People at Dürr

Cybersecurity is essential for future success

Dr. Christine Payer explains how Dürr integrates cybersecurity into its product strategy and helps customers meet regulatory requirements.

 

CRA, NIS-2, the Machinery Regulation, the AI Regulation—rarely have so many EU regulations focused on digital resilience been introduced simultaneously. What may seem like regulatory compliance on paper actually determines production safety, supp

Dr. Christine Payer, Lead Counsel for IIoT at Dürr AG, presented an overview of these EU guidelines for digitalization at the VDMA European Summit 2026 in Rome—and shares the key takeaways in this interview: what’s changing for manufacturers, why “security by design” is more than a buzzword, and what implementation can look like using Dürr as an example.

Dr. Payer, what was your starting point for your presentation—why focus on “Securely Digitizing Factories”?

Dr. Christine Payer: Because digitization is no longer just a “nice to have.” Any industrial company that wants to remain competitive has no choice but to adopt digitalized production processes. They drive efficiency, improve quality, help optimize energy use, and support more sustainable production. However, with every additional interface, every networked system, and every software component, the risk landscape also evolves. The attack surface is growing—across both IT and OT. Today, it is no longer enough to secure production systems simply by isolating them from the network. Attackers today operate with extreme sophistication and actively search for vulnerabilities within internal corporate systems.
 

You made that very clear in your presentation: Cybersecurity is no longer just an IT issue.

Dr. Christine Payer: Exactly. Today, cyber incidents don’t just affect “IT systems.” They can disrupt production and safety, interrupt supply chains, and ultimately undermine trust. Cybersecurity is therefore a critical component of industrial resilience and corporate responsibility.

You also mentioned a real example of cyberattacks in Rome. What was the point of the example?

Dr. Christine Payer: It was intended to show how far-reaching cyberattacks have become. I referred to attacks at the end of December that affected wind and photovoltaic parks in Poland, while simultaneously targeting the operations of a manufacturing company. This demonstrates that cyberattacks are not “distant threats” or confined to specific industries. The question is no longer whether you might be affected, but how well prepared you are.

At the summit, European regulation was a recurring topic. Where do companies currently stand?

Dr. Christine Payer: We are currently seeing a wave of regulatory activity: the Cyber Resilience Act (CRA), NIS 2, the Machinery Regulation, the AI Act, and the implementation of the EU Data Act. A great deal needs to be implemented in a short period of time, placing significant pressure on companies, especially manufacturers.
And quite honestly: I seriously wonder how small and medium-sized enterprises are supposed to manage this at the required pace—considering how many components in a digitalized factory may fall under the scope of the CRA.

What does this mean for the Dürr Group – did Dürr need to reinvent itself?

Dr. Christine Payer: No—and that’s an important point. At Dürr, cybersecurity has been firmly established across the entire organization for years. We have developed robust processes, including those based on IEC 62443, to provide customers with reliable solutions. However, cybersecurity is not a one-time effort. Dürr has established a central team that continuously monitors the threat landscape and supports customers in rapidly identifying and implementing solutions.
The CRA therefore requires consistent expansion of existing capabilities rather than a strategic overhaul. What is changing significantly, however, is the compliance dimension: It’s not just about technically implementing cybersecurity effectively, but about robustly demonstrating compliance with regulatory requirements and meeting all obligations in a structured way.

 

What does this implementation look like in practice at Dürr?

Dr. Christine Payer: We have established dedicated organizational structures and clearly defined responsibilities for this purpose. A group-wide team of experts—led by key individuals and supported by a steering committee—oversees the implementation of the CRA across the entire organization, including structured knowledge sharing across business units. At the same time, each business unit is responsible for implementing the requirements within its specific area, while the legal framework, interpretation of regulations, and the overall assessment are coordinated centrally. In addition, we have increased resources within our Product Security Development team and established a dedicated team to manage legally required reporting channels. Furthermore, we have set up a secure customer portal through which updates and information are provided.

If you had to sum that up in a headline — what is Dürr’s position?

Dr. Christine Payer: At Dürr, cybersecurity is not an “add-on,” but an integral component of both our corporate and product strategy. The CRA essentially confirms the direction we’ve been following for years.

In Rome, you emphasized that NIS‑2 and the CRA need to be considered together. Why?

Dr. Christine Payer: Because digital factories are only resilient if both sides are addressed properly. NIS‑2 focuses on organizational structures and operational processes — in other words, questions such as: Which systems are critical? How are processes protected? How are risks managed? This scope now extends beyond traditional IT to include OT environments with long‑established structures and legacy systems. Thus, NIS-2 addresses the organizational side of resilience, while the CRA focuses on the security of products and the supply chain. It serves as the critical interface with software suppliers, ensuring a uniform security standard throughout the entire software supply chain.

 

What does this mean for customers—from a practical perspective?

Dr. Christine Payer: When products are developed and delivered in compliance with the CRA, operators can meet their NIS‑2 requirements more easily — because a secure foundation is already “built in.” In this sense, secure products also strengthen overall organizational resilience. That is the essence of the “two sides of the same coin” I referred to in Rome.

Many view this primarily as an additional burden. Do you also see positive effects?

Dr. Christine Payer: Yes. From a business perspective, the European legislator’s clear emphasis on strengthening cybersecurity is fundamentally positive. Dürr is well positioned with established standards, processes, and products to meet these requirements — and to support customers in their secure digital transformation journey.