By enacting the Network and Information Systems Directive 2 (NIS2) in 2023, the European Commission made significant progress in its efforts to improve industrial cybersecurity.
Although the security requirements for industrial organizations in member states will likely not come into effect until 2025 or later, industrial organizations should start preparing now. Readiness for NIS2 compliance will likely require additional OT security talent and outside expertise, resources that will be limited as compliance deadlines draw closer.
Below, Rockwell Automation has compiled more than 20 useful NIS2 resources and recommended next steps to help industrial organizations begin preparations for NIS2 compliance. The resources are grouped into two categories:
- NIS2 highlights and industrial cybersecurity fundamentals
- Strategies and best practices to prepare for compliance
NIS2 Highlights
The NIS2 Directive, which came into effect in January 2023, replaces the original NIS legislation adopted in 2016. The new rule broadens the scope and modernizes the legal framework of the European Union (EU) to keep pace with digitization and the evolving threat landscape. Member states have until October 17, 2024, to transpose NIS2 into national law, and news reports indicate that several have already introduced related bills. After that, industrial organizations will have 21 months to bring their operations into full compliance.
NIS2 applies to organizations that:
- Provide services deemed essential or important to the EU’s health, safety or stability
- Employ at least 50 people or generate at least €10 million (approximately $10.81 million)
- Have industrial or manufacturing operations in the European Union, regardless of their headquarters location
- Offer certain services in the EU, such as DNS services, managed security (MSPs and MSSPs), cloud computing and data centers