NIS2 Compliance for ICS
What are the main takeaways from the new NIS2 Directive and what are the main requirements for compliance?
The NIS2 Directive is a directive by the European Parliament on the measures that need to be taken for a high common level of cybersecurity across the European Union. The NIS2 Directive replaces the previous NIS Directive (EU Directive 2016/1148) and aims to improve the security of crucial services by protecting the networks and information systems of critical and important entities across the EU.
The NIS2 Directive applies to a wide range of organizations, including:
- Essential entities: These are organizations that provide essential services, such as energy, water, transport, and financial services.
- Important entities: These are organizations that are not essential entities, but that could have a significant impact on the economy or society if they were to be disrupted by a cyberattack.
- 3rd parties: Providers and suppliers that want to work with entities that provide essential or important services such as the above two.
The NIS2 Directive applies to “Essential” entities, “Important” entities, and 3rd party providers/suppliers that want to work with those “essential” and “important” entities.
Cybersecurity Measures Required by the NIS2 Directive
The NIS2 Directive is a complex piece of legislation, and there are several different ways that organizations can comply with it. However, the key principles of the directive are risk management, incident response, vulnerability management, security awareness training, and supply chain security.
- Risk management: Organizations must identify and assess the risks to their networks and information systems. This also includes a person or team that is responsible for handling the decisions that need to be made regarding risk, with the blame falling on them if something goes wrong.
- Incident response: Organizations must have a plan in place to respond to cybersecurity incidents within 24-hours of the incident. NIS2 also requires organizations to report certain types of cybersecurity incidents to their national authorities.
- Vulnerability management: Organizations must identify and patch vulnerabilities in their systems in a way that is appropriate for their devices and networks. This use of the term “appropriate” is somewhat ambiguous and it is probably best to err on the side of caution and provide more protection instead of less protection whenever there is any doubt.
- Security awareness training: Organizations must train their employees on cybersecurity best practices. Sometimes the most secure networks can be compromised by an employee clicking on some phishing link or using a weak password. Avoiding these issues can be greatly mitigated if everyone with access has a good understanding of the type of threats that exist and how to avoid them.
- Supply chain security: Organizations must also ensure that their 3rd party vendors are taking appropriate cybersecurity measures. This means that not only does the entire internal operation need to comply with NIS2, but also any 3rd party vendors that provide products or services need to comply too.
Overall, the NIS2 Directive represents a significant step forward in the fight against Europe’s cyber threats. By requiring organizations, and their supply chains, to implement stronger cybersecurity measures, the directive will help in protecting critical infrastructure and other important assets from cyberattacks throughout the European Union.
Stay up to date
Subscribe to our blog and receive insights straight to your inbox