Page 24 - BACnet_Europe-Journal_43
BACnet Insight

EU Building Security Requirements: NIS-2, CER, CRA, and RED

Cybersecurity, physical resilience, and product security are no longer optional extras, but legal requirements.

With the ongoing digitalization of technical infrastructures, automated building systems are increasingly becoming the focus of legislation. The European Union has created a comprehensive set of regulations that fundamentally changes the security architecture in building automation. This article highlights the four key regulations, NIS-2, CER, CRA, and RED, and shows what they mean in concrete terms for operators, integrators, and manufacturers.

NIS-2: Legal Obligation for Cyber Resilience

The revised Network and Information Security Directive (NIS-2, Directive (EU) 2022/2555) has been in force at European level since January 2023. It aims to strengthen the digital resilience of essential and important entities, including numerous players in building automation.

Key requirements for operators:
- Conducting systematic risk analyses
- Establishing standardized processes for handling security incidents
- Securing the supply chain through contractual and organizational measures
- Introducing a reporting procedure for cyber incidents
- Designating a permanent point of contact at the national supervisory authority (in Germany, the Federal Office for Information Security, BSI)

Operators of large properties, data centers, or utilities in particular should assess at an early stage how they are affected. The directive requires technical and organizational measures, including documented internal processes.

The NIS-2 Directive had to be transposed into national law in all EU member states by October 17, 2024, at the latest. While some countries have already completed the transposition or are in its final stages, national legislation is still being drafted in others, including Germany.

In Germany, transposition is being carried out through the "Act on the Implementation of the NIS 2 Directive and on the Regulation of Essential Features of Information Security Management in the Federal Administration" (NIS2UmsuCG). This involves both amending existing laws, such as the BSI Act, and introducing new obligations for operators of essential and important entities.

Until national transposition is complete, the provisions of the original NIS Directive (NIS 1) continue to apply in many countries, and they remain legally binding until formally replaced by national NIS-2 law. Companies and operators should therefore familiarize themselves with the extended requirements of NIS-2 at an early stage: regardless of the current state of transposition, significantly more comprehensive documentation, reporting, and security requirements are expected to become mandatory in the future.[1]

CER: Physical Resilience for Critical Infrastructures

The Critical Entities Resilience Directive (CER, Directive (EU) 2022/2557), in force since January 2023, adds a physical dimension to NIS-2. It addresses risks from sabotage, natural disasters, or technical failures.

Sectors affected:
- Energy supply (electricity, gas, and oil)
- Transport and traffic (rail, air, road, and sea)
- Digital infrastructure
- Water management (drinking water supply and wastewater disposal)
- Public administration
- Health
- Food supply
- Space
- Banking
- Financial market infrastructure

Obligations for operators:
- Conducting physical risk analyses
- Technical protective measures such as access controls and fire protection
- Concepts to ensure continued operation even in the event of a crisis
- Compliance with reporting obligations
Regulatory framework | Adoption at EU level | Transposition into national law | Who is affected? | Implementation deadlines
NIS-2 (Directive (EU) 2022/2555) | December 2022 | Required (transposition in Germany via NIS2UmsuCG in progress) | Operators of essential and important entities, including large building operators | By October 17, 2024
CER (Directive (EU) 2022/2557) | December 2022 | Required (national transposition in progress) | Operators of critical physical infrastructure (including the energy, transport, and public administration sectors) | By October 17, 2024
CRA (Cyber Resilience Act) | March 2024 | Not required (regulation, applies directly in all member states) | Manufacturers and suppliers of products with digital elements, including building automation (GA) components | Mandatory requirements apply from Q4 2027 (36-month transition period)
RED (amendment to the Radio Equipment Directive by delegated act) | Amendments adopted on January 7, 2022 | Not required (applies directly) | Manufacturers of radio equipment, including IoT and building automation (GA) components | New requirements apply from August 1, 2025
24 BACnet Europe Journal 43 09/25