Tips for Complying with the NIS2 Compliance Framework

By Meghna Subramani, Commercial Product Manager, Network & Cybersecurity, and Andreu Cuartiella, Lifecycle Services Commercial Manager EMEA, Rockwell Automation

The European market for operational technology (OT) is growing at a rate of 7% a year and will be worth US$9 billion by 2028, according to a study from Data Bridge Market Research. Across Europe, manufacturers and operators of infrastructure have invested in connected devices and services. Bringing networked intelligence to the factory floor like this can help increase productivity by the equivalent of an extra $1 per square meter (m³) per day.

Now it’s time to protect that investment — and the need to do is increasingly urgent. In December 2022, the European Union (EU) Commission published the revised Network and Information Systems Directive (Directive (EU) 2022/2555), commonly known as NIS2.

The directive is a legislative act that aims to achieve a high, common level of cybersecurity across the EU.  It focuses on a risk-based approach to security, covering areas such as business continuity and crisis management, vulnerability handling and disclosure, and multifactor authentication.

Prepare Your Cybersecurity Posture for NIS2

Even if your facilities were already covered by, and compliant with, the original NIS directive of 2016, you need to pay attention to NIS2, because it introduces some important changes. Some issues that are new in NIS2 include the following:

• The directive applies to new sectors not covered by the original NIS directive, such as water, waste management, critical manufacturing and more.
• Any entity that falls under NIS2 must have risk-analyzed its cybersecurity posture, then developed and documented security processes and incident-handling procedures.
• The supply chain is now covered, so affected entities must assess the cybersecurity of their supply chain and create appropriate risk-management measures.
• Incident-notification rules are much stricter. Entities must notify authorities of a suspected malicious act affecting their IT or OT networks within 24 hours.

All these new rules, and more, will be transposed into local law by each of the EU member states no later than October 17, 2024. Across the EU, parliaments are working on new legislation to bring NIS2 into force.

If you operate a factory or a major piece of infrastructure, you need to ask yourself if your cybersecurity posture is ready for these changes.

Securing OT networks can be complicated. The average factory or piece of infrastructure may have thousands of connected sensors and devices. Often, these are old and may not have been patched or designed with cybersecurity in mind.

These connected devices might also be undocumented, and therefore outside the scope of regular maintenance and security updates. This leaves the organization doubly vulnerable — unable to comply with NIS but also ignorant of this fact.

Fixing these problems gains an added urgency when you consider the consequences of inaction. Under NIS2, executives are personally accountable for data breaches. And the company itself can be fined up to €10,000,000 or 2% of their global annual revenue.

Take Action NowHow then, can industrial firms running complex, often heterogeneous, sometimes undocumented OT networks move quickly to initiate their compliance journey with the upcoming cybersecurity directive that’s set to be transposed at the national level by October 17, 2024? Starting preparations now will help provide a smoother transition and better adherence to regulatory requirements.

Often, the answer is to work with an external partner that has the technical skills and knowledge of process, policies and procedures to bring an OT network up to code.

Companies aiming for NIS2 compliance must navigate through these essential steps to kickstart their journey, as follows:

1. Audit your current operations and discover the devices, procedures, and technologies in use today across your IT and OT networks.
2. Use the results of the audit to build a gap analysis, identifying where your IT and OT networks need to be hardened and upgraded for NIS2 compliance.
3. Draw on established cybersecurity frameworks such as NIST SP 800-82 or IEC 62443, and relevant expertise, to create a tailored NIS2 compliance framework.
4. Work with expert engineers, process experts and consultants to implement your framework and bring your organization up to code.
5. Implement a program of procedures, monitoring, risk and crisis management, incident handling, optimization, and continuous improvement to to help you remain compliant, and your organization is secured against threats.
6. Cultivate a culture centered around cybersecurity; this is essential for lasting compliance.
7.  Implement training and awareness programs to educate and empower your employees at all levels to recognize and mitigate cyberthreats.

You can start taking these steps today to develop and implement your own NIS2 compliance framework.

Like this article? Sign up for the digital magazine (4X/year) and e-newsletter from The Journal From Rockwell Automation and Our PartnerNetwork.

^{The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.}