In terms of Safety and Security, machine builders and operators are currently facing a number of legal requirements. What’s happening in 2024?
NIS 2: More obligations for more companies
Directive (EU) 2022/2555 on Network and Information System Security (NIS 2) specifies measures for a high common level of cyber security across the EU. The existing NIS law, the national implementation of NIS 1, applied primarily to critical infrastructure and to providers of relevant digital services. NIS 2 expands the sectors covered, for example to the manufacturing trades: mechanical engineering, manufacturers of data processing devices, electronic and optical products, electrical equipment, motor vehicles and motor vehicle parts, as well as all other vehicle construction. Within these industries, companies with more than 50 employees or with an annual turnover or annual balance sheet total of over 10 million euros are affected.
These companies will in future be obliged to implement cyber security risk management measures, such as risk analyses and security concepts for information systems, protection of the supply chain and personnel security, as well as concepts for access control and the management of plants. Training for the management is also mandatory. In the event of certain security incidents, called significant incidents, an early warning must be issued within 24 hours and an incident notification must be sent to the responsible authority within 72 hours.
Violations carry the threat of severe sanctions, such as fines of 7 million euros or 1.4 percent of total annual turnover, and natural persons (senior employees) can be held personally liable. The directive was adopted at the end of 2022 by the European Parliament and the Council of the EU. The EU member states have until 18 October 2024 to transpose the directive into national law.
Cyber Resilience Act – Security for the whole product lifecycle
In September 2022, the European Commission published a proposal for a regulation intended to increase the cyber security of products. This Cyber Resilience Act is directed at manufacturers of products with digital elements (hardware and software) that are capable of communicating with other products. This covers products from the B2C segment, such as smartphones or robotic vacuum cleaners, products from the B2B segment, such as controllers and sensors, and pure software products such as operating systems.
How great the impact will actually be depends on the criteria that are ultimately established for classifying products. Under the Cyber Resilience Act, only products that guarantee an appropriate level of cyber security may be placed on the market – and that applies over the whole lifecycle of a product. Experts anticipate that the regulation will be adopted in 2024. The Cyber Resilience Act is an EU regulation and will therefore be directly applicable in the EU member states without national implementing legislation.
Pilz is carefully observing legislation in the Industrial Security field on behalf of its customers. New legal requirements are regularly integrated into the training and consulting offer.