The Radio Equipment Directive has been revised, the NIS‑2 Directive newly created, and the Cyber Resilience Act and the Machinery Regulation are planned. We present these four key steps towards a uniform level of cyber security for manufacturers across the EU.
Smart meters and industrial IoT: all radio systems
The Radio Equipment Directive (2014/53/EU), transposed into German law by the Radio Equipment Act 2017, contains the basic requirements for placing radio equipment on the European single market. By way of a delegated regulation of 29 October 2021, the European Commission extended the scope and purpose of the law: radio equipment that communicates directly or indirectly (via other devices) with the Internet must ensure cybersecurity and data protection. You can find a detailed overview of the scope of application here.
NIS‑2 Directive
The NIS‑2 Directive, which came into force at the beginning of 2023, contains a host of new obligations to raise the level of cyber security in companies that are “highly critical” according to Annex I or belong to other critical sectors according to Annex II. Companies are affected if they have more than 50 employees or a turnover exceeding EUR 10 million and if they provide their services within the EU. Obligated companies must establish a detailed cyber security risk management system. According to the will of the Directive’s issuers, certified systems and standardised processes will be given preferential treatment. Transposition into German law is imminent; under the principle of minimum harmonisation, national legislators may set stricter requirements. You can find detailed information here.
Cyber Resilience Act: new obligations for digital products
With a proposal dated 15 September 2022, the EU Commission presented its draft for a Cyber Resilience Act. It contains requirements for the development, design, production and delivery of digital products, and cyber security must be ensured throughout the entire product lifecycle. The rules are complex: in addition to a unique definition of critical products, they also refer to high-risk systems as defined in the planned AI Regulation. Addressees include manufacturers, distributors, importers and their authorised representatives. Annexes I and II give an idea of the future requirements; critical product groups (38 to date) are listed in Annex III. Detailed information can be found in our freely accessible article on the CRA in the journal Kommunikation & Recht.
Machinery Regulation
The proposal for a Machinery Regulation to replace the current directive was published at the end of 2022. For the first time, it will be permissible to make operating instructions available in digital form alone. The new scope of application also extends to software-operated machines and requires risk assessment procedures. Internet-enabled machines must be specially secured against tampering. The innovations are covered in detail in our whitepaper from September of last year.
Summary
The NIS‑2 Directive must first be transposed into national law. The changes to the Radio Equipment Directive apply directly as a delegated regulation as of 1 August 2024. It is not yet clear when the Cyber Resilience Act or the Machinery Regulation will be adopted. What is discernible, however, is the clear tendency of European legislators to drive forward digitisation without compromising network stability, consumer protection or data protection. Manufacturers should take the necessary measures today to avoid falling behind. You can also find more information in our one-page reports, Incident Response (.pdf) and Cybersecurity and Data Protection by Design (.pdf).