NIS 2: More obligations and more restrictions for more companies
NIS (Network and Information Security) is an EU directive that aims to strengthen network security. The directive has been in place since 2016 and has so far applied to critical infrastructure providers, including energy, transport, banking and finance, health, the supply and distribution of drinking water, and digital infrastructure. Operators in these sectors must implement “appropriate information security safeguards” and report any serious cybersecurity incidents.

NIS 2, as its successor, comes into force at the beginning of 2023, and EU member states must incorporate it into national law by autumn 2024. The directive now also applies to the engineering and automotive sectors, covering companies with more than 50 employees or an annual turnover of more than 10 million euros. According to the German mechanical engineering industry association VDMA, this will affect about 9,000 companies across Europe.

Going forward, these companies will need to demonstrate that they have taken technical, operational and organizational measures to prevent security incidents. This starts with a risk analysis of existing systems, including those in production environments, in other words OT (operational technology). It is followed by the development and implementation of specific processes and measures such as password protection or encryption, as well as ongoing education and training for employees. Cybersecurity incidents must be reported to the relevant authorities within 24 hours. The explicit inclusion of the supply chain is also new. All in all, NIS 2 affects more companies, expands their obligations, and imposes stricter restrictions. Companies that fail to comply will be subject to severe penalties.
Cyber Resilience Law – Security throughout the product lifecycle
In September 2022, the European Commission presented a draft regulation aimed at improving the cybersecurity of products. The Cyber Resilience Law targets manufacturers of products with a digital element, meaning hardware as well as software. The regulation covers both consumer products and products for industrial applications, such as machine controllers. Under the Cyber Resilience Law, only products that guarantee an appropriate level of cybersecurity may be placed on the market. Manufacturers are also obliged to inform customers of security vulnerabilities and to fix them as soon as possible. The regulation therefore applies to the entire life cycle of the product: manufacturers must provide software updates beyond the usual warranty period so that future threats can be defended against as well. We expect the regulation to be passed by the end of 2024.
New Machinery Regulations – Mandatory cyber security
The third new statutory information security requirement is the EU Machinery Regulation, which will soon be published. Since it is a regulation rather than a directive, it does not first have to be transposed into national law. Machine manufacturers have 42 months to comply with the new requirements. The Machinery Regulation replaces the existing Machinery Directive and, in contrast to the latter, makes cybersecurity mandatory. Whereas the Machinery Directive addresses safety only, the Machinery Regulation incorporates the objective of information security into the “protection against corruption” provisions of the Essential Health and Safety Requirements (EHSR): the safety functions of the machinery must not be compromised by corruption, whether intentional or unintentional. By now, it is well known that meeting the requirements of the Cyber Resilience Act leads to a presumption of conformity with the Machinery Regulation.