EU Data Act, NIS2 Regulation and Cyber Resilience Act – new challenges for Industry 4.0



IoT Use Case Podcast #107 - colenio

In today’s podcast episode, Sebastian Fischer, Head of Engineering and Manufacturing, and Sven-Christian Dethlefsen, Attorney at Law, dive deep into the latest developments of the EU Data Act, the NIS2 Regulation, and the Cyber Resilience Act. How will these new regulations revolutionize Industry 4.0 and what does that mean for mechanical engineering in Europe?

Podcast episode summary

In an exciting discussion, Sebastian Fischer and Sven-Christian Dethlefsen of colenio shed light on the far-reaching impact of the EU Data Act on mechanical engineering, including the consequence of having to make data available to third parties. Sven-Christian, drawing on his legal background, explains the EU’s ambition to create a single market for data and how this could affect trade or business secrets. Sebastian explains why data is now considered a valuable business asset and what that implies for monetizing and protecting it. The episode also focuses on the cyber security and compliance challenges posed by the introduction of NIS2 and the Cyber Resilience Act. This episode provides an in-depth overview of the new policies and how organizations can adapt to these new realities.

Podcast interview

Hello Sebastian, hello Sven. Welcome to the IoT Use Case Podcast. I am very happy that you are with us today and that you have taken the time. Sebastian, how are you doing right now and where can I reach you?


Hello Madeleine. Nice to be part of it. You can actually reach me at home. I am very, very well. I was able to enjoy the weekend with great weather. Nevertheless, exciting topics are also driving us right now, and we are dealing with them. In this respect, everything is fine.

I’m glad you are here again. I’m totally excited to see what’s been going on since then. Today we’re going to discuss a very important and very specific topic, which is also of interest to a lot of my listeners. That’s why I’m really looking forward to the episode. Sven, a warm hello to you as well. Glad you joined us today and took the time. How are you today? Are you also working from home or are you in your office? Where are you?


Thank you so much, Madeleine, for letting me be a part of this for the first time. I’m actually working from home. That’s quite alright. The door is closed, no one is going to disturb me.

Very good, 100 percent focus on our subject. Let’s start right away to briefly introduce your company, for those who don’t know you yet. colenio is active in the IT, services and software sector in general. You provide solutions, especially for the challenges of medium-sized mechanical and plant manufacturers, with what I would call a combination of technical implementation expertise, but also data and system security, and regulatory safeguards. That is our focus today, which is especially relevant for the management of the operations. Let’s introduce you in person. Sebastian, you are Head of Engineering and Manufacturing at colenio. Can you share what clients you work with, so we can get a sense of what industries and areas you’re in?


Yes, very much so. Typical medium-sized companies in mechanical and plant engineering and also in the manufacturing industry. Customers who deal with the topic of digitalization, be it IoT topics, but also analytics topics, and also customers who of course deal with the topic of IT security. How do I secure my production equipment, how do I secure my IoT environment, how do I write secure software, but also looking at it from a regulatory perspective, now also in the podcast towards the EU Data Act and the Cyber Resilience Act. These are issues that concern us. The typical mid-sized company in the range of 200 to 2000 employees is the focus of our customers.

Very nice. Thank you, Sebastian, for the transition. Especially now also in the regulatory environment, we are now dealing with exactly those things today in the podcast. Sven, you are the lawyer at colenio. How does it all come together? When did you get into this and why is it important to your customers?


I’ve been with colenio for a little over a year now, and one of the focal points has really been the all-encompassing topic of compliance. Of course, you can break that down in part to what’s on our minds, which is why we’re here today. We are a consulting company and try to provide comprehensive support or advice, i.e. not just look at one side. Customers are generally driven by the issue of how they handle their data, how they can make it secure. Of course, there are now a number of topics from the so-called EU data strategy that I will be focusing on from the regulatory side.

In order to get a little bit into the topic, we can classify the EU data strategy thematically. Can you describe what’s happening in the market right now? EU data strategy is a big topic, so perhaps we can shed some light on it today from a practical perspective. What’s happening in the market right now, why is this topic important?


This is important because the EU has decided that data will and should have a higher business value in the future. And from this intention that data should be incredibly important, in the direction of a data-driven society, various programs have been launched at the EU that take the topic to another level in regulatory terms. On the one hand, this includes the topic of data strategy, i.e. how will I deal with data in the future? This also includes the EU Data Act, which means how I have to make data available. But that also includes the AI Act: how do you deal with artificial intelligence? But it also includes the cyber strategy, which is very much concerned with the issue of security. This includes, among other things, IT-SiG 2.0 as a regulation, known in Germany as the IT Security Act, but also in the future the so-called Cyber Resilience Act, which deals with the product cyber security of the products that are actually manufactured. That’s actually very exciting. Sven, you can certainly add something.


Actually, I don’t need to add much, you’ve already outlined it very well. Ultimately, the EU data strategy is also a bit about creating a single market for data. So far, it’s mostly that we’re dealing with foreign players, many in America, some in China. The EU has determined that we have a deficit there and is trying to address it with this EU data strategy, and to elevate the European approach, including aspects like data protection and possibly the consideration of European values, or to advance that accordingly.

Let’s take a look at what this data strategy means in practice. Sebastian, can you just sort of categorize this issue of the EU Data Act and the Cyber Resilience Act in terms of content. What does that mean then in the context of this overall data strategy at that point?


The EU Data Act is in principle part of the EU’s data strategy. It is an essential component that first defines and establishes that data must be made available in principle in the future. This means that in products, in machines and systems that naturally collect data in some form because they have sensors, actuators, the machine manufacturer is required to make this data freely available to users in the future. We can discuss how this is done, via USB interface or IoT solution, in a moment. The transfer of data to third parties is also regulated in detail. This means that, in principle, the possibility of doing anything with data is created in the first place, because everyone is required to make data available.

Regarding data strategy, cyber strategy, cybersecurity… There’s NIS 2 as the successor to NIS, the network and information security directive. Today known as the IT Security Act 2.0. This has passed. In the future, there will be the IT Security Act 3.0 in succession. That basically deals with how cyber secure my company is, or how I need to set myself up to make my company cyber secure. So, the typical hacker attack, in order to make myself resilient there. The special thing about this is that it now also affects the breadth of machine and plant manufacturers, because these are companies of particular interest. This affects about 5000 companies in Germany from the mechanical engineering sector that will have to implement NIS 2 in the future.

I think that’s also a very important point that you make: you have to. Providing the data is, after all, the requirement behind it. The other two topics are about the “how”. How do I share the data with third parties? How do I build my cybersecurity strategy, too? Sebastian, you just said it’s about mechanical engineers, it’s also about the products behind them. Let’s say I’m a manufacturer of a packaging machine that’s on the shopfloor, for example. What does that mean? What are the requirements that apply to my product, the machine? If I offer a data-driven service for my facility in the future, what does that mean for that product in practice? Can you explain that a little bit?


Yes, gladly. Not only if I want to offer a data-driven service, but fundamentally, if I put the machine on the shopfloor, I have to give the user, the person who bought the machine, the ability to use the data in some way. That means I have to make sure I provide data access. This data access must also be modeled and documented accordingly. The user must see exactly which data points are to be tapped, with which frequency, with which unit. I simply have to make sure that this data access is appropriately secure. This means that only defined users who are allowed access to the data are also granted access to the data. I have to think about what this data model can look like already during design and development. Data sovereignty is also clarified. Who owns the data? Who has access to the data? How do I share data with third parties? In the future, the user may disclose the data to third parties. If we look at the packaging machine, it is probably the last link in a line. If we are now at Lindt, chocolate is produced there. What happens? They are preparing chocolate dough, figuratively speaking, a chocolate mixture. This is poured into a mold, in the form of a chocolate bar, and packaged at the end. For Lindt, of course, it is incredibly good to know how the overall system works. When the chocolate molding machine stops, the packaging machine should not continue packaging. This means that sharing data between the plants will thus become possible in a much, much more transparent way.

So what are the implications if I didn’t take that into account. What are the implications, what happens if I don’t do that or haven’t considered that yet, as of today?


Basically, the question does not arise at all. I will be obliged to do it in the future. This means that if the user wants data, I have to make it available to them. Ideally, as a mechanical engineer, I offer a digital service that I can also use monetarily to some extent. Otherwise, the service aspect as a machine builder slips through my hands, because the user is generally entitled to have the data.


Another short interjection. I think that’s the issue. There are already requirements, and the EU Data Act also provides for the possibility of fines if manufacturers or producers do not comply with the regulations. But I don’t think that’s so important; the customer issue is more important. The customer has a right to the data. And I assume that customers will also demand this right. So it makes sense to think not only about the pure production of the machine, but also about services, and to consider new business models, which are then, of course, data-driven.

You have opened up an important topic, which I would like to examine in detail. What does the service business of the future look like, then, that I can still use this data monetarily myself? There are different use cases and also business cases that are emerging. Do you have some real-world examples of what data can be used there and how? Sebastian, you just talked about frequencies and different feature units that such a machine provides. Do you have any examples of how to use this data?


Yes, on different levels. So if I think about classic machine service, in the direction of predictive/preventive maintenance, using the data. The machine manufacturer who produced the machine offers service to the user and says, preventive maintenance, in three weeks a machine will fail because… and we do proactive service. Certainly an issue, but another issue would also be to offer the user of the machine a smart insurance policy that insures the machine based on its use. How often is the machine used and what does the usage behavior look like, and to map intelligent services on top of that. Or the use of data across plants to optimize the overall process, to sift through it, to optimize the effectiveness itself, to say, I no longer make 1,000 chocolates an hour, but perhaps, with optimization of all plant parameters, 1,200 bars an hour.

It also depends very much on the options that the end customer offers. Many manufacturing companies are now integrating the data from the machines themselves, especially the large ones. As a mechanical engineer, you have to ask yourself what your assets actually are. I have now heard of use cases, for example, where CO2 data is provided in a manufacturing company. In the past, these were Excel lists. Now, you could provide a manufacturing plant with an interface through which you can retrieve the CO2 data. That would be a case where you could say that everything is already available digitally, or perhaps other cases that would be possible. Sven, do you have any examples of how to use this data?


That would almost have been my example now, with CO2 consumption, because as far as the topic of the environment is concerned, or environmental certificates, or CO2 certificates, you provide appropriate data there. Also the topics of speed, real-time, direct access via appropriate portals, perhaps also insurance, and also the topic of optimization, so that one is ultimately able to really cover the entire production process, but can of course also go into a qualitative improvement for the company, also the topic of internal training to improve the production processes. At one point or another, this also results in business models that perhaps offer optimization possibilities from the manufacturer’s side, because you can also determine somewhere what the input is and what the output is, and that somehow something doesn’t fit together at one point or another.

Yes, very nice. A short note. If you find these use cases or others exciting, both Sebastian and Sven are part of our network. If you have any questions or just want to discuss possible use cases, feel free to contact Sebastian or Sven. I link to the LinkedIn profiles in the show notes or contact me directly. I think there are a lot of cases that are already working in practice today, where you can simply share information and added value. You guys just opened up three different topics. The data must be provided. It’s about disclosure to third parties and it’s about cyber strategy. Let’s maybe go into a little bit of depth there. What does this mean in practice? Can you share some insights on what that means?


Yes, very much so. So the issue of data sharing under the EU Data Act is first of all about legal certainty. The question, who has access to the data, how do I control that? This is about regulating the legal framework, in the form of terms of use, access rights, user management. In the end, it’s also about a lot of technical security: how can the whole thing be implemented securely so that there are only certain access rights? But I think a key aspect is simply also the legal framework. I’m already looking in Sven’s direction again, to define and specify.

Yes. What does a legal framework look like, Sven, and what kind of questions do I need to ask myself in that regard?


Sebastian has just brought up a few keywords as well. In the end, of course, I have to make sure that I really agree on appropriate conditions of use with the buyer of my machine. The issue of user management is important. How do I make the data available? Who has access to the data? The EU Data Act first says that all data must be made available. This means that all data that the machine generates, produces, and collects somewhere must be made available to the user, and if the user wants it, this data must also be passed on to third parties. Then you can also hang price tags on it. Another important aspect: to the user of the machine, the customer, the data is to be provided free of charge. You then also think about how you can offer that to the customers most profitably. If you have to make all the data available, which under certain circumstances can of course also be company or trade secrets, or where, the other way around, such company or trade secrets can perhaps be inferred or found out from the data at one place or another, these are important aspects. For example, that the regulatory framework between the manufacturer and the customer is defined accordingly, i.e. that a framework is provided through terms of use, corresponding user accounts, and so on and so forth.

Can you actually compare this with what we also know from vehicles today? So when I sit down in a modern vehicle, the vehicle almost greets me by name. I log in there, have my apps loaded. That may also be personal data. But that means that I, as a mechanical engineer, have to make a corresponding contract, just like a manufacturer does today. Tick the checkbox and agree to the use of data. Is that comparable?


Technically, certainly. In the future, I will also have to ensure on the machine that certain data is only fed to certain groups of people. That is certainly similar, both in the technical and in the contractual evaluation. Here, too, it must be regulated who may use which data and how. The user is also able to provide data to third parties. In other words, I don’t want the packaging machine company to provide me with a digital service, but I would like to obtain the digital service from Amazon, Apple or someone else, and they would like to use the machine’s data, in which case I am allowed to do so regardless of the company secrets. This is an issue that also concerns mechanical engineers. After all, people believe that the company’s trade secrets, its know-how, lie in the data. In the end, that’s what needs to be protected. This means that as a mechanical engineer, I have to think very, very carefully about which data points could involve company secrets. However, I cannot simply exclude them and say that I have now selected ten data points, which I will not send or output. Instead, this must actually be decided by a court of arbitration as to whether they really are trade secrets. The hurdle is significantly higher. I can’t just say I’m not sending out ten data points out of 100.

Sven to pass the question on to you again. Are there any possible solutions? How do I ensure that this data I share does not contain trade secrets? Sebastian, you also said that the first step is to deal with it in the first place. What kind of data could this be? Are there any possible solutions?


Determining what are not trade secrets and at the same time making all the data available, that is the problem. That’s why, as a manufacturer, you should think quite hard about what is important data for me to generate or somehow provide, from which one can perhaps also infer my know-how, company or business secrets. There are specifications that all data must be made available. However, in the case of trade and business secrets, which is currently the subject of discussion, as the EU Data Act is currently being drafted, it is possible to apply or attempt to apply a certain level of protection to trade and business secrets. But as Sebastian already said, it is possible to try to get access to this data via arbitration. There is no real protection as such. If the user, the customer of the machine, now says they want to pass the data on to a third party, i.e. not to the manufacturer, then the data must also be made available. The most you could then do is talk about the appropriate contract design and put price tags on it, so that you then also say, okay, if you get the data, then it costs X price. If you want to have more data, i.e., data that actually goes in the direction of know-how and trade secrets, we will then increase the price. Perhaps also about reasonable user management, so that you also have an initial control somewhere that not just anyone can access the data. The machine turns on and finds that Sven has now logged in. Hello Sven, how are you today? Let’s start producing. So that’s not necessarily how it’s going to go. That’s one question, although you should also keep in mind the issue of data protection for personal data.

Okay, but that means that one approach to a solution, or perhaps also a procedure, would be to define in the first place what data I want to protect. Which data could lead to conclusions about a trade secret or I look at these different clusters of data in order to define them in the first step. Then you probably have to make the individual packages according to that, where I then attach the measures. Would that be one of those ways?


I would actually tend in that direction at the moment. You have to make all data available to the user, but when it comes to sharing, as you said, it is done in clusters. That’s data that’s not too important, we can give that to third parties for a price tag X. But of course, the deeper it really goes into the disclosure of know-how or company or trade secrets, the more you might really say, I’ll just raise the price tag to prevent a certain risk that the data will be used elsewhere. There are protective mechanisms. The EU Data Act also prohibits using the data to then produce a comparable machine, for example. There are possibilities, but that is of course also a legal matter. In this case, you can only defend yourself legally by means of corresponding contractual clauses or terms of use or clauses in the purchase contract for the machine.

Yes, very nice. Once I have the basis, I must of course ensure that the software solution I use allows this distribution of roles and rights to specific types of data. I can then say exactly who has which access in which role and that can then be controlled via the software solution behind it, right?


This must happen in any case, and the whole issue of cyber security is getting even more impetus from the Cyber Resilience Act, which is also part of the EU’s cyber strategy. In principle, the Cyber Resilience Act is an attempt to raise the issue of cyber security in products to another level and make it mandatory for all manufacturers. At the moment, the topic of cyber security is purely a matter of self-commitment. I can, but I don’t have to. Ultimately, this is an attempt to raise the topic to another level by obliging mechanical engineers to implement the topic of cyber security in their products and also to observe it. So that’s certainly another exciting topic.

Keyword Cyber Resilience Act. It’s also always about risk assessment around these products, whether it’s a machine or even the products behind it. What exactly does this look like then? What do I have to deal with, so to speak? Sebastian, do you have a few points that I, as a mechanical engineer, have to deal with when going in this direction?


Yes, definitely. The machine builder is certainly familiar with a risk assessment in the sense of the Machinery Directive. This is certainly sufficiently known, where I have to deal with the functional safety of a machine. But in the future, I will also have to deal with the cyber security of a machine and must also be able to assess and overview such cyber risks. That is, classics such as USB interface on a device on the machine. Can malware be installed there? If the machine is connected via IoT, there may be entry points where a hacker can attack and take over the machine. These are typical issues to deal with. This means that in the future I will have to carry out a risk assessment during the design development phase and this must also be continued continuously throughout the entire product life cycle. Now comes the very special thing about this, that the risk assessment must also become part of the CE declaration of conformity in the future. The declaration of conformity certifies that I, as the machine manufacturer, comply with all rules and standards that are currently valid when developing or operating the machine. In the future, I will also have to take responsibility for complying with the Cyber Resilience Act. This means that, as a manufacturer, I am liable for having dealt with the issue of cyber security for my products in the form of a risk assessment. I can then say, ok, USB interface risk 2 out of 10, because I can only put signed USB sticks from the manufacturer in there and not any random, private ones. These are then issues that you have to deal with.

We are familiar with the previous Machinery Directive, but this also means that I have to build up competencies and establish cooperations in order to penetrate this topic at all. As a mechanical engineer, I don’t have any personnel who know how to do this. That’s probably also the approach, where you enter into a cooperation with companies like you, who are active there, in order to build up this competence in the first place, to understand that and then to deal with these risk assessments, that’s a completely new field that’s being opened up there, isn’t it?


Absolutely. I think it goes much further than that. It’s not just purely about security and purely about data. I also believe the interaction towards the machine. I have an IoT device, which is coupled with a machine controller. I have the functional issue, if I access the IoT device, I may be able to manipulate the control, may make movements that become a danger to life and limb. I think you also need some mechanical engineering industry know-how to approach the subject properly. I think that’s one of the things that perhaps distinguishes us as a company, because we don’t just look at it from an IT perspective, but actually from a mechanical engineering perspective.

Yes, very nice. I think it’s exactly the right way to enter into strategic partnerships with companies like you. If you want to have a conversation about this, here’s a warm invitation. You two are also part of the network. That’s definitely something to talk about. You have just mentioned the proposed solutions and also the expertise in this direction, where you can also build on good cooperation. We had talked about the packaging machine builder. So what do these concrete measures look like for our packaging machine manufacturer? I have now learned that all data must be provided somewhere. This is what the legislator requires. There is a need to regulate how disclosure to third parties works and the cyber strategy that I have to deal with. So what do the measures for our packaging machine manufacturer look like now for the Cyber Resilience Act. What are the measures there? Sebastian, do you have some examples?


Essentially, you have to deal with the issue of risk assessment. That means I need to establish a process in the company on how to assess cyber risks in my products. I have to make sure that I am updateable. In the future, I need to be able to put security updates on the machine. The packaging machine will have to network somehow. It has to anyway, because it has to pass on data. These are already the essential components. To deal with the topic, to have the possibility to release updates and also to permanently monitor the machine in terms of cyber security. Things change over time. You know this from Windows, you have to do updates all the time. At the end of the day, as a mechanical engineer, I have to have that under control, too. I think that is an essential skill that I need to acquire.

Yes, perfect. If my customer allows it then, that’s still the issue we had at the beginning. How then can you monetize such services and also partner with the customer to then enable a win-win situation? The data must be provided. How do I make that work for my future business as well? That is the direction in which we need to think. What is the business case for our machine builder if we now look at the EU Data Act, Cyber Resilience Act or NIS2? What’s the business case for customers here?


That’s relatively easy to answer from my point of view. If we look in the direction of the EU Data Act, the appeal is very clear, deal with digital business models and try to offer the data as a service so that the customer doesn’t just come up with the idea of doing something with the data themselves. In other words, in the form of prepared dashboards and performance analyses, which also simply incorporate the know-how of the machine builder. If you need help, I’m a member of the VDMA’s Platform Economy Expert Group. We will be releasing white papers on monetization in digital business models in the coming weeks. You can browse through it and see how it works. This is available for different methods. Otherwise, regarding the Cyber Resilience Act, there are already drastic penalties. I think Sven can certainly say more about this from a compliance perspective.


I wouldn’t necessarily call that a business case now. When it comes to possible penalties, we’re not talking about peanuts, not five-digit amounts, but in the region of two to two-and-a-half percent of sales. In some circumstances, correspondingly high amounts if, for example, the Cyber Resilience Act or NIS2 are not implemented in some cases. Because that is actually a consequence of the fact that when data is produced or manufactured, it must also be made available securely, or the machine must be secured. So accordingly, in the context of new business models, one should simultaneously deal with the topic of security or resilience of the data.

Very nice. Then that’s also a nice closing word for the end. I think that’s also the call to all of you who haven’t dealt with it today. I know that many people are already going down this path, but it’s good to have experts like you, to have contacts, and to simply seek out this conversation. How do I approach this? All data must be provided. The cloud and the software solutions behind it also enable good user management in order to manage and administer these data clusters, as we mentioned earlier. First of all, thank you very much for being with us today. Thank you very much for your time and with that I would turn the final word over to you. I was very pleased that you were with us today.


Thank you so much for having us today. This is an exciting topic, which should in no way be seen as a threat, but rather as an opportunity. With the EU Data Act, the topic of digital services is getting another boost. I believe this is an opportunity for mechanical engineering. The same applies to the topic of cyber security. This must be seen as an opportunity to properly safeguard your products to avoid reputational damage. So we look at it as an opportunity rather than a problem.


That’s actually what I would also want to bring to the forefront again. I would see it as an opportunity, not necessarily as an obstacle or, from a cost point of view, certainly not easy for one or the other mechanical engineer, but I think that these are real opportunities. We are moving more and more in the direction of a data-driven society and, of course, the producers or manufacturers of machines should also be involved accordingly and simply ride that wave. So, many thanks from my side as well, and yes, I actually also see the opportunity rather than the risk.

Very nice closing, then have a great week and maybe we’ll hear from you again for a follow up. Take care!


Ing. Madeleine Mickeleit

Host & General Manager
IoT Use Case Podcast