Taking too long? Close loading screen.

Cybersecurity and HVACR products (GEN – 1201.00)

22 January 2021

3 min read
European Policy

Cybersecurity and HVACR products (GEN – 1201.00)

22 January 2021

3 min read

GEN – 1201.00. The revision of the 2016 Directive sets cybersecurity risks management and reporting obligations to companies, including companies in the HVACR sector. The proposal of the European Commission is now being examined and amended by the Council and the European Parliament.

Directive on Security of Network and Information Systems (NIS)

The Commission has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2). This proposal substantially amends and extends the scope of the 2016 NIS.

The proposal aims at addressing the increased digitalisation of the EU Internal Market and the evolving cybersecurity threat landscape by considerably extending the scope of the current legislation. The purpose is to set cybersecurity risks management and reporting obligations to companies defined as:

  • Essential entities’ (Annex 1 of the proposal) – Includes infrastructures in the energy, transport, drinking and wastewater, digital and space sectors)
  • Important entities’ (Annex 2 of the proposal) – Important entities of direct relevance for our sectors as they include all manufacturing companies in the electrical and machinery and equipment sectors (NACE Rev. 2 chapters 27, 28, 29 and 30), except small and micro companies (less than 50 employees and annual turnover and/or annual balance sheet total less or equal to 10M EUR) unless they enter one of the categories listed in article 2.2 of the proposal

HVACR industry

A verification of the Task 2 reports of the Ecodesign measures shows that a number of products fall within the mentioned NACE codes and would need to be considered as ‘important entities’:

  • Air conditioning – 28 25 12 20 28 25 12 50, 28 25 12 79
  • Water Heaters – 27 51 25 30, 27 51 25 50, 27 52 14 00
  • Ventilation units – 28 25 12 70
  • Refrigerated display cabinets – 28 25 xx xx series
  • Fans – 29 23 20 30, 20 23 20 50, 29 23 20 70
  • Lot 21 – 28 21 11 30, 28 21 11 50, 28 25 12 20, 28 25 13 80
  • Air conditioning – 28 25 12 20 28 25 12 50, 28 25 12 79

Proposed obligations

  1. Cybersecurity risk management and reporting obligations
    • Adoption of measures to manage the risks posed to the security of network and information systems which the entities use in the provision of their services, appropriate to the risk presented.
    • Approval and supervision of these measures by the management body of the entity, that has to be accountable for non-compliance.
    • Specific trainings have to be followed by the management bodies on a regular basis.
    • Member States may require that essential or important entities certify certain ICT products, services or processes under European cybersecurity certification schemes (Cybersecurity Act).
  2. EU coordinated risk assessments of critical supply chains
    • Specific critical ICT services, systems or products supply chains as identified by the Commission, may have to be submitted to coordinated security risk assessments.
  3. Reporting obligations
    • Notification to authorities without undue delay of any incident having a significant impact on the provision of their services, or any significant cyberthreat that could have resulted in a significant incident.
    • Notification where applicable to the recipients of their services potentially affected by a cyber threat or measures taken to address this threat.
    • In turn, competent authorities have to provide feedback within 24 hours to the reporting entity, and upon its request, guidance on possible mitigation measures.
  4. Registry
    • The European Cybersecurity Agency ENISA will create and maintain a registry for essential and important entities that will have to provide information about themselves.
  5. Information sharing
    • Member States are tasked with planning for entities to exchange information on cyber threats and other cybersecurity related matters.
  6. Supervision
    • Article 29 (for essential entities) and 30 (for important entities) provide detailed instructions for Member States competent authorities to supervise and enforce the provisions of the Directive, with specific obligations for such entities.

Recommended actions

In view of the increased connectivity of products, manufacturers are recommended to check if their products would fall within the NACE that would render their company as an ‘important entity’. A further investigation in the proposed revision by the Product Groups is recommended.

Related documents and links

All related documents and articles can be found in the respective sections in the right sidebar.


10 January 2022
  • General
The Commission has published a non-binding FAQ document to provide guidance on how to disclose Taxonomy-eligible activities and assets.
1 min read
10 December 2021
  • General
A regulation supplementing the Taxonomy Regulation was published in the Official Journal of the European Union (OJEU). It specifies how to disclose information according to corporate sustainability reporting requirements.
1 min read
10 December 2021
  • General
The first delegated act of the Taxonomy Regulation was published in the Official Journal of the European Union (OJEU). It contains the Technical Screening Criteria (TSC) for the first two environmental objectives.
1 min read
20 October 2021
  • General
The LIFE sub-programme Clean Energy Transition has issued a call for proposals that can qualify for grants. Three topics may be of interest to the HVACR industry. Around 30 partners are looking for collaboration to introduce a proposal by 12 January 2022....
2 min read
Press "Enter" to start the search

Log in

Don't have a Eurovent Extranet account? Register here!


Are you interested in receiving regular updates from Eurovent? These include, for instance:

  • EU legislation and standards
  • Important WTO notifications
  • Market intelligence and statistics
  • National initiatives and actions by our Member Associations
  • Technological developments
  • Trade shows and conferences

Do you have any questions or are you interested to place your organisation’s advertisement in the next edition of CLIMANOVELA? Feel free to contact us via secretariat@eurovent.eu or +32 466 900 401.