The EU Commission is planning far-reaching obligations for the prevention and reporting of cyber attacks. These will affect almost all medium-sized industrial companies. VDMA is calling for relief for small businesses.

Brussels/Frankfurt, 11 March 2021 - According to the plans of the EU Commission, practically all industrial companies will have to comply with extensive cybersecurity requirements in future - regardless of whether they are large power plant operators or niche businesses.

Although VDMA supports the idea to foster cybersecurity in industry, it criticises the fact that the planned directive on network security (NIS 2) will not distinguish more precisely between companies that are active in critical infrastructure, for example, and other companies. This would impose a considerable financial burden on small companies in particular and create legal uncertainties

VDMA considers the envisaged classification of companies to be particularly problematic. In addition to "essential facilities", the NIS-2 directive provides for a new category of so-called "important facilities", which, as things stand at present, also includes companies in the mechanical and plant engineering sector. "There is no distinction with regard to the requirements between the categories essential and important. Basically, the requirements for a nuclear power plant (classified as 'essential') are to apply to the same extent as for a mechanical engineering company with 50 employees - regardless of what the company produces. We reject this," says Thilo Brodtmann, Executive Director of the VDMA. Only micro-enterprises with fewer than 50 employees are exempt from the obligations in the planned directive. "If this version remains, more than 9,000 European machinery manufacturers would be affected, more than 3,000 of them in Germany," says Brodtmann. "Three quarters of the companies affected have fewer than 250 employees." 

VDMA is therefore calling on the parties involved in the upcoming legislative process to ease the obligation for "important" entities and to eliminate ambiguities. In this way, the effort - also for the supervising authorities - could be reduced without having to lower the objectives of the proposal in terms of the targeted cybersecurity level.

High fines in case of non-compliance

All affected companies will be subject to strict obligations for the management of cyber risks and reporting of incidents. For example, they must prove that conclusive concepts for company-specific risk analysis, for the management of security incidents and for ensuring the security of suppliers have been developed. Security incidents "with significant impact" must be reported to the authorities within 24 hours. Compliance with these regulations is to be monitored by the member states. Violations could result in fines of up to 10 million euros or 2 per cent of annual global turnover.