New security regulations to have a big effect on industrial digitalization

Generally speaking, to succeed in any new industrial digitalization project, it is essential to keep track of regulatory requirements and implement them early on. Failure to comply with national, regional, and/or global regulations can be an expensive disaster. If compliance is an afterthought, it may roll back the development to square one.

“A typical mistake in traditionally less regulated device and digital services verticals in general is failing to notice that there can be different regulatory requirements in the European Union, United States, China, and other regions and countries. If a company eventually wants to place the product in all markets, the best choice is to start considering all requirements in the beginning,” says Etteplan’s specialist related to cybersecurity regulations, Antti Tolvanen, Sales Director for Software & Embedded.
 

It is easy to understand why cybersecurity regulations concerning operational technology such as industrial production systems and solutions are now being introduced. Operational technology (OT) is vital in the critical infrastructure of societies, and it is necessary for running industrial processes in factories. Traditionally, OT is well equipped for functional safety. However, compared to information technology (IT), there has historically been less attention on cybersecurity of OT solutions.

“Cybersecurity incidents involving OT may cause massive financial losses through lost production. But they can also pose huge safety risks to humans, property, and the environment,” Tolvanen says.

In the European Union, almost every company will directly or indirectly be affected by the new NIS2 directive as it applies on a very wide range of companies. It is expected to become incorporated into national laws by the end of 2024. Manufacturers of operational technology such as industrial equipment will need to comply with the directive.

“The NIS2 directive classifies nearly all manufacturers of electrical products as so-called Important Entities that must implement an appropriate information security management system. Appropriate secure development procedures related to e.g. devices and digital services will also become mandatory, also at direct suppliers.”
 

According to Tolvanen, the global automotive industry nicely illustrates how companies will improve their cybersecurity postures due to NIS2:

“The automotive OEMs and practically also all Tier 1 suppliers had in 2021 to put in place a cybersecurity management system, as it became a type approval requirement for new car types in July 2022. In automotive, some cybersecurity management system requirements are rolled down even to Tier 2 and 3 suppliers,” Tolvanen explains.

Cybersecurity of nearly all wirelessly connected devices sold in the EU will be regulated via the Radio Equipment Directive delegated acts 3(3)def. It makes sales of non-conforming devices illegal in EU on August 1st 2024.

Depending on the intended use of the device or digital solution, industrial equipment must in a few years comply also with new cyber security requirements General Product Safety Regulation, Artificial Intelligence Act and Machine Regulation, which are currently being created or updated. As with the Radio Equipment Directive, these new regulations will make existing products and digital services illegal to sell in EU in case of non-conformance with new cybersecurity requirements.

Investing in regulatory compliance, product safety, and cybersecurity requires significant expertise – and in many cases, a thick wallet, at least if a company intends to handle everything in-house. Regular R&D departments often lack cybersecurity experts.

“Today, it won’t pay off to start any industrial IoT or SaaS development project without applying a Secure Product or Software Development Lifecycle process from the very beginning due to high risk of legal non-conformance and a short lifetime on the market. I would also expect that non-compliance with applicable cybersecurity legislation probably makes it harder to receive any insurance compensations of recovery costs in case of cybersecurity incidents,” Antti Tolvanen concludes.