31 www.drivesncontrols.com July/August 2025 SAFETY AND SECURITY

also require protection against the corruption of safety functions – of controllers, for example – and thus sets out requirements for industrial security. The concept of machinery safety is being redefined.

The EU has introduced legal requirements for industrial security for engineering on three levels. There are requirements for machinery, products with digital elements, and companies:

• The Machinery Regulation applies to machinery.
• The Cyber Resilience Act (CRA) defines cybersecurity requirements for products with digital elements.
• And the NIS 2 (Network and Information Security 2) Directive focuses on enhancing cybersecurity across the EU, and applies to almost all companies with more than 50 employees.

This presents industry with a huge task. All three laws have already been published by the EU. The clock is already ticking for the first two, and industry now has around 18 months to adapt its development, production and engineering accordingly, including all associated processes and tasks such as training and documentation. This is a truly mammoth task – as was the original implementation of the Machinery Directive.

I’ve already mentioned the Machinery Regulation. The CRA requires that products with digital elements are designed, developed and manufactured in accordance with basic cybersecurity requirements. In concrete terms, this means that there are now requirements for risk assessment and assurance, vulnerability management, documentation and reporting obligations.

This affects Pilz too. In order to implement this, several years ago we introduced a certified “secure” process for product development in accordance with IEC 62443-4-1, and had it certified in 2022. That allows us to guarantee that our developments comply with the CRA.
We have an extensive product portfolio and each product has had to be assessed to determine the extent to which it is affected by the CRA and whether it may need to be adapted. The necessary measures were introduced at an early stage.

Our cyberattack experience

The third piece of legislation, the EU's NIS-2 Directive, which obliges companies to prepare for cyberattacks, has to be transposed into national law. Nine of the 27 EU member states have completed this. In the remaining countries – including Germany and Austria – political circumstances have sometimes prevented laws from being passed. Based on our own experience of being the victim of a cyberattack in 2019, I can say that it would be disastrous to wait until there is agreement at the political level before implementing security protection measures. It's not about fulfilling legal requirements, but about securing companies and their continued existence.

With all of the new requirements, the question arises as to whether other markets besides the EU will also face up to the new challenges, such as AI or cybercrime. To answer that, I’d like to return to the successful CE marking model. As with the Machinery Directive, European laws and standards will probably serve as worldwide models when it comes to AI and cybersecurity. Most governments have a strong interest in ensuring that their citizens are as well protected as possible from these hazards, while machine-builders and manufacturers are keen to be able to market their products worldwide. This means that economic operators outside the EU will also have to meet the new requirements if they wish to continue exporting to the EU.

Security has many facets that affect us, our partners, customers and society in general. The new approval process in India and the new AI and security requirements in the EU are examples of how important it is to have functioning cross-market cooperation. Laws and international standards are key.
They help us to rely on global technical security mechanisms.

Attitudes to machine safety – and legislation – are having to adapt to take account of developments such as AI and cybercrime