Electrification technologies have grown increasingly complex in recent decades, and the regulatory environment has struggled to keep up not only with the pace of technological advances, but also with the new threats that have emerged alongside them. The proliferation of remote condition monitoring and enhanced connectivity means that more data is being transmitted throughout a facility, as well as to and from the cloud, than ever before. While these advances have vast potential to improve the efficiency, reliability and safety of electrical systems, from a cybersecurity perspective they also enlarge the attack surface and introduce new risks that need to be addressed. The EU’s NIS2 Directive is an attempt to standardize cybersecurity risk management, incident response and incident reporting for organizations that operate within the EU.
Even in systems that are perceived as relatively secure, new vulnerabilities are discovered with increasing regularity. The problem is compounded in legacy equipment that is no longer supported with manufacturer security updates. With fast, widespread and constant network connectivity driving much of the innovation in this sector, fully isolating legacy systems from the rest of the plant is rarely a feasible security measure any longer, although segmenting them into tightly controlled network zones remains an important compensating control. However, ripping out and replacing large amounts of automation equipment is expensive and difficult to implement efficiently.
The NIS2 Directive has been developed in response to these challenges. It is a legislative framework that aims to establish a high common level of cybersecurity for network and information systems across the EU. Member states were required to have transposed it into national law by October 2024, and it builds upon and widens the scope of the original NIS directive (NIS1). One of the key differences between NIS1 and NIS2 is that NIS2 applies to entities providing in-scope services within the EU regardless of where they are established, so a company headquartered outside the EU can still be within scope.
How EU legislation works
EU directives, and the processes that govern their introduction, implementation and enforcement, are often highly complex. A directive is a legislative act that sets out a result that EU countries must achieve. It is then up to each member state to enact its own laws or other mechanisms to achieve that result, a process known as transposition. Directives are distinct from EU regulations, which are directly applicable in all member states without any national implementing law.
NIS2 (Directive (EU) 2022/2555) entered into force in January 2023, and the deadline for transposition by member states was 17 October 2024. Some countries are further along than others in enacting their national legislation, and the precise obligations and enforcement mechanisms depend on that national law. Nonetheless, organizations should treat the requirements of NIS2 as applicable across the whole EU bloc as of the October 2024 deadline and plan accordingly.
What does NIS2 mean in practice?
Compared to NIS1, NIS2 brings more sectors into the scope of the legislation. It still does not cover all organizations, and some industries remain outside it. Within the covered sectors, medium and large organizations in both the public and private sectors are in scope, although specific exemptions may apply, and certain entities are in scope regardless of size because of the criticality of their services.
Another major change from NIS1 is where accountability falls in the event of non-compliance. NIS2 makes an organization’s management bodies responsible for approving and overseeing its cybersecurity risk management measures, and they can be held personally liable for failures, although individual sanctions will vary from case to case and from country to country. At an organizational level, heavy fines may be levied for non-compliance: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever is higher.
In terms of actual requirements, NIS2 obliges organizations to take a risk-based approach to security and reporting, covering all hazards rather than a fixed list of threats. Every organization is different, so there is no single universal checklist that guarantees compliance. Rather, NIS2 is about putting the right policies, procedures and culture in place to address risks and ensure robust cybersecurity. An organization’s risk analysis and incident handling policies should therefore be appropriate and proportionate to the risks it actually faces, to the likelihood and potential impact of incidents, and to the size and nature of its operations. In short, there is no one-size-fits-all approach, but organizations must nonetheless ensure that an effective framework is in place to identify and address risks.
NIS2 also tightens the requirements for incident reporting, including the content of reports, who they must go to, and the timelines within which they must be supplied. For “significant incidents” the reporting is staged: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. There are additional requirements for addressing cybersecurity risks in an organization’s ICT supply chain and its relationships with suppliers and service providers. Organizations must also consider how to maintain business continuity in the event of a major cyber incident, which includes, for example, backup management and system recovery, emergency procedures, and the establishment of a crisis response team.
NIS2 requires that a risk management process exists, but how that process is implemented is up to the organization concerned. A framework for implementation is provided in part by the standard IEC 62443-3-2, which governs the process of conducting a cybersecurity risk assessment for industrial automation and control systems: it partitions the system under consideration into zones and conduits, assesses the risk to each, and assigns target security levels that drive the choice of countermeasures. If NIS2 compliance is a concern within an organization, IEC 62443-3-2 can provide a helpful framework by which to make improvements.
What can you do today?
Clearly the full requirements of NIS2 cannot be covered within the space of this article, and for specific guidance it is highly recommended that you consult a trusted and competent advisor. There are, however, some steps you can take now to work towards compliance if it has not already been achieved.
The first thing any organization needs to do is determine whether NIS2 applies to it. Broadly, the directive applies to medium and large organizations, meaning those with at least 50 employees or an annual turnover or balance sheet above €10 million, operating in one of 18 sectors, although exemptions may apply and some smaller entities are brought into scope because of the criticality of their services. The requirements apply to any company that provides in-scope services in the EU even if it has no physical presence there; such companies must designate a representative in an EU member state.
Conducting a risk assessment is a key part of the requirements, as it provides the framework through which compliance can be established and demonstrated. It helps to identify and address current and potential cyber risks, to prioritize which assets and systems are in most urgent need of additional protection, and to decide whether broader policy changes are required across the business. The risk assessment can also be used to appraise incident response and reporting procedures. Its outcomes can thus be used to improve resilience over time, and to support compliance not just with NIS2 but with similar legislation emerging in other territories. Crucially, it drives the implementation of effective threat mitigations to protect your business and your critical assets.
The wider context
NIS2 is indicative of a broader direction of travel, and is just one of several pieces of cybersecurity regulation that organizations need to be aware of both within and outside the EU. As electrification equipment becomes more complex and connected, so too does the range of cybersecurity threats. Regulation aside, effective cybersecurity is simply good business, as a successful attack can be hugely costly and damaging to an organization.
With effective cybersecurity policies and procedures in place, the likelihood of a successful attack can be considerably reduced, as can the severity and cost of any attacks that do occur. ABB Navigate offers security assessments and solutions for customers at every level of maturity, ranging from high-level risk assessments and NIS2/IEC 62443-3-2 advisory and consultancy services to bespoke security software.