Thousands of manufacturers affected by new cyber security requirements
The NIS-2-Directive on the implementation of cyber security measures will lead to new challenges and obligations for manufacturing industry companies.
By Steffen Zimmermann
What is the NIS-2-Directive?
The NIS-2-Directive (Network and Information Security Directive 2) is a revised version of the original NIS-Directive. Its purpose is to improve the resilience of critical infrastructures and important European sectors against cyber threats.
For the first time, the European directive also obliges companies in the manufacturing sector to implement cyber security. It aims to reduce differences in how cyber security regulations are implemented in the individual EU member states by creating more uniform requirements.
When will it come into force?
The NIS-2-Directive was passed in January 2023 and requires comprehensive implementation in the EU member countries by 17 October 2024. In Germany, the federal cabinet approved the implementation at the end of July with the bill of the NIS 2 Implementation and Cyber Security Improvement Act (NIS2UmsuCG).
As things currently stand, the Bundestag and Bundesrat can be expected to deal with NIS2UmsuCG by the end of 2024. Consequently, in the view of the German Mechanical Engineering Industry Association (VDMA), entry into force of the new law in early 2025 is probable.
In principle, the bill provides no implementation deadline. Consequently, the affected companies must fulfil the requirements as soon as the law enters into force. In Germany, affected companies have three months to register with the Federal Office for Information Security (BSI). The corresponding BSI portal is expected to be available on time.
Who does this affect?
Those affected are primarily mechanical and plant engineering companies with more than 50 employees, or with an annual turnover of more than ten million euros and a balance sheet total of more than ten million euros. In Germany, these are about 3,600 companies, of which approximately 75 percent are small and medium-sized enterprises (SMEs, 50 to 250 employees).
The bill also lists a further 13 sectors, including electrical equipment manufacturers. Companies in the sectors mentioned are covered by the bill's scope if they produce goods or offer services in Europe. Pure distribution companies are excluded. Company groups as such are not covered by the law; each company in a group must be considered individually.
The bill distinguishes according to criticality between so-called essential institutions and important institutions. Mechanical and plant engineering companies can determine whether they are affected by checking the regular statistical reports for their economic sector. If the sector code reported by the company in Germany is between 2800 and 2899, the company is a mechanical engineering company within the scope of NIS2UmsuCG. Companies in the field of electrical equipment are within the scope if their sector code is between 2700 and 2799. The bill does not provide for any further distinctions between specialist sectors or sub-sectors.
Does the NIS-2-Directive also affect lift manufacturers?
Lift manufacturers with the sector code 28.22.0 are in general directly covered in the sector termed "Mechanical engineering" under NIS2UmsuCG and therefore count as essential institutions.
28.22.0 Manufacture of hoisting gear and conveyance equipment
This sub-class covers:
• manufacture of manual or power-driven hoisting gear and conveyance equipment as well as loading and unloading equipment:
o lifting blocks, hoisting gear, winches and capstans
o derricks, cranes, mobile hoisting equipment, straddle carriers, etc.
o works trucks, also self-propelled
o hoisting gear and conveyance equipment for industrial purposes (including hand trucks and wheelbarrows)
o mechanical grabs and industrial robots especially designed for hoisting, conveyance and loading and unloading activities
• manufacture of continuous conveyors, cableways, etc.
• manufacture of lifts, escalators and moving walks
Manufacturers of lift components likewise have to check, based on their registered economic activity (sector code), whether they fall within the scope of NIS2UmsuCG.
What are the obligations of the manufacturer?
Companies covered by the law must take stricter security measures, including cyber risk management measures and reporting obligations for cyber security incidents. NIS 2 obliges companies to implement appropriate cyber security measures in their role as operators of information systems; these include classic IT systems, production systems and IT-related services (such as remote maintenance solutions).
Moreover, management must receive training in risk management. Serious security incidents must be reported to the national authority, in Germany the BSI, within 24 hours. The EU Commission is currently defining which security incidents count as serious.
What are the obligations in other EU countries?
NIS 2 makes no provision for company groups. Consequently, multinational groups must review the respective national implementations of the NIS 2 Directive in every EU country in which they have subsidiaries, and the national subsidiaries must comply with them. For the parties affected, this means that every legal person in the group should be checked individually, taking the EU SME guideline into account.
Every national company that is regarded as "essential" within the directive's scope and does not meet the exception criteria must register with the national supervisory authority. This also applies to group divisions that only provide services in the EU member state (e.g. as a managed service provider). Reports of serious security incidents must always be made by the national company to the respective national authority. To date, the national NIS 2 implementation laws have entered into force in Hungary, Croatia and, most recently, Latvia.
What will happen to manufacturers who do not meet their obligations?
Tough sanctions are being introduced for companies that do not meet the security requirements. For example, failure to implement risk minimisation measures, failure to report a serious cyber security incident and breaches of the registration obligation are subject to fines. Fines of up to seven million euros and business restrictions for the management are possible.
Lift manufacturers must engage thoroughly with the future obligations under the NIS 2 Directive and, in Germany, under NIS2UmsuCG.
The author is the Head of the Competence Center for Industrial Security at the VDMA.
Advice: The VDMA provides support through its Competence Center Industrial Security, for example with recommended actions for SMEs, a mapping of ISO 27001 to NIS 2, and advice for member companies on whether they are affected and on practical implementation.
vdma.org