Safety boss warns of ‘far-reaching’ effects of EU security legislation on industry

THOMAS PILZ, joint managing partner of the German safety technology company that bears his name, has warned that recent and impending European safety and security legislation could have “far-reaching effects” for the whole of industry – and not just in the EU.

Addressing a recent global press conference, Pilz cautioned that “winds of change are blowing for safety”, partly driven by concerns over cybersecurity and AI (artificial intelligence). He highlighted three legal developments that will have a significant impact on many parts of industry.

The first is a European directive aimed at strengthening cybersecurity. The NIS (Network and Information Security) directive has been in existence since 2016 but initially applied only to suppliers of critical infrastructure, which had to implement “appropriate security safeguards” and report serious cybersecurity incidents. In early 2023, however, a new version, called NIS 2, came into force and must be adopted into national law by EU member states by autumn 2024. It applies, amongst others, to engineering and automotive companies with more than 50 employees or turnovers of more than €10m. According to the German Mechanical Engineering Industry Association VDMA, it will affect around 9,000 companies across Europe.

In future, these companies will have to prove that they have taken technical, operational and organisational measures to protect against security incidents, including risk analyses of their existing systems, production environments included. This will be followed by measures such as password protection or encryption, as well as staff training. Cybersecurity incidents must be reported within 24 hours. Supply chains are also included for the first time.

“NIS 2 now affects more companies, extends the obligations and provides for stricter sanctions,” Pilz said. Companies that fail to take measures will be threatened with “severe” penalties.

He pointed out that machine builders will also have to meet the NIS 2 requirements. This will, in turn, affect their controls and sensors suppliers. Because NIS 2 stipulates that suppliers must be taken into consideration, vendors such as Pilz will have to make demands on their suppliers. “NIS 2 covers the whole supply chain,” Pilz said. “It is no longer at the company’s discretion whether, and to what extent, it wishes to grapple with security – it is a legal requirement!”

The legislation allows for companies to be punished after an incident, with penalties of up to 10% of their turnover. “The logic needs to change,” Pilz declared. He is advising companies to deal with NIS 2 “as soon as possible” and to carry out holistic security assessments. This will include, for example, the development of Information Security Management Systems (ISMSs), with certification in accordance with the ISO 27001 information security standard.

The second piece of legislation that worries Pilz is the Cyber Resilience Act. In September 2022, the European Commission submitted a draft for a regulation intended to increase the cybersecurity of products. The Act targets manufacturers of products with digital elements. It covers hardware as well as software, and refers to both consumer and industrial products – including machine controls. Only products that guarantee an appropriate level of cybersecurity may be placed on the market. Manufacturers are also obliged to inform customers of security vulnerabilities and close them as quickly as possible. The regulation covers the whole of a product’s lifecycle. This means that manufacturers must now offer software updates beyond their usual warranty period, to repel future threats. The regulation is expected to be adopted at the end of 2024.

The third new statutory security requirement that Thomas Pilz cited is the EU Machinery Regulation, which was adopted by the European Council last month. It replaces the existing Machinery Directive but, unlike it, makes cybersecurity mandatory. The Regulation includes security protection as a goal. A machine’s safety functions must not be compromised by corruption, whether intentional or unintentional. Unlike a directive, the Machinery Regulation does not need to be converted into national law first. Machine manufacturers will have 42 months to meet the new requirements. They will have to prove that their machines are protected against manipulation.

“To implement security retrospectively is always complex,” Pilz pointed out, “and usually means reductions in user-friendliness, functionality and productivity. The risk assessment now also includes security as well as safety – no security, no CE mark!”

These new measures mean that Europe will have the world’s strictest security requirements. But agreements are already in place with other countries, and similar laws will be introduced there too, Pilz predicts. For example, Australia is currently in talks with the EU and seems likely to follow the European standards. “So, global harmonisation of industrial security is to be expected,” he warned.

Thomas Pilz: “The logic needs to change”

www.drivesncontrols.com June 2023