
Tips for Complying with the NIS2 Compliance Framework

Learn 7 steps to help you comply with this directive for increasing cybersecurity for industrial firms, utilities and others across the European Union.

By Meghna Subramani, Commercial Product Manager, Network & Cybersecurity, and Andreu Cuartiella, Lifecycle Services Commercial Manager EMEA, Rockwell Automation

The European market for operational technology (OT) is growing at a rate of 7% a year and will be worth US$9 billion by 2028, according to a study from Data Bridge Market Research. Across Europe, manufacturers and operators of infrastructure have invested in connected devices and services. Bringing networked intelligence to the factory floor like this can help increase productivity by the equivalent of an extra $1 per square meter (m²) per day.

Now it’s time to protect that investment — and the need to do so is increasingly urgent. In December 2022, the European Union (EU) Commission published the revised Network and Information Systems Directive (Directive (EU) 2022/2555), commonly known as NIS2.

The directive is a legislative act that aims to achieve a high, common level of cybersecurity across the EU. It focuses on a risk-based approach to security, covering areas such as business continuity and crisis management, vulnerability handling and disclosure, and multifactor authentication.

Prepare Your Cybersecurity Posture for NIS2

Even if your facilities were already covered by, and compliant with, the original NIS directive of 2016, you need to pay attention to NIS2, because it introduces some important changes. Some issues that are new in NIS2 include the following:

  • The directive applies to new sectors not covered by the original NIS directive, such as water, waste management, critical manufacturing and more.
  • Any entity that falls under NIS2 must have risk-analyzed its cybersecurity posture, then developed and documented security processes and incident-handling procedures.
  • The supply chain is now covered, so affected entities must assess the cybersecurity of their supply chain and create appropriate risk-management measures.
  • Incident-notification rules are much stricter. Entities must notify authorities of a suspected malicious act affecting their IT or OT networks within 24 hours.
All these new rules, and more, will be transposed into local law by each of the EU member states no later than October 17, 2024. Across the EU, parliaments are working on new legislation to bring NIS2 into force.

If you operate a factory or a major piece of infrastructure, you need to ask yourself if your cybersecurity posture is ready for these changes.

Securing OT networks can be complicated. The average factory or piece of infrastructure may have thousands of connected sensors and devices. Often, these are old and may not have been patched or designed with cybersecurity in mind.

These connected devices might also be undocumented, and therefore outside the scope of regular maintenance and security updates. This leaves the organization doubly vulnerable — unable to comply with NIS but also ignorant of this fact.

Fixing these problems gains an added urgency when you consider the consequences of inaction. Under NIS2, executives are personally accountable for data breaches. And the company itself can be fined up to €10,000,000 or 2% of their global annual revenue.

Take Action Now

How, then, can industrial firms running complex, often heterogeneous, sometimes undocumented OT networks move quickly to initiate their compliance journey with the upcoming cybersecurity directive that’s set to be transposed at the national level by October 17, 2024? Starting preparations now will help provide a smoother transition and better adherence to regulatory requirements.

Often, the answer is to work with an external partner that has the technical skills and knowledge of process, policies and procedures to bring an OT network up to code.

Companies aiming for NIS2 compliance can kickstart their journey with these essential steps:

  1. Audit your current operations and discover the devices, procedures, and technologies in use today across your IT and OT networks.
  2. Use the results of the audit to build a gap analysis, identifying where your IT and OT networks need to be hardened and upgraded for NIS2 compliance.
  3. Draw on established cybersecurity frameworks such as NIST SP 800-82 or IEC 62443, and relevant expertise, to create a tailored NIS2 compliance framework.
  4. Work with expert engineers, process experts and consultants to implement your framework and bring your organization up to code.
  5. Implement a program of procedures, monitoring, risk and crisis management, incident handling, optimization, and continuous improvement to help you remain compliant and keep your organization secured against threats.
  6. Cultivate a culture centered around cybersecurity; this is essential for lasting compliance.
  7. Implement training and awareness programs to educate and empower your employees at all levels to recognize and mitigate cyberthreats.

You can start taking these steps today to develop and implement your own NIS2 compliance framework.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.
