GEN – 1201.00. The revision of the 2016 Directive sets cybersecurity risks management and reporting obligations to companies, including companies in the HVACR sector. The proposal of the European Commission is now being examined and amended by the Council and the European Parliament.

Directive on Security of Network and Information Systems (NIS)

The Commission has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2). This proposal substantially amends and extends the scope of the 2016 NIS.

The proposal aims at addressing the increased digitalisation of the EU Internal Market and the evolving cybersecurity threat landscape by considerably extending the scope of the current legislation. The purpose is to set cybersecurity risks management and reporting obligations to companies defined as:

• ‘Essential entities’ (Annex 1 of the proposal) – Includes infrastructures in the energy, transport, drinking and wastewater, digital and space sectors)
• ‘Important entities’ (Annex 2 of the proposal) – Important entities of direct relevance for our sectors as they include all manufacturing companies in the electrical and machinery and equipment sectors (NACE Rev. 2 chapters 27, 28, 29 and 30), except small and micro companies (less than 50 employees and annual turnover and/or annual balance sheet total less or equal to 10M EUR) unless they enter one of the categories listed in article 2.2 of the proposal

HVACR industry

A verification of the Task 2 reports of the Ecodesign measures shows that a number of products fall within the mentioned NACE codes and would need to be considered as ‘important entities’:

• Air conditioning – 28 25 12 20 28 25 12 50, 28 25 12 79
• Water Heaters – 27 51 25 30, 27 51 25 50, 27 52 14 00
• Ventilation units – 28 25 12 70
• Refrigerated display cabinets – 28 25 xx xx series
• Fans – 29 23 20 30, 20 23 20 50, 29 23 20 70
• Lot 21 – 28 21 11 30, 28 21 11 50, 28 25 12 20, 28 25 13 80
• Air conditioning – 28 25 12 20 28 25 12 50, 28 25 12 79

Proposed obligations

1. Cybersecurity risk management and reporting obligations
   • Adoption of measures to manage the risks posed to the security of network and information systems which the entities use in the provision of their services, appropriate to the risk presented.
   • Approval and supervision of these measures by the management body of the entity, that has to be accountable for non-compliance.
   • Specific trainings have to be followed by the management bodies on a regular basis.
   • Member States may require that essential or important entities certify certain ICT products, services or processes under European cybersecurity certification schemes (Cybersecurity Act).
2. EU coordinated risk assessments of critical supply chains
   • Specific critical ICT services, systems or products supply chains as identified by the Commission, may have to be submitted to coordinated security risk assessments.
3. Reporting obligations
   • Notification to authorities without undue delay of any incident having a significant impact on the provision of their services, or any significant cyberthreat that could have resulted in a significant incident.
   • Notification where applicable to the recipients of their services potentially affected by a cyber threat or measures taken to address this threat.
   • In turn, competent authorities have to provide feedback within 24 hours to the reporting entity, and upon its request, guidance on possible mitigation measures.
4. Registry
   • The European Cybersecurity Agency ENISA will create and maintain a registry for essential and important entities that will have to provide information about themselves.
5. Information sharing
   • Member States are tasked with planning for entities to exchange information on cyber threats and other cybersecurity related matters.
6. Supervision
   • Article 29 (for essential entities) and 30 (for important entities) provide detailed instructions for Member States competent authorities to supervise and enforce the provisions of the Directive, with specific obligations for such entities.

Recommended actions

In view of the increased connectivity of products, manufacturers are recommended to check if their products would fall within the NACE that would render their company as an ‘important entity’. A further investigation in the proposed revision by the Product Groups is recommended.

Related documents and links

All related documents and articles can be found in the respective sections in the right sidebar.

• Proposal and related documents: https://ec.europa.eu/digital-single-market/en/news/proposal-directive-measures-high-common-level-cybersecurity-across-union
• Current NIS: https://ec.europa.eu/digital-single-market/en/directive-security-network-and-information-systems-nis-directive
• NACE classification: https://ec.europa.eu/eurostat/documents/3859598/5902521/KS-RA-07-015-EN.PDF