Governance, Compliance & EU Regulation
With new European regulations such as the NIS2 Directive, the Critical Entities Resilience Directive, the EU AI Act and the Cyber Resilience Act, the requirements for companies are increasing significantly. These requirements are also becoming relevant for many Swiss organizations – for example through business relationships with the EU, supply chain requirements, or regulatory obligations. Many companies are facing similar questions: Which regulations apply to us? Which measures are actually required? And how can different compliance requirements be implemented efficiently and in a practical manner?
SYNSPACE Switzerland supports companies in making complex EU regulations understandable, implementing them in a structured way, and documenting them in an audit-ready manner – with a risk-based approach that combines compliance and operational security.
Typical challenges our clients face:
- Which EU regulations affect us at all?
- What does personal liability mean for management?
- How do we prepare for audits?
In Short: What are NIS2, CER, the EU AI Act and the Cyber Resilience Act (CRA)?
New EU regulations such as the NIS2 Directive, the Critical Entities Resilience Directive (CER), the Cyber Resilience Act (CRA), and the EU AI Act strengthen cybersecurity, resilience, and the responsible use of digital technologies across Europe. They affect operators of critical infrastructures, numerous industrial companies, as well as manufacturers of digital products and components. The objective of these regulations is to systematically manage cyber risks, protect supply chains, and increase the resilience of critical services. Many Swiss companies are also affected – for example through their role in European supply chains or through business activities in the EU market.
Core elements of the regulations:
- NIS2: Cybersecurity risk management, incident reporting obligations, and stronger management accountability
- CER: Protection and resilience of critical infrastructures against physical and digital threats
- EU AI Act: Risk-based regulation of AI systems, including requirements for transparency, data quality, governance, and oversight – particularly for high-risk AI in safety-critical and industrial use cases
- CRA: Security requirements for products with digital components across the entire product lifecycle
Together, these regulations create a Europe-wide framework for cybersecurity, resilience, and product security, requiring companies to implement structured risk management and sustainable security governance.
Industries with increased EU regulatory requirements
These industries are particularly affected by European cybersecurity and resilience regulations – whether due to their role as critical infrastructure, as operators of digital services, or as manufacturers of connected products:
- Energy & Utilities
- Industrial & Manufacturing
- Transport & Logistics
- Healthcare & MedTech
- Public Sector
Our Services
- Regulatory Gap Analysis
- Policy & Governance Framework
- Compliance Strategy & Roadmap
- Audit Preparation & Support
Our 4-Phase Approach
1. Scope & Applicability
Analysis of the company structure, services, and products to determine which regulatory requirements are relevant and to what extent they apply.

2. Gap Analysis & Risk Assessment
Assessment of the current maturity level compared to regulatory requirements, as well as identification of security risks, vulnerabilities, and compliance gaps.

3. Strategy & Roadmap Development
Development of a structured implementation strategy with prioritized measures, governance structures, and a realistic implementation roadmap.

4. Implementation Support & Audit Preparation
Support in the practical implementation of security and compliance measures as well as preparation for audits, evidence, and regulatory assessments.
Key Deliverables
- Regulatory Applicability Assessment
- Gap and Risk Analysis
- Compliance Strategy & Implementation Roadmap
- Policy and Process Framework
- Audit Preparation & Evidence Documentation
- Enablement of your teams through training & workshops
Enablement of your teams through Trainings & Workshops
- In-House – delivered on-site at your organization
- Virtual – online, interactive sessions
- Public Courses – open enrollment trainings
- Train-the-Trainer – enable internal multipliers
- Hands-on – real use cases from our consulting practice
- Interactive – workshops instead of traditional lectures
- Up-to-date – latest regulations and standards
- Swiss context – relevant, practical examples
- Enablement-focused – your teams become internal experts
- Role-based – tailored for executive and operational levels
Duration: 1 day (Executive: 3h) | Level: Executive & Operational | Target Audience: C-Level, Compliance Officers, Risk Managers
Content:
- NIS2 Directive – Requirements & Scope
- CER Directive – Resilience of critical entities, management liability & fines, implementation roadmap
Benefits: Regulatory clarity for decision-makers
Duration: 1 day (Executive: 3h) | Level: Executive & Operational | Target Audience: Specialists and managers from product development, quality management, regulatory affairs and IT security at manufacturers of digital products placed on the EU market
Content:
- CRA Scope – which products are affected? Essential Requirements
- Product Lifecycle Security
- CE Marking & Conformity Assessment
Benefits: Regulatory clarity for decision-makers
Duration: 2 days | Level: Executive & Operational | Target Audience: Product Managers, Developers, Security Engineers, Compliance Officers, Quality Managers, Management
Content:
- Overview of cybersecurity and product safety in the context of connected agricultural machinery
- Contextualization of ISO 24882 within the regulatory framework (including the Cyber Resilience Act, Machinery Regulation, ISO/SAE 21434)
- Fundamentals and objectives of ISO 24882, as well as its requirements for organizations and products
- Introduction to risk analysis and risk assessment (including damage scenarios and threat assessment)
- Derivation and implementation of technical cybersecurity requirements for products
- Consideration of the entire product lifecycle, including vulnerability management and supplier handling
- Documentation and evidence management in accordance with ISO 24882
- Roles, responsibilities, and organizational integration within the company
- Practical examples and application of the risk assessment process
- Mapping of ISO 24882 to regulatory requirements such as the Cyber Resilience Act and the Machinery Regulation
Benefits: Participants gain a thorough understanding of cybersecurity requirements for connected agricultural machinery and agricultural products. They learn how regulatory requirements and standards are translated into concrete measures and how risk analyses serve as the basis for secure and compliant.
Duration: 1 day (public) or 2 days (in-house, including customer case study) | Level: Operational / Advanced | Target Audience: Security engineers, developers, system engineers, architects, quality managers, compliance officers
Content:
- Introduction to risk-based approaches to cybersecurity and their importance for secure systems and products
- Overview of regulatory requirements such as the Cyber Resilience Act and relevant standards such as ISO/SAE 21434 and ISO 24882
- Fundamentals of the Threat Analysis and Risk Assessment (TARA) methodology
- Structured execution of a risk assessment:
– Definition of the intended purpose and system boundaries
– Identification and evaluation of assets and cybersecurity properties
– Development of damage scenarios and impact assessment
– Threat modeling (including methods such as STRIDE)
– Assessment of threat occurrence and derivation of cybersecurity risks
- Derivation of measures:
– Risk treatment strategies
– Definition of cybersecurity goals, controls, and requirements
- Adaptation and combination of various methods and standards depending on the project context
- Implementation of cybersecurity requirements and demonstration of security (compliance & auditability)
Benefits: Participants learn to conduct risk analyses in a structured and practical manner and to translate regulatory and normative requirements into concrete security measures. They develop a clear understanding of how to derive robust cybersecurity measures from assets, threats, and risks.
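To make the risk-assessment steps listed for this training concrete, here is a small added example in Python. It is not SYNSPACE course material and not taken from ISO/SAE 21434 or ISO 24882: the risk matrix, the attack-potential thresholds and the treatment thresholds are assumptions in the style of the informative annexes of ISO/SAE 21434, and the sample system (a connected agricultural machine with a telematics unit), its damage scenarios and threat scenarios are constructed for illustration. The block walks from assets and cybersecurity properties through damage scenarios, STRIDE-classified threat scenarios and attack feasibility to a risk value, a treatment decision and, where the risk must be reduced, a cybersecurity goal.

```python
"""Minimal TARA (Threat Analysis and Risk Assessment) walk-through.

Added example, not from the page or from ISO/SAE 21434. Risk matrix,
attack-potential thresholds and treatment thresholds are assumptions;
the sample system and all scenario data are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Impact(IntEnum):
    NEGLIGIBLE = 0
    MODERATE = 1
    MAJOR = 2
    SEVERE = 3


class Feasibility(IntEnum):
    VERY_LOW = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Illustrative risk matrix (assumption): row = impact rating of the damage
# scenario, column index = attack feasibility, cell = risk value 1 (lowest) .. 5.
RISK_MATRIX: Dict[Impact, List[int]] = {
    Impact.NEGLIGIBLE: [1, 1, 1, 1],
    Impact.MODERATE:   [1, 2, 2, 3],
    Impact.MAJOR:      [1, 2, 3, 4],
    Impact.SEVERE:     [2, 3, 4, 5],
}

# STRIDE category -> the cybersecurity property it violates. Used to check that
# a threat scenario really attacks the property its damage scenario is about.
STRIDE_PROPERTY = {
    "S": "authenticity", "T": "integrity", "R": "non-repudiation",
    "I": "confidentiality", "D": "availability", "E": "authorization",
}


@dataclass(frozen=True)
class DamageScenario:
    asset: str
    prop: str          # cybersecurity property of the asset that is compromised
    description: str
    impact: Impact


@dataclass(frozen=True)
class ThreatScenario:
    damage: DamageScenario
    stride: str        # one STRIDE letter
    attack_path: str
    feasibility: Feasibility


def attack_feasibility(elapsed_time: int, expertise: int, knowledge: int,
                       window: int, equipment: int) -> Feasibility:
    """Attack-potential method: sum the five factor scores and map the sum to a
    rating. A higher sum means a harder attack. Thresholds are assumptions."""
    total = elapsed_time + expertise + knowledge + window + equipment
    if total < 14:
        return Feasibility.HIGH
    if total < 20:
        return Feasibility.MEDIUM
    if total < 25:
        return Feasibility.LOW
    return Feasibility.VERY_LOW


def consistent(ts: ThreatScenario) -> bool:
    """A threat scenario must target the property its damage scenario protects."""
    return STRIDE_PROPERTY.get(ts.stride) == ts.damage.prop


def risk_value(ts: ThreatScenario) -> int:
    if not consistent(ts):
        raise ValueError(f"{ts.stride} does not compromise {ts.damage.prop}")
    return RISK_MATRIX[ts.damage.impact][ts.feasibility]


def treatment(risk: int) -> str:
    """Risk treatment decision (thresholds are assumptions)."""
    if risk >= 4:
        return "reduce"
    if risk >= 2:
        return "reduce or share"
    return "accept"


def assess(scenarios: List[ThreatScenario]) -> List[dict]:
    """Rate every threat scenario, derive a cybersecurity goal where the risk must
    be reduced, and return the rows ordered from highest to lowest risk."""
    rows = []
    for ts in scenarios:
        risk = risk_value(ts)
        goal = None
        if treatment(risk) == "reduce":
            goal = (f"{ts.damage.asset}: {ts.damage.prop} shall be protected "
                    f"against {ts.attack_path}")
        rows.append({"asset": ts.damage.asset, "stride": ts.stride,
                     "impact": ts.damage.impact.name,
                     "feasibility": ts.feasibility.name, "risk": risk,
                     "treatment": treatment(risk), "goal": goal})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample: a connected agricultural machine with a telematics unit.
REMOTE_CONTROL = DamageScenario("remote implement control", "integrity",
                                "manipulated command raises implement speed", Impact.SEVERE)
FIELD_DATA = DamageScenario("field map data", "confidentiality",
                            "yield and position data of the operator disclosed", Impact.MODERATE)
TELEMATICS_LINK = DamageScenario("telematics link", "availability",
                                 "fleet monitoring unavailable during harvest", Impact.MAJOR)

SAMPLE_THREATS = [
    ThreatScenario(REMOTE_CONTROL, "T", "unauthenticated command injection via the backend",
                   attack_feasibility(1, 3, 3, 4, 4)),     # sum 15 -> MEDIUM
    ThreatScenario(FIELD_DATA, "I", "sniffing of the unencrypted telemetry upload",
                   attack_feasibility(0, 3, 3, 1, 0)),     # sum 7  -> HIGH
    ThreatScenario(TELEMATICS_LINK, "D", "sustained jamming of the cellular uplink",
                   attack_feasibility(4, 6, 7, 10, 7)),    # sum 34 -> VERY_LOW
]

if __name__ == "__main__":
    for row in assess(SAMPLE_THREATS):
        print(row)
```

The consistency check in `risk_value` is the point most often missed in practice: a threat scenario that does not actually compromise the property named in its damage scenario produces a risk value that cannot be traced back to a damage, which is exactly the kind of gap an auditor will find in the TARA evidence.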
Duration: 2 days | Level: Operational / Advanced | Target Audience: Security Engineers, Software & System Developers, System Engineers, Architects, Product Security Engineers, Quality and Compliance Managers
Content:
- Introduction to cryptography in the context of product security and regulation (CRA, EU AI Act)
- Fundamentals of key cryptographic mechanisms (symmetric/asymmetric encryption, hashes, MACs, digital signatures, PKI)
- Typical attacks and vulnerabilities in cryptographic systems and their assessment
- Selection and application of appropriate cryptographic methods depending on the use case, including secure system integration
- Mapping to regulatory and normative requirements (CRA, EU AI Act, ISO/SAE 21434)
Benefits: Participants learn to apply cryptographic methods in a secure and purpose-driven way, identify vulnerabilities, and translate security requirements in the context of CRA and the EU AI Act into robust and implementable system solutions.
Workshops:
- 0.5–1 day – Current state vs. NIS2/CER/CRA
- 1 day – Leveraging synergies between regulations
- Trainings
- Workshops
- Consulting
- Assessment (Support)
