Under the Bill, significant penalties apply with maximum fines of up to £17 million or 4% of worldwide turnover, and daily fines of up to £100,000 per day for non-compliance.
Similarly to the CRA, the UK Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) governs consumer connectable products, including minimum cybersecurity compliance obligations and vulnerability reporting. However, unlike the CRA, components of connectable products such as semiconductors do not fall directly within the scope of the PSTIA and are more likely to be subject to such regulatory requirements through customers flowing down their obligations before incorporating chips into any of their connected products.
What Comes Next for Chips?
Semiconductor companies operating across the EU and UK must assess the potential application of various cybersecurity regimes (e.g., using a compliance heat map indicating direct and indirect applicability). With regulations focusing on cybersecurity compliance and reporting requirements, companies may leverage their existing security controls, policies, and procedures by conducting gap analyses against regulatory obligations and making necessary amendments, training relevant teams on any updated practices, and assessing cybersecurity standards along their own supply chain.
Elena Pourghadiri, London trainee solicitor, contributed to the drafting of this alert.
Alex van der Wolk, Global Co-Chair of Data, Cyber + Privacy
Michelle Si-Ting Luo, Associate