Page 24 - BACnet_Europe-Journal_43

BACnet Insight


EU Building Security Requirements: NIS-2, CER, CRA, and RED

Cybersecurity, physical resilience, and product security are no longer optional extras, but legal requirements.

With the ongoing digitalization of technical infrastructures, automated building systems are increasingly becoming the focus of legislation. The European Union has created a comprehensive set of regulations that fundamentally changes the security architecture in building automation. This article highlights the four key regulations – NIS-2, CER, CRA, and RED – and shows what they mean in concrete terms for operators, integrators, and manufacturers.

NIS-2: Legal Obligation for Cyber Resilience

The revised Network and Information Security Directive (NIS-2) has been in force at European level since January 2023. It aims to strengthen the digital resilience of critical and important facilities, including numerous players in building automation.

Key requirements for operators:
• Conduct systematic risk analyses
• Establishment of standardized processes for dealing with security incidents
• Securing the supply chain through contractual and organizational measures
• Introduction of a reporting procedure for cyber incidents
• Designation of a permanent point of contact at the national supervisory authority, e.g., in Germany, the Federal Office for Information Security (BSI)

Operators of large properties, data centers, or utilities in particular should assess how they are affected at an early stage. The directive requires technical and organizational measures, including documented internal processes.

The NIS-2 Directive had to be transposed into national law in all member states of the European Union by October 17, 2024, at the latest. While some countries have already completed the implementation process or are in the final stages, national legislation is still being drafted in other countries, including Germany.

In Germany, implementation is currently being carried out through the “Act on the Implementation of the NIS 2 Directive and on the Regulation of Essential Features of Information Security Management in the Federal Administration” (NIS2UmsuCG). This involves both adapting existing laws, such as the BSI Act, and introducing new obligations for operators of critical and important facilities.

Until the respective national implementation is complete, the provisions of the original NIS 1 Directive will continue to apply in many countries. These remain legally binding until they are formally replaced by national NIS-2 law. Companies and operators should therefore familiarize themselves with the extended requirements of NIS-2 at an early stage. Regardless of the current state of implementation, significantly more comprehensive documentation, reporting, and security requirements are expected to become mandatory in the future.¹

CER: Physical Resilience for Critical Infrastructures

The Critical Entities Resilience Directive (CER), valid since January 2023, adds a physical dimension to NIS-2. It addresses risks from sabotage, natural disasters, or technical failures.

Sectors affected:
• Energy supply (electricity, gas, and oil)
• Transport and traffic (rail, air, road, and sea)
• Digital infrastructure
• Water management (drinking water supply and wastewater disposal)
• Public administration
• Health
• Food supply
• Space
• Banking
• Financial market infrastructure

Obligations for operators:
• Conducting physical risk analyses
• Technical protective measures such as access controls and fire protection
• Concepts to ensure operations even in the event of a crisis
• Compliance with reporting obligations

| Regulatory framework | Adoption at EU level | Transposition into national law | Who is affected? | Implementation deadlines |
|---|---|---|---|---|
| NIS-2 (Directive (EU) 2022/2555) | December 2022 | Required (implementation in Germany via NIS2UmsuCG in progress) | Operators of critical and important facilities, including large building operators | By October 17, 2024 |
| CER (Directive (EU) 2022/2557) | December 2022 | Required (national implementation in progress) | Operators of critical physical infrastructure (including in the energy, transport, and public administration sectors) | By October 17, 2024 |
| CRA (Cyber Resilience Act) | March 2024 | Not required (regulation – applies directly in all member states) | Manufacturers and suppliers of products with digital elements, including GA components | Mandatory requirements apply from Q4 2027 (36-month transition period) |
| RED (amendment to the Radio Equipment Directive by delegated act) | Amendments adopted on January 7, 2022 | Not required (automatically valid) | Manufacturers of radio equipment, including IoT and GA components | New requirements apply from August 1, 2025 |

          24  BACnet Europe Journal 43 09/25