NIS2 Compliance Framework: Steps for Implementation

7 steps you can take today to become NIS2 compliant.


The European market for operational technology (OT) is growing at a rate of 7% a year and will be worth US$9 billion by 2028 [1].

Across Europe, manufacturers and operators of infrastructure have invested in connected devices and services. Bringing networked intelligence to the factory floor like this can increase productivity by the equivalent of an extra $1 per square meter per day [2].

Now it’s time to protect that investment, and the need to do so is increasingly urgent. In December 2022, the EU published Directive (EU) 2022/2555, the revised Network and Information Systems Directive, commonly known as NIS2.

Is your cybersecurity posture ready for NIS2?

Even if your facilities were already covered by, and compliant with, the original NIS directive of 2016, you need to pay attention to NIS2, because it introduces some important changes.

What’s new in NIS2? Among other things:

  • The directive applies to sectors not covered by the original NIS directive, such as wastewater, waste management, manufacturing of critical products, food, chemicals, postal services and more.
  • Any entity that falls under NIS2 must assess the cybersecurity risks to its network and information systems, then develop and document security policies and incident-handling procedures based on that assessment.
  • The supply chain is now explicitly covered, so affected entities must assess the security of their suppliers and service providers and put appropriate risk-management measures in place.
  • Incident-notification rules are stricter. Entities must send an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident (stating whether it is suspected to have been caused by unlawful or malicious acts), a fuller incident notification within 72 hours, and a final report within one month [3].

All these new rules, and more, will be transposed into local law by each of the EU member states no later than 17 October 2024. Across the EU, parliaments are working on new legislation to bring NIS2 into force.

If you operate a factory or a major piece of infrastructure, you need to ask yourself if your cybersecurity posture is ready for these changes.

Securing OT networks can be complicated. The average factory or piece of infrastructure may have thousands of connected sensors and devices. Often, these are old and may not have been patched or designed with cybersecurity in mind.

These connected devices may also be undocumented, and therefore outside the scope of regular maintenance and security updates. This leaves the organization doubly vulnerable: unable to comply with NIS2, and unaware of that fact.

Fixing these problems gains added urgency when you consider the consequences of inaction. Under NIS2, members of an entity’s management body can be held personally liable for failing to implement the required cybersecurity risk-management measures. And the company itself can be fined up to €10,000,000 or 2% of its total worldwide annual turnover, whichever is higher, if it is an essential entity (up to €7,000,000 or 1.4% for important entities) [4].

How to take action, right now, to achieve NIS2 compliance

How, then, can companies running complex, often heterogeneous, sometimes undocumented OT networks move quickly to start their compliance journey with the upcoming cybersecurity directive? It’s a daunting question, and Rockwell Automation can help answer it. Preparing now will enable a smoother transition and better adherence to the regulatory requirements.

The answer is to work with an external partner that has the technical skills, knowledge of processes, policies, and procedures to bring your OT network up to code, right now.

Companies aiming for NIS2 compliance must navigate through these essential steps to kickstart their journey:

  1. Audit your current operations to discover the devices, procedures and technologies in use today across your IT and OT networks.
  2. Use the results of the audit to build a gap analysis, identifying where your IT and OT networks need to be hardened and upgraded for NIS2 compliance.
  3. Draw on established cybersecurity frameworks such as NIST SP 800-82 or IEC 62443, and relevant expertise, to create a tailored NIS2 compliance framework.
  4. Work with expert engineers, process experts, and consultants to implement your framework and bring your organization up to code for NIS2.
  5. Implement a program of procedures, monitoring, risk and crisis management, incident handling, optimization, and continuous improvement to confirm you remain compliant, and your organization is secured against threats.
  6. Cultivate a culture centered around cybersecurity — building a strong cybersecurity culture is essential for lasting compliance.
  7. Implement training and awareness programs to educate and empower your employees at all levels to recognize and mitigate cyber threats.

You can start taking these steps towards developing and implementing your own NIS2 compliance framework today. For almost all organizations, the best way to do this is by working with an external partner with knowledge and experience in cybersecurity and compliance for OT networks, and which knows the NIS2 directive inside and out.

Rockwell Automation is a market leader in cybersecurity for manufacturers and infrastructure providers.

By working with Rockwell Automation, you get instant access to the technology, the expertise and the experience you need to prepare your organization for NIS2.


[1] https://www.databridgemarketresearch.com/reports/europe-operational-technology-market
[2] https://www.wired.com/sponsored/story/ericsson-5g-manufacturing
[3] https://www.rockwellautomation.com/en-us/company/news/blogs/nis2-ot-cybersecurity.html
[4] https://eur-lex.europa.eu/eli/dir/2022/2555#art_34

Published June 6, 2024


Andreu Cuartiella
Lifecycle Services Commercial Manager EMEA, Rockwell Automation
Andreu has more than 30 years of international experience in services and solutions for the manufacturing industry, including business management, management of technical teams, P&L management, business development, sales enablement, launching new offerings in the EMEA region and active engagement in mergers and acquisitions. He is a digital transformation advocate who helps leading industries reduce risk and generate savings in their operations through innovative solutions and services across their entire lifecycle.