
Decision and starting signal: What NIS-2 means for machine manufacturers and factory operators
The core of the reform is a clear distribution of roles. The Federal Office for Information Security (BSI) supervises the companies that fall under NIS-2. Within the federal administration it also coordinates cyber security as the Federal CISO, which makes it the federal government’s central office for information security: it defines requirements, bundles responsibilities and monitors implementation. Specifications, advice and monitoring therefore come from a single source. For machine builders and factory operators, this means one clear point of contact that explains the requirements, supports implementation and checks compliance.
Which machine builders and factory operators are affected by NIS-2?
In addition to the traditional infrastructure sectors, NIS-2 also covers parts of industrial manufacturing, including computers and electronics, electrical equipment, machinery and equipment, motor vehicles and other transport equipment. As a rule, the obligations apply to companies with 50 or more employees, or with more than 10 million euros in annual turnover and annual balance sheet total. In particularly sensitive areas, the requirements apply regardless of company size. The group of addressees in Germany is thus growing from around 4,500 to around 30,000 companies and organizations, including many medium-sized machinery and plant manufacturers that were not previously covered by the critical infrastructure (KRITIS) rules but which carry important parts of supply chains.
If your company falls under NIS-2, it must register within three months of first meeting the criteria. The joint registration office of the BSI and the Federal Office of Civil Protection and Disaster Assistance (BBK) is responsible for this. The BBK contributes its role in civil protection and crisis management and, together with the BSI, operates the central point of contact for registration and incident reporting. Have your company master data, named contact persons and the internal reporting channel ready before you register so that the process runs smoothly.
What will change in practice for machine manufacturers and factory operators?
The law raises the security level to a binding, verifiable baseline. It requires effective risk management, clear processes for vulnerability handling and patching, practised emergency and recovery plans, continuous logging and monitoring, strong access control including multi-factor authentication, and rules for cooperation with suppliers and service providers. These minimum measures have been adopted directly from the EU directive into German law. In practice, this means for machines and plants: control systems and gateways need a plannable update path, distributed device fleets need documented release and rollback procedures, remote access must be restricted and managed, and the supply chain needs reliable evidence of the components in use (for example a maintained inventory of the hardware and software components built into each system). Management is accountable for all of this and must document its decisions and the training carried out in a traceable manner.
What to do in the event of a security incident
In the event of a significant security incident, a three-stage reporting procedure applies: an initial report (early warning) within 24 hours, a more detailed incident notification within 72 hours, and a final report within one month. Reports go to the joint office of the BSI and BBK; additional interim reports may be required on request. Meeting these deadlines reliably requires a rehearsed process between production, IT, information security and communications, with clear roles, deputies, reachable contact persons and prepared text templates. Evidence such as logs, a timeline, the list of affected systems, the measures taken and an initial impact assessment should be collected from the very start of the incident.
Violations can be expensive: particularly important entities face fines of up to 10 million euros or up to 2 percent of annual global turnover, important entities up to 7 million euros or up to 1.4 percent, whichever amount is higher in each case. The specific amount depends on the individual case and the severity of the breach. Good preparation reduces both the risk of outages and the risk of fines.
– – – – – –
Further links
👉 https://kontron-ais.com
Photo: Kontron AIS