Security legislation: What’s happening in 2024?

Image: © adiruch na chiangmai; © Pilz GmbH & Co. KG, Ostfildern

In terms of Safety and Security, machine builders and operators are currently facing a number of legal requirements. What’s happening in 2024?

NIS 2: More obligations for more companies

Directive (EU) 2022/2555 on Network and Information System Security 2 (NIS 2) specifies measures for a high collective level of cyber security in the EU. The previous NIS law, the national implementation of NIS 1, primarily applied to critical infrastructure and providers of relevant digital services. NIS 2 expands the sectors covered, for example to include the manufacturing and producing trades: engineering, manufacturers of data processing devices, electronic and optical products, electrical equipment, motor vehicles and motor vehicle parts, as well as any other vehicle construction. Within these industries, companies with more than 50 employees OR an annual turnover or annual balance sheet of over 10 million euros are affected.

In future, these companies will be obliged to implement risk management measures for cyber security, such as creating risk analyses and safety concepts for information systems, protecting the supply chain and the safety of personnel, and establishing concepts for access control and the management of plants. Training is also mandatory for management. In the event of certain security incidents, called significant incidents, an early warning must be issued within 24 hours and a report must be sent to the responsible authority within 72 hours.

In case of violations, severe sanctions are possible, such as penalties of 7 million euros or 1.4 percent of the total annual turnover, and natural persons (senior employees) can be held liable. The directive was adopted at the end of 2022 by the European Parliament and the Council of the EU. The EU member states have until 18/10/2024 to transpose the directive into domestic law.

A number of changes relating to the topic of Security are currently pending in industry. Pilz supports its customers with training courses and services to ensure that they can meet these requirements.

Cyber Resilience Act – Security for the whole product lifecycle

In September 2022, the European Commission submitted a draft for a regulation intended to increase the cyber security of products. This Cyber Resilience Act is directed toward manufacturers of products with digital elements (hardware and software) that are capable of communicating with other products. This covers products from the B2C segment, such as smartphones or robotic vacuum cleaners, as well as products from the B2B segment, such as controllers and sensors, and pure software products such as operating systems.

How great the impact will actually be depends on the criteria that are ultimately established for classifying products. In accordance with the Cyber Resilience Act, only products that guarantee an appropriate level of cyber security may be placed on the market, and that applies over the whole lifecycle of a product. Experts anticipate that the regulation will be adopted in 2024. The Cyber Resilience Act is an EU regulation and will thus apply directly in the EU member states without national transposition.

Pilz is carefully observing legislation in the Industrial Security field on behalf of its customers. New legal requirements are regularly integrated into the training and consulting offer.
