How the EU's NIS2 Directive Impacts the OT Domain

In this short video, Peter van der Voort, OT cybersecurity specialist at OTconnect, explains why the European Union replaced its 2016 Network and Information Systems (NIS) Directive with a second version (NIS2), which EU member states were required to transpose into national law by October 17, 2024. (The directive is EU legislation adopted by the European Parliament and the Council; ENISA, the EU's cybersecurity agency, supports its implementation but did not enact it.) Van der Voort also explores what NIS2 means for organizations in the OT domain.

Video Transcript: NIS2 for the OT Domain

In today's interconnected world, the fabric of our society is increasingly woven with digital threads. And this digital transformation unlocks unprecedented opportunities, but also exposes us to new and evolving cybersecurity threats. That's why the European Union recognized the need to fortify its defenses and ensure a unified approach to cybersecurity across its member states.

Hence the birth of the NIS2 Directive, an evolution of the original Network and Information Systems (NIS) Directive. And why the update? The digital landscape has dramatically changed since the original directive was introduced. We've witnessed a significant increase in cyberattacks, both in frequency and sophistication.

And these aren't just attacks on individual companies anymore. They are attacks on our infrastructure, our public services, and therefore, our way of life. From ransomware against hospitals to attacks on energy grids, the stakes have never been higher.

Furthermore, the original NIS Directive revealed gaps in its coverage. It became clear that the scope needed to be broadened to include more sectors critical to our societal and economic well-being. The NIS2 Directive responds to these challenges by extending its reach and covering more sectors and more digital sources, thus ensuring a higher level of security across the board.

Another key reason for the update is inconsistency in how the original directive was implemented across different EU member states. This fragmentation created ‘cybersecurity weaklings’ that could be exploited. NIS2 aims to harmonize cybersecurity practices across the EU, ensuring that all member states are equally prepared to tackle cyberthreats.

Lastly, the pace of technological innovation continues to accelerate. Emerging technologies like artificial intelligence, the internet of things (IoT), and 5G networks introduce new vulnerabilities. And the NIS2 Directive is designed to be more flexible and able to adapt to the rapidly changing digital landscape and address these future challenges. 

So the NIS2 Directive is not just an update, it's a necessary evolution to bolster our collective cybersecurity defenses, ensure operational resilience, and protect the critical infrastructure that underpins the European Union. As we move forward, embracing this directive is paramount for all sectors including operational technology (OT).

Now, let's have a look at how NIS2 specifically impacts the OT domain. First, it has an expanded scope to cover more OT sectors. This too broadens the range of sectors deemed critical, thereby extending to more OT environments. This includes sectors like water supply, energy, transport, health, food and beverage, and digital infrastructure.

And with this expansion, many more OT operators might now fall under the directive's requirements, necessitating a reassessment of their cybersecurity practices. It requires stricter security and reporting requirements. Organizations within the OT domain are required to adopt risk management measures and report serious incidents to national authorities. 

And NIS2 mandates a more rigorous approach to security, pushing entities to strengthen their defenses against cybersecurity threats and vulnerabilities specific to OT, such as those related to legacy systems and industrial control systems in general, and overall resiliency against cyberthreats, by requiring entities in the OT domain to adhere to higher security standards.

NIS2 aims to enhance the resiliency of critical infrastructure against cyberthreats. This includes ensuring that systems are adequately protected, monitored, and capable of recovering from cybersecurity incidents, which is crucial in environments where safety and operational continuity are paramount.

NIS2 also places a greater emphasis on supply chain security, acknowledging the interconnected nature of cybersecurity risks. OT environments often rely on a complex supply chain, including hardware and software vendors, service providers, maintenance contractors, etc. Organizations will need to ensure that their suppliers adhere to cybersecurity standards that align with NIS2 requirements, thereby mitigating risks that could originate from third-party components or services.

And the directive seeks to harmonize cybersecurity practices across the EU, promoting a consistent level of security in the OT domain across member states. This includes standardized reporting protocols and risk management practices, facilitating cross-border collaboration in the face of cyberthreats and incidents.

And with the introduction of stricter enforcement measures and the potential for significant penalties for non-compliance, organizations in the OT domain are incentivized to prioritize cybersecurity. This not only includes adhering to the directive's requirements, but also fostering a culture of cybersecurity awareness and preparedness within the organization.

Lastly, NIS2 encourages increased information sharing and collaboration among EU member states and between public and private sectors. And this is particularly relevant for the OT domain, where sharing insights about vulnerabilities, threats, and best practices can significantly enhance the security and resilience of critical infrastructure.

In summary, NIS2 represents a comprehensive effort to strengthen the cybersecurity posture of the OT domain across the European Union, addressing both specific vulnerabilities inherent to OT environments and broader cybersecurity challenges.
