Achieve NIS2 compliance using existing frameworks in just 6 easy stages

Did you know, you can use existing cybersecurity frameworks such as ISO/IEC 27001 and IEC 62443 to turbocharge your NIS2-compliance strategy? Find out how.

By 17 October, EU member states must pass the Revised Network and Information Security Directive (NIS2) into national law. That gives organizations that come under the directive’s remit just a few months to make sure their operations are NIS2 compliant.

The good news is that many organizations have already done at least some of the hard work required. If you’ve implemented existing cybersecurity frameworks — for instance NIST-CSF or IEC 62443 — in your Information Technology (IT) and Operational Technology (OT) environments, the chances are you’re already part of the way to compliance.

Existing standards are a useful springboard to rapid compliance. NIS2 sets out the requirements operators must meet. Standards such as NIST-CSF, NIST SP 800-82, ISO/IEC 27001 and IEC 62443 provide guidance on achieving compliance with the legal requirements.

But this only works with the right combination of expertise, technology and tools. So how can organizations with OT networks use existing cybersecurity frameworks to meet their NIS2 obligations?

Follow these 6 stages:

1. Discover the frameworks you use: audit your operations to discover what cybersecurity frameworks you’re using and how complete your implementations are.
2. Map your current state against NIS2: audit your operations to understand how your current OT and IT security posture compares to the NIS2 requirements.
3. Develop a plan: using existing standards as a springboard, rapidly build a plan to bring all areas of your operation, IT and OT, up to code for NIS2.
4. Build the right technology mix: having created a compliance plan, build the right mix of technologies required to put that plan into action and close any security gaps.
5. Implement your compliance strategy: deploy your new technologies, permissions, and security protocols rapidly, with minimum disruption for maximum impact.
6. Monitor, analyze, optimize: monitor both your operations and relevant compliance regimes and continually optimize for maximum performance and minimum risk.

Whether your IT and OT security already complies with current best practices and regulations, or you’re starting from scratch, using existing cybersecurity frameworks — such as those developed by the US National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) or the International Electrotechnical Commission (IEC) — can help you achieve compliance faster, with lower costs and less risk.

This is particularly useful for operators of OT networks. These are often more heterogeneous than IT networks, with many older components that were not designed with security in mind. Existing frameworks provide the structure and methodology you need to act fast, secure your infrastructure and demonstrate NIS2 compliance.

Securing OT networks with existing frameworks also puts you on the fast track to compliance with future regulations, such as the EU Cyber Resilience Act and the Machinery Regulation (EU) 2023/1230. Although some of these are still taking shape, the tighter and more comprehensive your security, the less of a challenge compliance will be when they come into force.

Understanding frameworks and compliance requirements is paramount in navigating the complex realm of cybersecurity. In the previous article in this series, we outlined the crucial steps to NIS2 compliance, shedding light on the specific measures organizations need to take to align with the European Union's new cybersecurity regulations.

But to realize these benefits, your organization needs rapid access to specific expertise in the frameworks themselves, in NIS2 and in the relevant technologies. Without this expertise, you run the risk of implementing cybersecurity frameworks in a way that leaves gaps in protection and compliance and could expose your organization to risk.

Rockwell Automation is a market leader in cybersecurity for manufacturers and infrastructure providers. Our specialists will help you understand your current cybersecurity posture, NIS2 as it is being implemented in legislation where you operate, and how to use existing cybersecurity frameworks to comply with NIS2 rapidly and with minimum disruption.

By working with Rockwell Automation, you get instant access to the technology, the expertise and the experience you need to bring your facilities into compliance with the NIS2 directive in time.

Use these frameworks as a springboard to NIS2 compliance

Whether you’ve already implemented some OT cybersecurity best practice or you’re starting from scratch, the following frameworks can help you rapidly comply with NIS2:

  • NIST-CSF: although designed for IT networks, this standard provides OT operators with a structured, comprehensive approach to security.
  • NIST SP 800-82: covers Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS).
  • IEC 62443-3-2 & 62443-3-3: cover risk assessment and full-lifecycle security for industrial control systems.
  • ISO/IEC 27001: covers risk management, cyber-resilience and operational excellence for IT and OT networks.

Working with the right standards — or mix of standards — and the right partner, you can quickly and cost-effectively secure the OT and IT networks at your plants and infrastructure in a way that makes it easy to demonstrate NIS2 compliance.

Published June 27, 2024

Topics: Build Resilience

David Main-Reade
EU Regulatory Affairs Program Manager at Rockwell Automation
David participates in national and international standards committees relating to functional safety, product design and sustainability. With over 25 years’ experience in machinery safety applications and solutions, David is both a TÜV Rheinland functional safety expert, and a TÜV Rheinland Cyber Security Specialist for product development.
Manju Venugopal
Sr. Engineering Manager, Product Security and Functional Excellence, Rockwell Automation
With a career spanning over two decades, she has honed her expertise in embedded systems and operational technology (OT) cybersecurity, establishing herself as a leader in the field. Manju's passion lies in advancing practical cybersecurity measures within OT systems, leveraging her extensive global experience to drive innovation and security in the industry. Her work is pivotal in shaping the future of secure product development and operational excellence.