Four Security Standards That Mechanical Engineering Companies Need to Know About in 2024
Your roadmap for navigating the EU Data Act, Cyber Resilience Act, NIS2 and IEC 62443
The year 2024 will be a decisive turning point for manufacturers of components, devices and machines for the Industrial Internet of Things (IIoT), because four important European Union security standards are taking effect or coming into focus. The European Commission has set clear minimum security requirements for IoT products, which not only strengthen cybersecurity but also significantly increase the responsibility of manufacturers, operators and integrators. These companies are advised to ensure that their products meet these standards from 2024 onwards in order to retain their presence in the EU market.
Ultimately, it concerns the far-reaching changes described in the EU Data Act, the Cyber Resilience Act (CRA), the Network and Information Security Directive (NIS2) and the international series of standards that address cyber security for industrial communications networks and systems (IEC 62443). The focus is on ensuring the confidentiality, integrity, authenticity, and availability of IoT devices to be prepared against cyber threats.
Failure to comply with these new security standards exposes companies to various risks, including facilitating hacking attacks, security breaches, lost productivity, and damage to the company’s reputation. It may also result in financial losses due to heavy fines and legal consequences. In addition, there is a risk of data loss, manipulation and unauthorized access to data, which can lead to a loss of image and trust, and in the worst case also to a loss of revenue.
It is time to rethink and adapt the approach to IoT device security to meet the current and future challenges of our fast-moving world. Here you will find everything you need to know on this subject as a manufacturer of components and devices.
EU Data Act
The EU Data Act is a new regulation that lays down uniform rules for access to data, switching cloud suppliers, and interoperability requirements in the EU. It applies to both personal and non-personal data and aims to remove barriers to the use and reuse of non-personal data, especially data generated by networked products and related services.
The EU Data Act was ratified by the European Council on November 27, 2023 and entered into force at the beginning of January 2024. There is a transitional period of 20 months until September 12, 2025, after which the Data Act will become directly applicable law throughout the EU.
Access to data and consumer rights
The EU Data Act not only regulates access to, but also the use of data generated by IoT devices. Consumers are given the right to access their data in real time and use it for value-added services such as predictive maintenance. This not only promotes transparency, but also strengthens their position in terms of having control over their own data.
Fostering competition in the after-sales market
An important focus of the EU Data Act is the creation of a single market for the free movement of data within the EU. Manufacturers could be obligated to share certain data with repair or service providers. This could lead to more competition in the after-sales market, as consumers would have more choice and better access to services.
Data security and location restrictions
The act also contains provisions on data security, including a ban on storing or processing certain data outside the EU. This is intended to protect sensitive information and at the same time promote the development of interoperability standards to facilitate the reuse of data in various sectors of industry.
What does the EU Data Act mean for mechanical engineering companies as well as component and device manufacturers?
For manufacturers of IoT devices, the introduction of the EU Data Act means increased compliance responsibility. This includes not only ensuring data access for users, but also ensuring comprehensive protection of their data and compliance with data security. Addressing these requirements will be decisive for companies to avoid fines and remain competitive in the evolving data-driven economy of the EU.
In order to comply with EU data protection law in the future, manufacturers must ensure that their products and related services are accessible to customers and that the data generated by the products, and the way the data is used, are transparent. In addition, they must design their products in such a way that customers can access the data and share it with third parties.
Cyber Resilience Act (CRA)
The European Cyber Resilience Act (CRA) is a proposal for a legal framework to lay down cybersecurity requirements for hardware and software products offered on the market in the European Union. It is intended to ensure that manufacturers take security seriously throughout the entire life cycle of a product and create conditions that enable users to take cybersecurity into consideration when choosing and using products with digital elements.
The European Parliament has recently reached political agreement on the legal content of the act, which has yet to be ratified by the European Parliament and the Council. It is expected that the act will go through the EU legislative process at the beginning of next year and will be formally adopted at the beginning of 2024. However, it is envisaged that the new Cyber Resilience Act will only come into force 36 months after its adoption, i.e. at the end of 2026 at the earliest.
The Cyber Resilience Act represents a milestone in European Union legislation, as it is the world's first draft law that specifically addresses the cybersecurity of products with digital elements, especially with regard to IoT. The regulation, which is still at the draft stage, aims to lay down minimum standards and continuous updates to increase cybersecurity and protect digital products, including IoT devices.
Focus on security-by-design
A central aspect of the CRA is the emphasis on the secure-by-design concept. This means that manufacturers must take security-related aspects into consideration right from the development stage of their products. Cybersecurity needs to be an integral part of the product, from the development stage through to the end of its life cycle. The idea behind this is to design products that are fundamentally secure right from the start, instead of implementing security measures retrospectively.
Manufacturer responsibility over the entire life cycle
A key concern of CRA is shifting responsibility for the cybersecurity of digital products to businesses, in particular manufacturers. This includes an obligation to integrate cybersecurity into every step of the development and software life cycle. Documenting risks, continuous monitoring of vulnerabilities, and rapid response to security incidents are all part of this.
Specific security requirements for IoT devices
The CRA lays down specific security requirements for IoT devices to ensure the protection of personal and financial data. Some of these basic requirements include a ban on using standard and weak passwords, the obligation to support software updates, the obligation to check for security vulnerabilities, and the protection of stored personal and financial data. In addition, consumers are given the right to manage and erase their data.
Product categories and assessment procedures
The draft act proposes creating two product categories: critical and non-critical products. Critical products are assessed by third parties, while non-critical products only require the manufacturer to declare that the act has been complied with. This distinction between the two categories is intended to ensure that higher-risk products are subject to more intensive testing.
What does the Cyber Resilience Act mean for mechanical engineering companies as well as component and device manufacturers?
For component and device manufacturers, the introduction of the CRA means a profound change in how they develop and bring digital products to market. It will oblige manufacturers to improve the security of products with digital components from the design and development phase through the entire life cycle, including hardware and software updates and new versions on the market. In addition, it will create a uniform framework for cybersecurity, increase the transparency of the security properties of products and enable companies and consumers to safely use products featuring digital components.
Failure to comply with the requirements of the act can result in severe penalties of up to EUR 15 million or 2.5% of annual revenue.
Network and Information Security Directive (NIS2)
The NIS2 directive is an EU-wide piece of legislation that provides legal measures to improve the overall level of cybersecurity in the EU by ensuring readiness and cooperation between member states and requiring the most important players in key industries to implement security measures and report incidents.
The NIS2 directive came into force on January 16, 2023. The member states must adopt and publish the necessary measures to comply with the NIS2 directive by October 17, 2024 and apply these measures from October 18, 2024. In Germany, a draft bill from the Federal Ministry of the Interior on the NIS2 Implementation Act (NIS2UmsuCG) has already been drawn up.
The NIS2 directive defines a broad scope of application that covers various sectors. Manufacturers of components and devices as well as mechanical engineering companies must deal with NIS2 in particular if their products are considered critical or important within the meaning of the directive. This significantly expands the scope compared to the existing NIS directive: whether a company is covered depends on its classification as an “essential” or “important” entity as well as on the size and revenue of the company. This can be the case, for example, if they hold valuable data that makes them attractive targets for cyber attacks. The use of networked IoT devices further increases the risk of attack.
NIS2 security checks and monitoring
NIS2 relies on comprehensive implementation of security checks to minimize the risk of cyber attacks. This includes the implementation of holistic and stringent security measures as well as increased monitoring. The directive places great emphasis on identifying vulnerabilities, strengthening security, maintaining vigilance, and preventing cyber damages to systems and data.
What does NIS2 mean for mechanical engineering companies as well as manufacturers of components and devices in critical infrastructures?
- Prioritizing supply chain security: Manufacturers must assess the security of their supply chain and mitigate risks. This includes measures to secure suppliers, partners and contractors.
- Focus on risk management: Manufacturers who are classified as “important” must introduce mandatory risk management processes. This may require investment in new tools and additional specialist staff.
- Increased collaboration with IT service providers: To meet NIS2 requirements, manufacturing companies must work more closely with IT service providers. This can lead to higher costs and changes in business models.
Companies in critical infrastructures in particular need to take NIS2 compliance seriously. Failure to comply may result in significant fines, which can amount to EUR 10 million or 2% of revenue.
International series of standards on cyber security for industrial communications networks and systems (IEC 62443)
IEC 62443 is an international series of standards that deals with cyber security for industrial technology in automation and control systems. It contains guidelines for securing industrial control systems (ICS) and operational technology (OT) networks and was originally developed for the industrial process industry, but is now applicable to a wide range of industries. The standards take a risk-based approach to cybersecurity and provide a framework for systematically evaluating, mitigating, and managing cybersecurity risks in industrial automation and control systems to ensure the reliability and security of critical industrial processes and infrastructure.
The IEC 62443 series of standards has been developed over time, and the individual parts have been published and introduced step by step at different times. For example, the IEC 62443-4-1 standard, which sets process requirements for the secure development of products for industrial automation and control systems (IACS), was published in February 2018.
IEC 62443 is an important guideline for manufacturers in the field of industrial automation to meet growing cybersecurity challenges. The integration of effective risk management, the implementation of secure development practices from the start, and the possibility of product certification and supply chain protection are key aspects that help manufacturers offer the highest quality and security products. Lifecycle management in accordance with IEC 62443 ensures that products meet the highest security standards not only when they are launched but throughout their life cycle. Overall, the standard provides manufacturers with a clear structure and guideline to make their products resistant to cyber attacks and ensure the integrity of industrial automation systems.
IEC 62443 is divided into four parts:
- General: The first part describes the basic nomenclature, concepts, models and guidelines that apply to the complete series of standards.
- Policies and Procedures: The second part focuses on methods and processes related to IACS security. The requirements for security training for various roles in the industry, such as operators, integrators and service providers, are defined here.
- System: The third part deals specifically with the assessment of security risks for system design and risk management and provides a systematic approach for preventing and managing security risks in industrial automation and control systems.
- Component and system requirements: This last part describes the detailed requirements for secure product development and the security-related features of IACS components.
Focus on secure development processes
Security standards should not only be seen as a necessary hurdle, but as an integral part of the development process. Integrate security into the design and development cycle from the start to identify and address potential risks early on. The IEC 62443 standard plays a decisive role in promoting these secure development practices. In particular, Part 4-1 “Secure product development lifecycle requirements” sets out the guidelines and requirements to ensure that security is integrated into the whole development process. This standard affects both hardware and software development and applies to both new and existing products.
Train employees at regular intervals
Continuously train your team on the latest security practices and technologies. Through training and cross-functional working groups, you can raise awareness of security risks and ensure that your team proactively responds to threats.
Consider an edge device management solution
With the K-PORT edge device management solution, you can manage all devices worldwide in a cloud-based edge device environment. For its implementation, we rely on maximum security. Our solution is based on Oracle Cloud Infrastructure (OCI), which meets the strict requirements of the cloud computing criteria catalog C5 of the German Federal Office for Information Security. This catalog, first published in 2016, sets minimum standards for secure cloud computing and serves as a benchmark for professional cloud suppliers, their auditors and customers.
Since its introduction, the C5 catalog has become successfully established and is used by a growing number of national and international cloud suppliers. In addition, C5 compliance supports your own risk management by making it easier to meet regulatory and compliance requirements while providing a high level of security and reliability for cloud-based services. In today's fast-paced and security-aware business world, this represents a decisive competitive advantage.
In light of the new security standards set by the European Commission for the Internet of Things (IoT), it is clear that security is no longer an option, but an indispensable cornerstone for manufacturers, operators and integrators of components and IoT devices. In the competitive environment of the IoT market, security is becoming a decisive differentiating factor. Manufacturers who proactively adapt to this by striving for compliance and implementing the highest security standards as an integral part of their product development, not only meet legal requirements, but also gain the trust of their customers.
The future of the IoT market is in the hands of those who treat security as a strategic opportunity, rather than as an obstacle. The new legislation is the catalyst for a more secure, more resilient and more trustworthy IoT landscape. Manufacturers, operators and integrators that take on this challenge and make their products secure are not only on the right path to compliance, but also on the road to sustainable success in an increasingly connected and digitalized era.
| | EU Data Act | Cyber Resilience Act | NIS2 | IEC 62443 |
|---|---|---|---|---|
| | The EU Data Act is a new regulation that establishes uniform rules for data access, switching cloud providers, and interoperability requirements in the EU. | The European Cyber Resilience Act (CRA) is a proposal for a legal framework to define cybersecurity requirements for hardware and software products placed on the market in the European Union. | The NIS2 Directive is an EU-wide piece of legislation that provides legal measures to improve the overall level of cybersecurity in the EU. | IEC 62443 is an international series of standards covering cyber security for operational technology in automation and control systems. |
| | Create a single data market in the EU with reuse of data across all sectors of the economy. | To improve the security of digital products. | Increase cyber security and resilience in the EU. | Ensure the reliability and safety of critical industrial processes and infrastructure. |
| | Expected to enter into force in mid-2025 | Adopted in January 2024, effective no earlier than late 2026 | Application of the necessary measures from October 18, 2024 | Already in force |
| Mandatory or recommendation? | Mandatory for products and services in the EU | Mandatory for all companies that manufacture products with digital elements | Mandatory for operators of critical infrastructures | Recommended, or mandatory from January 1, 2024 for offshore installations and ships. |