CRA, NIS 2 and MR: What awaits machine manufacturers and operators?<\/h2>\n\n\n\nSimon, how does the subject of cybersecurity present itself when you are talking to customers in the field?<\/h5>\n\n\n\n
Simon Nutz: <\/strong>Most people know that they need to act, but many are unsure about what exactly is required. We do a lot of edu\u00adca\u00adtional work and explain to cus\u00adtomers what to expect: what needs to be imple\u00admented? What really affects the com\u00adpany? We start with the basics: what should be pro\u00adtected? What hap\u00adpens if a plant or OT in gen\u00aderal is attacked? On this basis we build appro\u00adpriate pro\u00adtec\u00adtion con\u00adcepts.<\/p>\n\n\n\n Kuczera: <\/strong>Com\u00adpa\u00adnies actu\u00adally have a vested interest in pro\u00adtecting them\u00adselves against cyber attacks. The EU guide\u00adlines are merely intended to ensure that all com\u00adpa\u00adnies are ade\u00adquately pre\u00adpared.<\/p>\n\n\n\n The CRA affects all prod\u00aducts with dig\u00adital ele\u00adments. From December 2027, these must meet a defined Secu\u00adrity level. Anyone who pur\u00adchases new machinery or IT infra\u00adstruc\u00adture must act in accor\u00addance with CRA. Man\u00adu\u00adfac\u00adturers who place their own prod\u00aducts on the market must comply with the rel\u00ade\u00advant processes. At Pilz, for example, we have a devel\u00adop\u00adment process cer\u00adti\u00adfied in accor\u00addance with IEC 62443\u20134\u20111, thereby ensuring that secure product devel\u00adop\u00adment life\u00adcycle require\u00adments are met.<\/p>\n\n\n\n Nutz: <\/strong>Anyone who fol\u00adlows IEC 62443 is already doing a lot of things right. Even if not all of the stan\u00addards are fully avail\u00adable yet, it is a solid foun\u00adda\u00adtion.<\/p>\n\n\n\n Nutz: <\/strong>NIS 2 is about enabling com\u00adpa\u00adnies to pre\u00adpare for a cyber threat sce\u00adnario. The NIS 2 Direc\u00adtive applies to com\u00adpa\u00adnies with over 50 employees or an annual turnover of more than 10 mil\u00adlion Euro. These com\u00adpa\u00adnies must iden\u00adtify risks and take appro\u00adpriate mea\u00adsures: risk man\u00adage\u00adment, backup man\u00adage\u00adment and vul\u00adner\u00ada\u00adbility man\u00adage\u00adment. In future, attacks must be reported. This allows other com\u00adpa\u00adnies to quickly check whether they are also affected.<\/p>\n\n\n\n \u201cThere\u2019s no Safety without Secu\u00adrity \u2013 that\u2019s the core mes\u00adsage of the Machinery Reg\u00adu\u00adla\u00adtion. Any Safety func\u00adtion can be com\u00adpro\u00admised and must be pro\u00adtected.\u201d<\/p>\nMatthias Kuczera, Stan\u00addards Group at Pilz<\/cite><\/blockquote>\n<\/div>\n\n\n\n Kuczera<\/strong>: An infor\u00adma\u00adtion secu\u00adrity man\u00adage\u00adment system in accor\u00addance with ISO 27001 is an ele\u00adgant way to meet the require\u00adments. Alter\u00adna\u00adtively there are infor\u00adma\u00adtion secu\u00adrity man\u00adage\u00adment sys\u00adtems such as TISAX (Trusted Infor\u00adma\u00adtion Secu\u00adrity Assess\u00adment Exchange). Each com\u00adpany must decide whether to go down this route or imple\u00adment other mea\u00adsures.<\/p>\n\n\n\n Kuczera: <\/strong>There\u2019s no Safety without Secu\u00adrity \u2013 that\u2019s the core mes\u00adsage of the Machinery Reg\u00adu\u00adla\u00adtion. It is now nec\u00ades\u00adsary to check whether a Safety func\u00adtion can be com\u00adpro\u00admised and must there\u00adfore be pro\u00adtected accord\u00adingly. Even though the MR does not take effect until 2027, it makes sense to imple\u00adment it now. Secu\u00adrity gaps actu\u00adally exist within the machine, i.e. in the OT. I need to know what my machine does and what the worst-case sce\u00adnario is if an unau\u00adtho\u00adrised person is in con\u00adtrol of it. Is the data con\u00adfi\u00adden\u00adtial? Is avail\u00adability cru\u00adcial? Then I analyse how an attacker might pro\u00adceed and how to secure the con\u00adtrol system. Because this con\u00adtrols the plant and must not be exposed on the Internet without pro\u00adtec\u00adtion. Misuse due to oper\u00adating errors also need to be con\u00adsid\u00adered. Close com\u00admu\u00adni\u00adca\u00adtion between man\u00adu\u00adfac\u00adturer and oper\u00adator is impor\u00adtant. Only the oper\u00adator knows the actual risk in their appli\u00adca\u00adtion.<\/p>\n\n\n\nWhat is the best possible way for machine manufacturers to prepare under the current conditions?<\/h5>\n\n\n\n
What does the NIS 2 Directive require?<\/h5>\n\n\n\n
![](\"https:\/\/pilz-magazine.com\/en\/wp-content\/uploads\/sites\/24\/2025\/11\/Pilz-Manuel-Kuczera-Portrait-1-300x288.jpg\")
<\/figure>\n\n\n\n\n
Security starts in the machine<\/h2>\n\n\n\n
The new Machinery Regulation stipulates that Security aspects must now also be taken into account when assessing Machinery Safety. What is the best approach for a machine manufacturer or operator?<\/h5>\n\n\n\n
Pilz Podcast #43 || OT Security is coming \u2013 but how do I deal with it?<\/h4>\n\n\n\n