A Guide to Understanding NIS2 for OT Cybersecurity

By enacting the Network and Information Systems Directive 2 (NIS2) in 2023, the European Commission made significant progress in its efforts to improve industrial cybersecurity.

Although the security requirements for industrial organizations in member states will likely not come into effect until 2025 or later, industrial organizations should start preparing now. Readiness for NIS2 compliance will likely require additional OT security talent and outside expertise, resources that will be limited as compliance deadlines draw closer.

Below, Rockwell Automation has compiled more than 20 useful NIS2 resources and recommended next steps to help industrial organizations begin preparations for NIS2 compliance. The resources are grouped into two categories:

• NIS2 highlights and industrial cybersecurity fundamentals
• Strategies and best practices to prepare for compliance

NIS2 Highlights

The NIS2 Directive, which came into effect in January 2023, replaces the original NIS legislation adopted in 2016. The new rule broadens the scope and modernizes the European Union’s (EU) legal framework to keep pace with digitization and the evolving threat landscape. Member states have until October 17, 2024, to transpose NIS2 into national law, and news reports indicate that several have already introduced related bills. After that, industrial organizations will have 21 months to bring their operations into full compliance.

NIS2 applies to organizations that:

• Provide services deemed essential or important to the EU’s health, safety or stability
• Employ at least 50 people or generate at least €10 million (approximately $10.81 million)
• Have industrial or manufacturing operations in the European Union, regardless of their headquarters location
• Offer certain services in the EU, such as DNS services, managed security (MSPs and MSSPs), cloud computing and data centers

What Industrial Organizations Need to Know

NIS2 expands many of the requirements of the prior directive. For example, it classifies additional sectors as critical infrastructure, to a total of 11.

Other noteworthy changes include:

• Expanded security and incident reporting obligations
• Stronger supply chain security
• Bigger emphasis on international cooperation and information exchange
• Steeper penalties (up to €10 million or at least 2% of total annual worldwide turnover during the entity’s prior fiscal year)
• Public disclosure of breaches and the accountable corporate entities

Noncompliance with the NIS2 Directive is also likely to increase financial penalties. The public disclosure requirement may bring public scrutiny to organizations that report an incident, which may also impact brand reputation.

NIS2 Compliance Fundamentals

While the full details on how to comply are evolving, industrial organizations can get started by using the directive’s minimum cyber risk management measures as general guidance to provide insights on key areas of focus. These 10 primary provisions include:

• Risk analysis and information systems security
• Incident handling
• Business continuity measures, such as backup and disaster recovery
• Supply chain security
• Systems and network security, including vulnerability management
• Policies and procedures for risk management and analysis
• Basic cybersecurity hygiene and employee training
• Cryptography and encryption policies
• Human resources security, such as access control policies
• Multi-factor authentication and secure emergency communication

NIS2 recommends a risk-based approach, which aligns with best security practices for IT and OT. To understand risk, industrial organizations first need to understand the vulnerabilities in their environment and what those represent in terms of criticality to the organization. This knowledge will surface gaps in defenses, enable prioritization, and help establish what countermeasures are needed to help protect IT and OT environments and improve NIS2 readiness.

Aligning with Cybersecurity Frameworks

Cybersecurity frameworks are a core aspect of any organization’s cybersecurity strategy. Adopting a cybersecurity framework also provides a blueprint for NIS2 compliance as the NIS2 Directive maps to several established frameworks.

Commonly used security frameworks include:

• The NIST Cybersecurity Framework (CSF). Developed by the U.S. National Institute of Standards and Technology (NIST) to address CI security, the CSF is recognized globally by private and public entities as a comprehensive approach to preventing, detecting and responding to cyber threats.
• ISA/IEC 62443. This series of global standards from the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) establishes an industrial security framework for both traditional IT environments and SCADA or production sites.
• ISO 27001. Created by the International Organization for Standardization (ISO), these standards address fundamental aspects of security and risk management.

NIS2 Resources

The following resources can help organizations impacted by NIS2 to learn more.

• The NIS2 Directive (Directive (EU) 2022/2555) website contains information about the NIS2 legislative act to help organizations achieve a high common level of cybersecurity across the European Union.
• The E.U.’s Frequently Asked Questions. The European Commission answers questions about key NIS2 components, enforcement and other high-level updates.
• The European Union Agency for Cybersecurity (ENISA) NIS2 policy directive page also provides detailed information about the directive to aid in improving cybersecurity across Europe.
• Ireland’s Quick Reference Guide. Ireland’s National Cyber Security Centre provides an EU-wide overview of sectors and entities in scope, incident notification requirements, penalties and more.

Country-specific websites:

• The French FAQ page. The French National Agency for the Security of Information Systems provides national updates and answers to common questions.
• The Belgium NIS2 Blog. The Belgium Centre for Cybersecurity posts articles when NIS2 updates are available.
• The Czech CISA website. The Czech National Cyber and Information Security Agency website also has an overview and national updates.
• The Finnish TCA NIS2 working group. The Finnish Transport and Communication Agency publishes national progress updates and documentation.

Additional resources

• IT-Baseline Protection Compendium (IT-Grundschutz). The German Federal Office for Information Security (BSI) created this framework to provide a systematic, risk-based, maturity-related approach to IT, OT and IoT cybersecurity.
• The European Reference Network for Critical Infrastructure Protection. A part of the European Commission’s Joint Research Centre, this entity provides CI standards, best practices and guidelines, including a list of other IT and cybersecurity frameworks and guides.
• Critical Infrastructure Resilience Newsletter. The European Commission publishes a newsletter to share best practices, information and guidance with CI stakeholders.
• MITRE ATT&CK ICS Techniques. This knowledge base and matrix has tactical information on “adversary tactics and techniques based on real-world observations” specific to critical infrastructure.
• The Critical Entities Resilience Directive creates an overarching framework that addresses the resilience of critical entities regarding all types of hazards, whether natural or manufactured, accidental or intentional.
• The European Cyber Resilience Act bolsters cybersecurity rules to ensure more secure hardware and software products.

Outside experts can also help you navigate NIS2 requirements, and provide guidance tailored to your business and objectives. Take advantage of the expertise offered by trusted industrial cybersecurity partners to implement a robust cybersecurity plan, and to help continuously monitor and mitigate cybersecurity risks.

Turn to Rockwell Automation to Achieve NIS2 Compliance

If you’re looking for industrial cybersecurity expertise and advice to help meet NIS2 compliance requirements, Rockwell Automation can help. We offer a broad range of services for assessing, designing, implementing and managing industrial infrastructure. With strategic partnerships, a global footprint and more than a century of experience, we deliver both strategic and tactical capabilities to help protect your operations and secure your future.

Rockwell Automation stands ready to help you achieve NIS2 compliance. Click here to learn more.