NIS2 and the Pharmaceutical Sector
One industry most impacted by NIS2 is the pharmaceutical sector. Already the subject of myriad legislation across multiple disciplines, NIS2—which labels the pharmaceutical sector as ‘essential’—brings additional operational pressures. Although laudable in their intentions and anticipated results, these obligations create a significant workload for those in charge of compliance.
But pharmaceutical companies should not see their adherence to the NIS2 directive as a box-ticking exercise. Instead, they should see the deployment of modern digital technology—process hardware and MES solutions—and the road to compliance as a journey of broader operational self-improvement, one that goes far beyond the measures (and their results) prescribed by the legislation.
From the outset, tackling the technological and procedural basics of cybersecurity hygiene will certainly create a solid foundation. It’ll also help strengthen your business and define a more manageable evolutionary roadmap based on proven technology, industry best practice and effective governance.
Why NIS2 Matters for the Pharmaceutical Sector
The cyberthreat landscape is evolving at a prodigious rate, and the ‘old methods’ of combatting and dealing with incursions are no longer up to the job. This is precisely why national and international governments have stepped in. As focus shifts toward OT-based threats, hackers—including state actors, hacktivists, and criminal gangs—are targeting industrial systems for data, disruption, and profit.
Although NIS2 has good intentions across the board, it does not consider the requirements of individual industry verticals. Life sciences business owners and CTOs must not only address potential supply chain disruptions, but also look at the broader business-facing issues, such as the impact on profitability, customer goodwill, brand reputation, and product/consumer safety.
A growing number of companies are finding it difficult to secure adequate cyber insurance because their current controls fall short of what insurers now expect. When security maturity lags, perceived risk rises, making insurance coverage too costly or out of reach. This dynamic is one reason boards have elevated cybersecurity into their top organizational priorities.
Non-compliance will see fines of up to €10,000,000, or at least 2% of the total annual worldwide turnover. Keep in mind, that’s ‘worldwide’, not just European operations. And senior management may also be held personally accountable for any failures in adherence to the new rules.
The Path Toward NIS2 Starts with Basic Cybersecurity Hygiene
Basic cybersecurity hygiene is a vital first step and an essential practice going forward. While the potential of AI and big data is compelling, a lax security foundation puts your intellectual property and operational data at risk of exploitation.
Before proceeding, review your organization’s compliance efforts. It’s important to assess security risks based on existing assets, review the capabilities surrounding risk management, incident detection and response, and define responsibilities based on locality or region.
Establishing dedicated OT security policies and procedures is another critical step. These help demonstrate compliance and strengthen overall maturity. Effective policies define:
- Clear objectives aligned to business priorities
- Which roles are accountable for, or own, OT security
- What asset visibility looks like for your organization
- Rules for authentication and remote access
Tips for Implementing Basic Cybersecurity Hygiene
Based on the extensive experience Rockwell Automation has in helping secure industrial environments, consider implementing the following:
- Network separation and segmentation: Separating trusted and non-trusted zones within ICS networks makes it harder for threat actors to move laterally.
- Software patching and program updates: Update all software, firmware, and OS according to your OT policy and procedures—and apply mitigating controls when it’s not possible to update an asset.
- Device hardening: Minimize entry points for threat actors by disabling unneeded device capabilities and applying the principle of least privilege.
- Employee training: Provide specific training on ICS cybersecurity so that employees maintain and operate with a security-first mindset.
- Continuous monitoring and incident response: Monitor network traffic for anomalous behavior and make sure that you have an incident response plan in place for breaches.
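To make the first three tips concrete, here is an added example (not code from the original article or from Rockwell Automation) that runs a few hygiene checks over a constructed OT asset inventory and a handful of constructed flow records of the kind a passive network monitor would report. The zone names, conduit policy, service baseline, asset names and RFC 1918 addresses are all assumptions chosen for illustration. It flags cross-zone traffic that bypasses the permitted conduits (segmentation), assets that are unpatched with no documented mitigating control (patching), services exposed beyond a per-zone baseline (hardening), and endpoints seen on the wire that the inventory does not know about (asset visibility).

```python
# Added example, not part of the original article or of Rockwell Automation's products.
# Evaluates a constructed OT asset inventory and constructed flow records against
# assumed segmentation, patching and hardening rules.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str                              # assumed zone names: enterprise, idmz, control, safety
    patched: bool                          # firmware/OS current per the OT patch policy
    mitigations: frozenset = frozenset()   # compensating controls when the asset cannot be patched
    services: frozenset = frozenset()      # services the asset exposes on the network


# Constructed inventory (hypothetical asset names and addresses).
INVENTORY = [
    Asset("erp-app-01", "10.1.0.10", "enterprise", True, services=frozenset({"https"})),
    Asset("historian-01", "10.2.0.10", "idmz", True, services=frozenset({"https", "opc-ua"})),
    Asset("plc-line3", "10.3.0.21", "control", False,
          mitigations=frozenset({"segmented", "monitored"}), services=frozenset({"ethernet-ip"})),
    Asset("hmi-line3", "10.3.0.22", "control", False, services=frozenset({"rdp", "smb", "vnc"})),
    Asset("sis-line3", "10.4.0.5", "safety", True, services=frozenset({"ethernet-ip"})),
]

# Assumed segmentation policy: the only permitted cross-zone conduits (source zone, destination zone).
ALLOWED_CONDUITS = {
    ("enterprise", "idmz"), ("idmz", "control"), ("control", "idmz"), ("control", "safety"),
}

# Assumed hardening baseline: services permitted per zone; anything else is a finding.
SERVICE_BASELINE = {
    "enterprise": {"https"},
    "idmz": {"https", "opc-ua"},
    "control": {"ethernet-ip", "opc-ua"},
    "safety": {"ethernet-ip"},
}

# Constructed flow records (src_ip, dst_ip, service) as a passive monitor might report them.
FLOWS = [
    ("10.1.0.10", "10.2.0.10", "https"),        # enterprise -> idmz: permitted conduit
    ("10.1.0.10", "10.3.0.21", "ethernet-ip"),  # enterprise -> control: bypasses the iDMZ
    ("10.3.0.22", "10.4.0.5", "ethernet-ip"),   # control -> safety: permitted conduit
    ("10.9.9.9", "10.3.0.22", "rdp"),           # source not in the inventory
]


def _by_ip(inventory):
    return {a.ip: a for a in inventory}


def segmentation_violations(flows, inventory):
    """Cross-zone flows that use a conduit the policy does not permit."""
    ips = _by_ip(inventory)
    findings = []
    for src, dst, svc in flows:
        a, b = ips.get(src), ips.get(dst)
        # Unknown endpoints are reported by unknown_endpoints(); same-zone traffic is out of scope here.
        if a is None or b is None or a.zone == b.zone:
            continue
        if (a.zone, b.zone) not in ALLOWED_CONDUITS:
            findings.append((a.name, b.name, svc))
    return findings


def unknown_endpoints(flows, inventory):
    """Addresses seen on the wire that the asset inventory does not know about."""
    ips = _by_ip(inventory)
    return sorted({ip for src, dst, _ in flows for ip in (src, dst) if ip not in ips})


def patch_gaps(inventory):
    """Assets that are not current and carry no documented mitigating control."""
    return [a.name for a in inventory if not a.patched and not a.mitigations]


def hardening_findings(inventory):
    """Services each asset exposes beyond the baseline for its zone."""
    findings = {}
    for a in inventory:
        extra = a.services - SERVICE_BASELINE.get(a.zone, set())
        if extra:
            findings[a.name] = sorted(extra)
    return findings


if __name__ == "__main__":
    print("segmentation violations:", segmentation_violations(FLOWS, INVENTORY))
    print("unknown endpoints:", unknown_endpoints(FLOWS, INVENTORY))
    print("patch gaps (no mitigation):", patch_gaps(INVENTORY))
    print("hardening findings:", hardening_findings(INVENTORY))
```

Note that `plc-line3` is unpatched but is not reported, because the inventory records mitigating controls for it; the check enforces the policy wording above (patch, or document the compensating control), not patching alone. Feeding the same functions from a real inventory and monitor export is a matter of replacing the constructed `INVENTORY` and `FLOWS`.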
Developing a Business Case for NIS2
Consider compliance as part of a broader business-improvement project that starts with tackling the basics. A holistic, multi-dimensional approach will help you develop a strategic roadmap for improving cybersecurity maturity over the long term. As you develop that approach, consider creating a business case to secure alignment and investment.