Planned EU security law
VDMA calls for the directive to be toned down
According to the EU Commission's plans, practically all industrial companies will be obliged to comply with extensive cybersecurity requirements in future. The VDMA criticizes the plans.
Whether power plant operators, niche businesses or medium-sized industrial companies: according to the EU Commission's plans, practically all industrial companies will be obliged to comply with cybersecurity requirements in future. These are intended to help prevent and report cyber attacks. Although the VDMA supports the expansion of cybersecurity in industry, the association criticizes the fact that the planned directive on network security (NIS 2) does not differentiate between companies. For example, the planned directive affects companies that are active in critical infrastructure just as much as other companies. According to the VDMA, this would impose a considerable financial burden on small companies in particular. In addition, there would be major legal uncertainties.
The VDMA considers the future classification of companies to be particularly problematic: In addition to "essential facilities", the NIS-2 Directive provides for a new category of so-called "important facilities", which, as things stand at present, also includes companies in the mechanical and plant engineering sector. "There is no distinction in the requirements between the categories of essential and important. In principle, the requirements for a nuclear power plant to be classified as 'essential' should apply to the same extent as for a mechanical engineering company with 50 employees - regardless of what the company produces. We reject this," says Thilo Brodtmann, Managing Director of the VDMA. Only micro-enterprises with fewer than 50 employees are exempt from the requirements in the planned directive. "If this version remains, more than 9,000 European mechanical engineering companies would be affected, including more than 3,000 in Germany," says Brodtmann. "Three quarters of the companies affected have fewer than 250 employees."
VDMA calls for relief for small companies
The VDMA is therefore calling on those involved in the upcoming legislative process to ease the requirements for facilities in the 'important' category and remove ambiguities. In this way, the burden - also for the authorities - could be reduced without having to lower the objectives of the proposal with regard to the desired level of cybersecurity.
All affected companies are to be subject to strict cyber risk management and reporting requirements. For example, they must prove that coherent concepts have been developed for company-specific risk analysis, for managing security incidents and for ensuring the security of suppliers. Security incidents "with a significant impact" must be reported to the authorities within 24 hours. Compliance with these regulations is to be monitored by the member states. Violations could result in fines of up to 10 million euros or 2% of annual global turnover.