Cyber secu­ri­ty com­pli­ance: four Euro­pean cor­ner­sto­nes for manufacturers

The Radio Equip­ment Direc­ti­ve revi­sed, the NIS‑2 Direc­ti­ve new­ly crea­ted The Cyber Secu­ri­ty Act and the Machi­nery Regu­la­ti­on are plan­ned. We pre­sent the­se four key steps towards a uni­form cyber secu­ri­ty level for manu­fac­tu­r­ers across the EU.

Smart meters and indus­tri­al IOT: all radio systems

The Radio Equip­ment Direc­ti­ve(2014/53/EU), trans­po­sed into Ger­man law by the Radio Equip­ment Act 2017, con­ta­ins basic requi­re­ments for the pro­vi­si­on of radio equip­ment on the Euro­pean sin­gle mar­ket. By way of a dele­ga­ted regu­la­ti­on of 29 Octo­ber 2021, the Euro­pean Com­mis­si­on exten­ded the scope and pur­po­se of the law. Radio equip­ment that com­mu­ni­ca­tes direct­ly or indi­rect­ly (via other devices) with the Inter­net must ensu­re cyber­se­cu­ri­ty and data pro­tec­tion. You can find a detail­ed over­view of the scope of appli­ca­ti­on here.

NIS‑2 Direc­ti­ve

The NIS‑2 Direc­ti­ve, which came into force at the begin­ning of 2023, con­ta­ins a host of new obli­ga­ti­ons to increase the level of cyber secu­ri­ty in com­pa­nies that are “high­ly cri­ti­cal” accor­ding to Annex I or belong to other cri­ti­cal sec­tors accor­ding to Annex II. Com­pa­nies are affec­ted if they have more than 50 employees or tur­no­ver excee­ding EUR 10 mil­li­on and if they pro­vi­de their ser­vices within the EU. Tho­se who are obli­ged must estab­lish a detail­ed cyber secu­ri­ty risk manage­ment sys­tem. Accor­ding to the will of the issuers of the Direc­ti­ve, cer­ti­fied sys­tems and stan­dar­di­sed pro­ces­ses will be used given pre­fe­ren­ti­al tre­at­ment. Trans­po­si­ti­on into Ger­man law is immi­nent. Accor­ding to the prin­ci­ple of mini­mum har­mo­ni­sa­ti­on, legis­la­tors may set stric­ter requi­re­ments. You can find detail­ed infor­ma­ti­on here.

Cyber Resi­li­ence Act: new obli­ga­ti­ons for digi­tal products

With a pro­po­sal dated 15 Sep­tem­ber 2022, the EU Com­mis­si­on pre­sen­ted its draft for a Cyber Resi­li­ence Act. This con­ta­ins requi­re­ments for the deve­lo­p­ment, design, pro­duc­tion and deli­very of digi­tal pro­ducts. Cyber secu­ri­ty must be ensu­red throug­hout the enti­re pro­duct life­cy­cle. The regu­la­ti­ons are com­plex and, in addi­ti­on to a uni­que defi­ni­ti­on of cri­ti­cal pro­ducts, also refer to high-risk sys­tems as defi­ned in the plan­ned AI Regu­la­ti­on. Addres­sees include manu­fac­tu­r­ers, dis­tri­bu­tors, importers and their aut­ho­ri­sed repre­sen­ta­ti­ves.  Anne­xes I and IIpro­vi­de an idea of the future requi­re­ments; cri­ti­cal pro­duct groups (38 to date) are lis­ted in Annex III. Detail­ed infor­ma­ti­on can be found in our free­ly acces­si­ble artic­le on the CRA in the jour­nal, Kom­mu­ni­ka­ti­on & Recht.

Machi­nery Regulation

The pro­po­sal on a machi­nery regu­la­ti­on to replace the cur­rent direc­ti­ve was published at the end of 2022. For the first time, it is being declared per­mis­si­ble to make ope­ra­ting ins­truc­tions available in digi­tal form alo­ne. The new scope of appli­ca­ti­on also extends to software-operated machi­nes and requi­res risk assess­ment pro­ce­du­res. Internet-enabled machi­nes must be spe­ci­al­ly secu­red against tam­pe­ring. The inno­va­tions are cover­ed in detail in our white­pa­per from Sep­tem­ber of last year.


The NIS‑2 Direc­ti­ve must first be trans­po­sed into natio­nal law. The chan­ges to the Radio Equip­ment Direc­ti­ve app­ly as a dele­ga­ted regu­la­ti­on imme­dia­te­ly as of 1 August 2024. It is not yet clear when the Cyber Secu­ri­ty Act or the Machi­nery Regu­la­ti­on will be adopted. What is dis­cer­ni­ble, howe­ver, is the clear ten­den­cy of Euro­pean legis­la­tors to dri­ve for­ward digi­ti­sa­ti­on wit­hout com­pro­mi­sing net­work sta­bi­li­ty, con­su­mer pro­tec­tion or data pro­tec­tion. Manu­fac­tu­r­ers should take the neces­sa­ry mea­su­res today to avo­id fal­ling behind. You can also find more infor­ma­ti­on in our one-page reports, Inci­dent Respon­se (.pdf) and Cyber­se­cu­ri­ty and Data Pro­tec­tion by Design (.pdf).


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.