Technical article

The NIS-2 Directive and how it affects mechanical engineering

NIS - Network and Information Security Directive | Security of Network and Information Systems



The NIS-2 Directive (EU) 2022/2555 came into force on 16 January 2023 and defines measures for a high common level of cybersecurity across the Union; it replaces the original NIS Directive, which came into force in 2016. Member states must transpose the NIS-2 Directive into national law by 17 October 2024.

For affected companies, the focus of the NIS-2 Directive is on implementing risk management measures and on the reporting obligations for detected security incidents. Compared with the NIS Directive, the list of critical sectors has been expanded and, among other things, a clear emphasis has been placed on dependencies on partner companies (supply chains).
 

Who is affected?

Whether you are affected by the NIS-2 Directive depends on both the size of the company and the sector it belongs to. The NIS-2 Directive applies to public and private entities of the types listed in Annex I (high criticality sectors) and Annex II (other critical sectors) that meet or exceed the thresholds for medium-sized enterprises set out in Article 2(1) of the Annex to Recommendation 2003/361/EC and that provide their services or carry out their activities in the Union.

Annex I (High criticality sectors) ⇒ essential entities:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Waste water (new in NIS-2)
  • Digital infrastructure
  • Management of ICT* services (business-to-business) (new in NIS-2)
  • Public administration (new in NIS-2)
  • Space (new in NIS-2)

Annex II (Other critical sectors) ⇒ important entities:

  • Post and courier services (new in NIS-2)
  • Waste management (new in NIS-2)
  • Chemicals (production, manufacturing and trade) (new in NIS-2)
  • Food (production, processing and distribution) (new in NIS-2)
  • Manufacturing/production of goods (new in NIS-2)
  • Digital service providers
  • Research (new in NIS-2)

* ICT: information and communication technology

For mechanical engineering companies, the sub-sectors defined under the "Manufacturing/production of goods" sector are of particular importance:

  1. Manufacture of medical devices and in vitro diagnostic medical devices
  2. Manufacture of computer, electronic and optical products (described in division 26 NACE Rev. 2)
  3. Manufacture of electrical equipment (described in division 27 NACE Rev. 2)
  4. Machinery (described in division 28 NACE Rev. 2)
  5. Manufacture of motor vehicles, trailers and semi-trailers (described in division 29 NACE Rev. 2)
  6. Other transport equipment (described in division 30 NACE Rev. 2)

As already mentioned, the company concerned must meet or exceed the thresholds for medium-sized enterprises. The size classes are defined as follows (headcount is combined with the financial criteria using AND; the two financial ceilings are alternatives, so satisfying either one is sufficient):

Size class                 Employees    Annual turnover            Annual balance sheet total
Small enterprise           < 50   AND   ≤ 10 million euros   OR    ≤ 10 million euros
Medium-sized enterprise    < 250  AND   ≤ 50 million euros   OR    ≤ 43 million euros
Large enterprise           ≥ 250  OR    > 50 million euros   AND   > 43 million euros

However, under Art. 2 and Art. 3 of the NIS-2 Directive, companies can also fall within its scope under certain conditions regardless of their size; this is particularly conceivable where dependencies exist through supply chains.
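The two criteria described above (sector and size) can be checked mechanically. The following is an added example, not code from the original article or from the author: it encodes the size-class table exactly as tabulated above and the "Manufacturing/production of goods" sub-sectors listed in this article, and runs a few constructed sample entities through it. Monetary values are assumed to be in euros, and the Art. 2/3 exceptions that can bring smaller entities into scope regardless of size are deliberately not modelled.

```python
"""Size-threshold and sub-sector check for NIS-2 (added example, not part of the article).

Encodes the size classes of Recommendation 2003/361/EC as tabulated in the article
and the manufacturing sub-sectors the article lists. Assumption: amounts in euros.
Not modelled: the Art. 2/3 exceptions that apply regardless of size.
"""
from dataclasses import dataclass

MILLION = 1_000_000

# Sub-sectors of "Manufacturing/production of goods" (Annex II) named in the article,
# with the NACE Rev. 2 division the article gives for each (None where it gives none).
MANUFACTURING_SUBSECTORS = {
    "medical devices and in vitro diagnostic medical devices": None,
    "computer, electronic and optical products": 26,
    "electrical equipment": 27,
    "machinery": 28,
    "motor vehicles, trailers and semi-trailers": 29,
    "other transport equipment": 30,
}


@dataclass(frozen=True)
class Entity:
    name: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    subsector: str


def size_class(e: Entity) -> str:
    """Size class according to the article's table.

    Headcount is combined with the financial criteria using AND, while the two
    financial ceilings are alternatives (OR): an enterprise stays in a class as
    long as it respects at least one of the two ceilings. Exceeding the turnover
    ceiling alone therefore does not move an enterprise up a class.
    """
    if e.employees < 50 and (e.turnover_eur <= 10 * MILLION or e.balance_sheet_eur <= 10 * MILLION):
        return "small"
    if e.employees < 250 and (e.turnover_eur <= 50 * MILLION or e.balance_sheet_eur <= 43 * MILLION):
        return "medium"
    # 250 or more employees, or both financial ceilings of the medium class exceeded
    return "large"


def meets_medium_threshold(e: Entity) -> bool:
    """True if the entity meets or exceeds the thresholds for medium-sized enterprises."""
    return size_class(e) in ("medium", "large")


def nis2_scope_by_size_and_sector(e: Entity) -> str:
    """Coarse scope check on the two criteria the article names: sector and size.

    Returns one of:
      "in scope"              - listed manufacturing sub-sector and medium-sized or larger
      "out of scope by size"  - listed sub-sector but below the medium thresholds
                                (Art. 2/3 may still bring the entity into scope)
      "sub-sector not listed" - not one of the manufacturing sub-sectors modelled here
                                (the other Annex I/II sectors are outside this example)
    """
    if e.subsector not in MANUFACTURING_SUBSECTORS:
        return "sub-sector not listed"
    return "in scope" if meets_medium_threshold(e) else "out of scope by size"


# Constructed sample entities (not real companies) illustrating the AND/OR logic.
SAMPLES = [
    Entity("Machine builder A", 120, 30 * MILLION, 20 * MILLION, "machinery"),
    # 40 staff, turnover above 10 M but balance sheet within 10 M: still small
    Entity("Machine builder B", 40, 12 * MILLION, 8 * MILLION, "machinery"),
    # 40 staff but both small-class ceilings exceeded: medium, hence in scope
    Entity("Machine builder C", 40, 12 * MILLION, 11 * MILLION, "machinery"),
    Entity("Vehicle plant D", 300, 5 * MILLION, 5 * MILLION, "motor vehicles, trailers and semi-trailers"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:18} {size_class(s):7} -> {nis2_scope_by_size_and_sector(s)}")
```

Sample B is the case worth noting: its turnover exceeds the small-enterprise ceiling, but because its balance sheet total does not, it remains a small enterprise and is outside the size criterion, whereas sample C, with the same headcount, exceeds both ceilings and is in scope.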

Tip: Link to the self-assessment (In German) according to NIS-2 from the Austrian Federal Economic Chamber (WKO): https://ratgeber.wko.at/nis2/
 

How is compliance supervised and penalised?

Unlike the NIS Directive, the NIS-2 Directive does not require every company to undergo a regular audit. Important entities are only inspected where there is reasonable suspicion, for example following a security incident. Essential entities, on the other hand, are subject to regular NIS-2 audits by external bodies, and on-site/off-site inspections or security scans are possible at any time. The sanctions for non-compliance also differ, as the following table shows:

                 Essential entity                                  Important entity
Supervision      Ex-ante (in advance) and ex-post (after the fact) Ex-post (after the fact)
                 Regular security audits                           Only in case of reasonable suspicion
                 Sample checks
Sanctions        Up to 10 million euros or 2% of global turnover   Up to 7 million euros or 1.4% of global turnover


What needs to be implemented

The risk management measures (Art. 21 para. 2) must follow an all-hazards approach aimed at protecting the systems from security incidents and must cover at least the following topics. The sub-items serve as examples:

a) Concepts related to risk analysis and security for information systems;

  • Risk-based approach - see also, for example, ISO 27001 and IEC 62443
     

b) Management of security incidents;

  • Incident response plan
     

c) Maintenance of operations & crisis management;

  • BCM - Business Continuity Management
  • Backup & Recovery
     

d) Supply chain security;

  • Interfaces to suppliers, service providers and partner companies
  • Consider supply chain availability
  • State-of-the-art security standards
     

e) Security measures for the acquisition/development/maintenance of ICT;

  • Certification of components and manufacturers
  • Vulnerability and patch management
  • Security by design
  • Security by default
     

f) Concepts and procedures for evaluating the effectiveness of risk management measures;

  • Information Security Management System (ISMS - see ISO 27001)
     

g) Cyber hygiene and cyber security training;

  • Recurring training and workshops
  • Employee awareness of cyber security (e.g. phishing)
  • Define processes and guidelines (e.g. passwords, authorisations, etc.)
     

h) Cryptography and, where appropriate, encryption;

  • Ensure the integrity of the data, both at rest (during storage) and in transit (during transmission)
     

i) Security of personnel, concepts for access control;

  • Physical security
  • Defence-in-Depth approach (see IEC 62443)
     

j) Multi-factor authentication or continuous authentication.

  • Additional factor in addition to the password (dongle, biometrics, app solutions, etc.)
  • Secured voice, video and text communication
  • Secured emergency communication

The measures must ensure a level of security appropriate to the existing risk, taking into account the state of the art, the relevant European and international standards where applicable, and the costs of implementation. The factors determining the proportionality of the measures are the extent of the entity's exposure to risk, the size of the entity, and the likelihood of security incidents and their severity, including their social and economic impact.

In addition, there are reporting obligations to be taken into account in the event of significant security incidents. The deadlines for this are as follows:

  • Within 24 hours: Early warning to the authority.
  • Within 72 hours: detailed notification/assessment.
  • Within one month: detailed progress/final report.
     

Conclusion

If they have not already done so, companies should familiarise themselves with the NIS-2 Directive and define responsibilities (per department) as quickly as possible, even before the national transposition is in force. With the help of initial workshops and surveys, which require the involvement of the knowledge holders in the company, critical services and the assets they depend on can be identified quickly. Note, however, that all services within a company must be subjected to a risk analysis; the remedial measures and the timing of their implementation are then defined using the risk-based approach. Where difficulties arise in achieving the objectives (roadmap), it is advisable to seek help from external consulting companies, but the actual implementation should in any case be carried out by internal resources, as this keeps the expertise within the company.

It is important to note that there is no need to reinvent the wheel when implementing risk management measures. There are already existing frameworks and recognised standards, such as ISO 27001 (Information Security Management) and IEC 62443 (Industrial communication networks - IT security for networks and systems). The requirements from the NIS 2 directive coincide in many areas with the components of the two standards.

For companies, e.g. machine manufacturers, that are not affected by NIS-2, however, this does not mean that they have no obligations in terms of cyber security. Both the new Machinery Directive and the forthcoming Cyber Resilience Act define requirements for manufacturers. Last but not least, operators who are covered by NIS-2 will also place requirements on their suppliers in order to fulfil their NIS-2 obligations with regard to supply chain security. 
 

Implementing rules for NIS-2

  • The Implementing Regulation (EU) 2024/2690 lays down technical and methodological requirements for risk management measures in the area of cybersecurity. It also clarifies when an incident is considered significant and must be reported for various providers (DNS, cloud, online platforms, etc.).

Posted on: 2024-04-02

Author

Martin Strommer
Dipl.-Ing. "Information Security" and Bachelor "Software Design". OT Security Engineer in the areas of critical infrastructures and manufacturing companies. Supports customers in the implementation of intrusion detection systems (IDS), in the handling of security alerts and in the realisation of security advisories. Previously worked for 7 years in the field of machine security, particularly in the areas of safety/security risk assessments and programming of programmable logic controllers. Trained as an internationally certified machine safety expert (CMSE® - TÜV Nord). Lecturer in the "Smart Engineering" bachelor's degree programme at St. Pölten UAS.

Email: martin.strommer@gmx.at

