By Arik Diamant

In a bid to further strengthen the security and resilience of member states, the European Union introduced the Network and Information Security Directive earlier this year. Better known as NIS2, the new directive seeks to expand on the scope of the original with new cybersecurity requirements for essential sectors such as manufacturing, waste, water and chemicals.  

With just over a year until the new requirements are enforced by law, we ask Arik Diamant, Principal Solution Architect at Claroty, what NIS2 covers, and the priorities for organisations included in its scope.

What is the NIS2 Directive? What are the key requirements organisations need to be aware of? 

NIS2 is the EU’s next ambitious step towards fortifying its cybersecurity framework by focusing on critical services. The original NIS Directive broke ground as the first-ever EU-wide piece of legislation focused on cybersecurity, while the new addition aims to both expand the scope and add more stringent requirements.  

More specifically, NIS2 focuses on:

  • Cooperation and information exchange
  • Reporting / notification of breaches
  • Cyber security measures

The NIS2 Directive has built on the NIS1 Directive in that it has:

  • Added a large number of new industry sectors and classifications
  • Imposed direct obligations on management in respect to compliance
  • Detailed cyber risk management measures that are required to be put in place
  • Acknowledged the importance of security at all levels in supply chains
  • Clarified and strengthened incident reporting requirements
  • Provided supervisory authorities with a greater ability to monitor companies
  • Increased the sanctions for non-compliance

One of the most important elements of NIS2 is article 21, focusing on cybersecurity risk management measures. Member states will need to ensure that essential and important entities implement measures including establishing information system security and risk analysis policies, as well as frameworks and procedures for cyber risk-management measures.  

Affected entities will also need to produce thorough policies on incident handling, business continuity, vulnerability disclosure and network protection. Supply chain security is another key factor, focusing on the relationship with direct suppliers and service providers.

There is also a strong emphasis on getting the foundations right, including basic cyber hygiene, the use of cryptography, multi-factor authentication, and access control.  

In many respects the new directive is a CISO’s dream scenario, mandating that organisations invest in core cyber capabilities that most security leaders will have been clamouring to secure budget for, for some time.  

The directive is notable for its recognition that, in our interconnected digital age, a vulnerability in one sector can ripple across to others. The main focus is on “essential” sectors like healthcare, energy, and transportation. But it also casts a wider net to include “important” fields like digital providers and manufacturers linked to those sectors. There’s a strong emphasis on the supply chain, both physical and digital.  

In essence, NIS2 is the EU’s call for a united front against cyber threats, urging entities not just to defend but to collaborate, share, and innovate in their cybersecurity strategies.  

How about non-compliance? What are the potential penalties? 

The repercussions of non-compliance with NIS2 are not to be taken lightly. Drawing parallels with GDPR, the penalties for falling short of NIS2 standards can be stringent and are designed to be financially punishing.  

Essential entities, those at the heart of sectors like energy and healthcare, could face fines up to €10 million or 2% of their total annual worldwide turnover from the previous fiscal year – whichever is higher. For important entities, which encompass sectors like manufacturing and postal services, the fines can reach up to €7 million or 1.4% of their total annual worldwide turnover. 

As with the GDPR, it’s hoped that the steep fines will spur financially motivated businesses into action. Non-compliance could also lead to reputational damage and erode stakeholder confidence, harming brand value and losing business opportunities. 

What are some potential blind spots for those dealing with NIS2? 

Many organisations tend to focus on securing their traditional IT systems to comply with regulations and overlook their cyber physical systems (CPS) security, and this is likely to be the case for article 21 too.

Since most of the industries falling under NIS2’s remit are heavily based around physical infrastructure, this means their CPS assets also underpin our society at large.  

Some of the most common CPS that organisations will need to account for include operational technology (OT) assets such as the Programmable Logic Controllers (PLCs) driving the manufacturing and energy sectors. 

Internet of Things (IoT) and Industrial IoT (IIoT) devices are also increasingly common, covering everything from security cameras to motion sensors. Most businesses also have some form of automated building management system, and there are more specialist fields, such as connected Internet of Medical Things (IoMT) devices helping to automate healthcare services. 

Physical systems present a greater security challenge than traditional IT as they are usually incompatible with standard security tools and strategies and are very sensitive to change in operation. Organisations must ensure they have the tools to extend any controls and policies they implement to all of these systems if they are to comply with NIS2. 

One major challenge is the time it takes to design, deploy, integrate and implement security projects in an industrial environment. Those environments are big, old in many cases, highly sensitive, low in visibility and might be well distributed over large geographical areas.

With the enforcement of NIS2 approaching, what steps should organisations take to ensure they are compliant? 

NIS2 was launched in January 2023, with October 2024 being the time when the directive will become law in Europe and local authorities will start to audit entities.

With the enforcement date looming, there’s no time for complacency. All organisations within the directive’s scope must kick-start their compliance journey by allocating appropriate budgets now. Article 21 demands more than a tick-box regulatory requirement – these policies, procedures and technical solutions are an investment in their digital future. 

Organisations will need to ensure they have strong capabilities around detecting and responding to cyber threats. Automated asset discovery tools can help to identify assets, automation systems and their communications and ensure security teams have complete visibility. With all devices identified, it is then crucial to implement a regular cadence for applying security measures.   

When considering industrial environments, the size, the distribution of sites (production / water distribution / electrical grids, for example) and the sensitivity and complexity of them means time is of the essence. There is sadly not a lot of time left to plan in terms of choosing technologies to deploy, implement and integrate. It is important organisations act now.

Strict security controls such as network segmentation, are also crucial to restricting unnecessary connections and the movement of malware, as well as real-time monitoring and analysis to identify anomalies and potential intrusions quickly. This will ultimately limit the impact of cyberattacks.  

Indeed, supply chain security is a particularly critical component. In today’s interconnected world, a vulnerability in a supplier’s system can easily become a chink in the armour – even if the supplier is two or three steps further down the supply chain. Therefore controls, like network segmentation, which restrict malware’s movement across networks are essential.

Incident response is another pivotal area. It’s not just about reacting to cyber incidents but doing so swiftly, efficiently, and collaboratively. Steps should be taken to ensure that people, processes and technology can respond to a cyberattack effectively; more precisely, tools like industrial IDSs, firewalls, industrial secure remote access, endpoint protection and others should be connected to SIEMs and SOARs in industrial specialised SOCs.

In order to do this, effective training and clear protocols should be in place detailing how potential threats will be handled, from detection to mitigation. This includes setting up dedicated teams, leveraging advanced tools, and ensuring seamless communication channels both internally and with external stakeholders. 

Lastly, it’s essential to remember that NIS2 isn’t a one-and-done exercise. It’s an ongoing commitment. Regular audits, continuous training, and staying updated with the latest cybersecurity trends are crucial to staying ahead of potential threats, without losing sight of getting a handle on the day-to-day basics.

NIS2 reflects that those firms operating in essential sectors have a critical place in the fabric of our society, so their security responsibilities extend beyond their financial bottom lines. The new directive is not just another regulatory hurdle. It’s a call to action for organisations to prioritise cybersecurity as an integral part of their business strategy. Embracing NIS2 wholeheartedly can pave the way for a safer, more resilient, and more collaborative digital future for all.

About the Author

Arik Diamant is a Principal Solution Architect EMEA at Claroty.