An increasingly digitized world with growing digital connectivity brings enormous opportunities, and with them new attack paths for cyber criminals to exploit. In parallel, the number, complexity, and scale of cybersecurity incidents and their economic and social impact are growing. Supply chains are more interconnected, and a security breach at one entity can significantly impact an entire region or industry. The EU is increasing the security risk management requirements for the region to protect the digital landscape.

At the end of 2022, the European Union published the final version of “Measures for a high common level of cybersecurity across the Union,” also called “NIS2”. This is the successor of the “Network and Information Security Directive” (NISD), which was released in 2016. The directive provides legal measures to improve overall cybersecurity across the EU. This includes obligations for businesses, government authorities, and cooperation between EU member states on security risks and incidents. The differences between the NIS2 draft version (released in 2020) and the final version are significant, and this paper refers to the final version.

This document’s purpose is to provide an overview of the final NIS2 directive. Our second whitepaper provides practical advice and security measures for incident detection and reporting and for OT security, based on an EU member state’s recently published methodology update.

Management Summary NIS2

The NIS2 directive will become effective across all EU member states by 17 October 2024. All requirements apply to entities of specific sectors and business sizes that are active in one or more EU member states. For a business to be in scope, the entity has to engage in economic activities, irrespective of its legal form. Major suppliers will also be in scope if their clients are in the EU and receive critical services from them.

Key aspects of NIS2:

  • A new level of liability: Severe and painful fines and penalties for repeated non-compliance are intended, up to the temporary suspension of C-level and board members
  • More industries: Supervision and enforcement by local authorities for medium and large organizations across more than a dozen key sectors
  • Minimum requirements: Mandatory, reviewable, and sanctionable cybersecurity measures for incident reporting and risk management, including response and remediation. EU member states can define stronger requirements for their territory
  • Supply chain included: Requires risk reviews of the security practices of major connected third-party service providers, including, e.g., managed security service providers
  • Government support: Entities without adequate security staffing can ask for help in case of a major incident
  • Maximum fines: Defined by member states, but the maximum must be at least 1.4% of global turnover or €7M for important entities and 2% of global turnover or €10M for essential entities

The expected impact:

  • Gain in security maturity insights across EU member states: Expect government authorities to develop a good understanding of effective measures in your industry and to raise the expected security maturity to a common level.
  • Efficient management of risks required: Adding active risk management measures will put cost and time efficiency pressure on the organization, as it requires not only detecting risks but continuously assessing and responding to them.
  • NIS2 is not the end: Cybersecurity maturity is a strategic target of the EU Commission, and in parallel to NIS2, additional initiatives are underway. An increase in requirements and fines can be expected.
  • Recently published measures from an EU member state, which we discuss in Chapter II, indicate that NIS2 compliance will require a significant increase in security maturity (approx. CMM level 3-4): better understanding and actively managing risks, not only detecting incidents but also taking remediation actions, and measuring the outcome and the efficiency of security management.

Suggested actions:

  • Review your compliance: Assess security risks based on all relevant assets, review your security risk management and incident detection and response capabilities, and define local, regional (EU), and global responsibilities. Solutions like Verve can help to evaluate and resolve security issues.
  • Close gaps: Identify OT-accepted security solutions based on their security coverage, work efficiency, and operational costs. Get a demo and run a pilot before selecting a vendor. OT security solutions for different maturity levels are available; go with the one that covers regulatory compliance as well as internal requirements. Keep in mind that you will probably need to grow into a higher maturity level over time; make sure the investment is sustainable and the solution does not have to be replaced after two years because requirements have increased. The more integrated the solutions are, the more efficient (in time, effort, and cost) security management becomes.
  • Prepare for expected security controls: As of today, the expected measures have not been published in detail. ENISA, the European cybersecurity agency, released a mapping of NIS2 requirements to global security standards. For a first idea of the security controls to be expected, we mapped the expected NIS2 measures to the 2023 version of the security compendium from the German BSI in Chapter II of this document. We also mapped the BSI controls to our security solution, which is built by control systems engineers and allows clients to gain deep security insights into their OT assets, enabling them to make informed decisions and act on events in an OT-accepted, cost- and time-effective way.
  • Note to CISOs and board members: Be aware of what is coming, not only because you can be held personally responsible but also because the EU is on its way to building and enforcing a major and rather complex framework of security compliance regulations across all member states. If organizations fail to take the initiative, the initiative will be taken by government authorities, which can cause stress for your organization.

NIS2 and important related regulations 2023/2024

NIS2 is part of the EU’s cybersecurity strategy and complements other directives and laws. Especially relevant for operational environments are the Critical Entity Resilience (CER) directive, which is closely interrelated with NIS2, and the EU Cyber Resilience Act (ECRA). Both have significant consequences for vendors, operators, and service providers of operational equipment; ECRA becomes effective at the end of 2023.

CER Directive (final):

Finalized and transposed in parallel with the NIS2 Directive; together, they cover the range from digital cyberattacks (NIS) to physical attacks and natural disasters (CER). CER focuses on physical rather than digital resilience measures for critical entities. National authorities perform reviews and assess the effectiveness and accountability of the risk management process; they can also provide significant support to entities. Both directives become effective by October 2024.

EU Cyber Resilience Act (ECRA):

Becomes legally effective at the end of 2023 and focuses on regulating a broad range of digital devices, their hardware, and solutions with embedded software and applications. It imposes obligations on manufacturers, importers, and distributors of these products across their life cycles. It also defines essential requirements for the design, development, production, and operation of digital products and adds requirements for vulnerability and incident handling for manufacturers and obligations for operators.

ENISA’s 2023 report uses NIS-based reported data

To improve cybersecurity and create risk awareness, ENISA publishes an annual threat landscape report that includes NIS-based incident reporting information and globally gathered incident data. A recently released 2023 report for the transport sector shows, for the first time, targeted systems that include OT (left image) and observed incidents across all sectors (right image); for 2022, it once again concludes that ransomware increased, impacting vulnerable and unpatched systems.

What does the coverage of OT mean for the organizations in scope?

We know there is already a skills shortage in cybersecurity, especially for OT, and there is a notorious lack of experts who combine an understanding of industrial operational risk with security expertise. Entities and regulators must find ways to identify and evaluate the most efficient, automated, and integrated approaches for continuous and active management of risks, including OT. NIS2 will require organizations to understand their risks and actively manage their security measures. A one-time, project-based security investment into a single-dimensional technology without proper management integration will not be sufficient to cover the increasing requirements. Especially for operational environments, entities will either acquire new security solutions for each maturity step they take or invest in higher-maturity solutions they can grow with and into. The latter approach is more effective; the former is slower and pricier. As some entities are regularly audited, effective and valuable approaches to OT security will quickly become visible to authorities.

Who is in scope?

The last NIS2 update added a new level of flexibility to who is in scope. The added flexibility allows regulators to move entities between weaker and tougher sets of requirements; unfortunately, it also makes it more complex for entities to determine whether they are in scope.

Scoping elements:

  • Medium and large-sized entities that provide or carry out services within the Union and are active within the sectors of NIS2 Annex I or II
  • NIS2 Annex I or II type entities of any size when the entity
    • is critical because of its specific importance at the national or regional level for the particular sector or type of service, or for other interdependent sectors in the member state
    • is the sole provider of a service in the member state, and that service is essential for the maintenance of critical societal or economic activities
    • is a trust service provider, a public communication network provider, or a DNS service provider
  • NIS2 Annex I or II type entities of any size when a service disruption
    • could have a significant impact on public safety, security, or health
    • could create significant systemic risks, especially for sectors where a disruption could have a cross-border impact
  • Member states may include critical research activities

NIS2 distinguishes between essential and important entities. Essential entities have increased security requirements and face stricter supervision and higher penalties. See the image below for the major requirements; we provide more details later on.

At some point, you will be able to reach out to ENISA for clarification; the EU agency will create and maintain a registry of essential and important entities under NIS2. Until then, you can perform a pre-check to determine whether you could be in scope. Because the methodology is rather complex (and flexible, so that the EU Commission can extend it), we provide a quick check-up chart.

To perform a pre-check of whether you are considered an essential or important entity, you need to know the following:

  • whether your industry or sub-industry is listed in Annex I or II (see the tables below)
  • your company size (see the image on the right)

Annex I sectors:

Sector / Subsector: Type of entity

  • Energy / Electricity: Energy supply, selected distribution system operators, selected transmission system operators, selected electricity producers, nominated electricity market operators and selected participants
  • Energy / District heating and cooling: Operators of district heating or district cooling
  • Energy / Oil: Operators of transmission pipelines; operators of oil production, refining and treatment facilities, storage and transmission; selected central oil stockholding entities
  • Energy / Gas: Selected suppliers, selected distribution system operators, selected transmission system operators, selected storage system operators, selected LNG system operators, selected natural gas undertakings
  • Energy / Hydrogen: Operators of hydrogen production, storage and transmission
  • Transport / Air: Selected air carriers, selected airport managing bodies, air traffic control (ATC) service providers
  • Transport / Rail: Selected infrastructure managers, selected railway undertakings
  • Transport / Water: Selected inland, sea and coastal passenger and freight water transport companies, selected managing bodies of ports, selected operators of vessel traffic services
  • Transport / Road: Selected road authorities, selected delegated traffic management control regulations, selected operators of intelligent transport systems
  • Health / Pharma, manufacturing, laboratories, services: Selected entities manufacturing medical devices considered critical during a public health emergency, selected healthcare providers, EU reference laboratories, selected entities carrying out research and development of medicinal products, selected entities manufacturing basic pharmaceutical products and pharmaceutical preparations
  • Water / Drinking water: Selected suppliers and distributors of water intended for human consumption, excluding those whose activity consists mainly of other general activities
  • Water / Wastewater: Selected undertakings collecting, disposing of, or treating urban, domestic and industrial wastewater, where this is an essential part of the business
  • Space / Infrastructure, services: Selected operators of ground-based infrastructure, owned, managed and operated by member states or by private parties, that support the provision of space-based services
  • B2B ICT services: Managed service providers (MSP), managed security service providers (MSSP)
  • Digital infrastructure: e.g., selected providers of public electronic communications networks and services, data center service providers; selected medicinal products, selected cosmetics, tobacco, narcotics
  • Banking, financial markets, public administration: Not in the focus of this document

Annex II sectors:

Sector / Subsector: Type of entity

  • Postal and courier services: Selected postal service providers
  • Waste management: Selected entities carrying out waste management, excluding undertakings for which waste management is not their principal economic activity
  • Food production, processing and distribution: Entities engaged in wholesale distribution and industrial production and processing of any food and drink; not a food business (e.g., feed, live animals unless intended for human consumption, plants prior to harvesting)
  • Manufacturing / Chemicals: Selected undertakings carrying out the manufacture, production and distribution of substances and articles
  • Manufacturing / Medical devices: Entities manufacturing medical devices
  • Manufacturing / Computer, electronic and optical products: Entities that manufacture computers, electronic and optical products, electronic components and boards, loaded electronic boards, computers and peripheral equipment, communication equipment, consumer electronics, instruments and appliances for measuring, testing and navigation, watches and clocks, irradiation, electromedical and electrotherapeutic equipment, optical instruments and photographic equipment, magnetic and optical media
  • Manufacturing / Electrical equipment: Entities that manufacture electrical equipment, electric motors, generators, transformers and electricity distribution and control apparatus, batteries and accumulators, wiring and wiring devices, fiber optic cables, other electronic and electric wires and cables, wiring devices, electric lighting equipment, domestic appliances, non-electric domestic appliances, other electrical equipment
  • Manufacturing / Machinery and equipment n.e.c.: Entities that manufacture general-purpose machinery, engines and turbines (except aircraft), vehicle and cycle engines, fluid power equipment, other pumps and compressors, taps and valves, bearings, gears, gearing and driving elements, other general-purpose machinery, ovens, furnaces and furnace burners, lifting and handling equipment, office machinery and equipment (except computers and peripheral equipment), power-driven hand tools, non-domestic cooling and ventilation equipment, other general-purpose machinery n.e.c., agricultural and forestry machinery, metal forming machinery and machine tools, other special-purpose machinery, machinery for metallurgy, machinery for mining, quarrying and construction, machinery for food, beverage and tobacco processing, machinery for textile, apparel and leather production, machinery for paper and paperboard production, plastic and rubber machinery, other special-purpose machinery n.e.c.
  • Manufacturing / Motor vehicles, trailers and semi-trailers: Entities that manufacture motor vehicles, trailers and semi-trailers, bodies (coachwork) for motor vehicles, parts and accessories for motor vehicles, electrical and electronic equipment for motor vehicles, other parts and accessories for motor vehicles
  • Manufacturing / Transport equipment: Entities that manufacture transport equipment, ships and boats, ships and floating structures, pleasure and sporting boats, railway locomotives and rolling stock, air and spacecraft and related machinery, military fighting vehicles, transport equipment n.e.c., motorcycles, bicycles and invalid carriages, other transport equipment n.e.c.

If your sector or company size is not on either list, you may still be in scope if:

  • You are a major services provider to a client that is considered in the scope of NIS2. In this case, you will not face mandatory duties but will require some cybersecurity practices, like a defined process for vulnerability disclosure and communication with the client. Providers of managed security services are in scope.

Member states can exclude the areas of defense, national security, public security, and law enforcement from the requirements of the directive.

NIS2 compliance requirements

Duty to provide entity contact details:

All entities in scope must provide contact details:

  • Initially notify ENISA of your entity name, the addresses of your main and other legal establishments in the EU, and up-to-date contact details, including email addresses and telephone numbers
  • Foreign corporations not established in the EU but providing services there (e.g., data center, content, and service providers) must provide the contact details of a designated representative
  • Notify changes within three months of the change becoming effective

Reporting obligations for a potential severe incident:

All entities in scope must report severe incidents. Support from local government, authorities, and the CSIRT, together with information sharing across entities, is one of the main areas of regulation. The importance of the topic is reflected in tight deadlines, and failures to meet them can become subject to sanctions. A notification does not make the notifying entity subject to increased liability.

A severe incident that must be reported to local authorities or the CSIRT is characterized as:

  • severely impacting services, or
  • imposing a significant financial loss, or
  • causing a significant immaterial or material impact on a natural or legal person

The EU is building tools to support the reporting process and allow quick escalation and support of the incident response. Entities can ask to be supported by authorities.

Report / What? / Deadline

  • Early warning: Is there a cross-border impact? Is it an unlawful or malicious act? Deadline: within 24 hours after becoming aware of the incident
  • Incident notification: Update to the early warning data, initial assessment, severity and impact, indicators of compromise (if available). Deadline: within 72 hours after becoming aware of the incident
  • Intermediate report: Relevant status updates. Deadline: when requested by the government (at any time)
  • Final report (progression report if the attack is ongoing): Detailed description of the incident, including severity and impact; type of threat or root cause; applied and ongoing mitigation measures; cross-border impact of the incident. Deadline: one month after submission of the initial notification
  • Final report after an ongoing attack: Same content as the final report above. Deadline: within one month of handling the incident

Who and when to notify?

  • The national competent authority or CSIRT
  • Recipients of the services (incidents and potential incidents)
  • Without undue delay, within 24 hours after having become aware of the incident

A final incident report must be sent no later than one month after the submission of the incident notification. It must at least include:

  • A detailed description of the incident, its severity, and its impact
  • Type of threat or root cause that likely triggered the incident
  • Applied and ongoing mitigation measures
  • Whether the incident has a cross-border impact or is caused by unlawful or malicious action

In Chapter II, we will discuss what incident handling measures can be expected to look like, based on the recently released security methodology of an EU member state.

Minimum security risk management measures:

Like NISD, NIS2 only provides a minimum mandatory set of measures to cover. These are not necessarily interconnected or even directly related; in many cases, additional steps, processes, or security functions lie in between. Security measures are not specified in detail. This is normal for EU directives: they only describe a broad outcome and allow national legislation to choose the level of detail it regulates. An implementing regulation for NIS2 with more detailed requirements, binding on the member states, will follow later. The following list contains the minimum mandatory areas of coverage for all entities; exceptions are mentioned.

All entities must take effective, appropriate, and proportionate technical and organizational measures to manage the cybersecurity risks posed to the security of networks and information systems. These measures shall ensure that the level of security is appropriate to the risk presented. Management is accountable for all measures and for any non-compliance.

The following measures represent the minimum requirements to be covered:

  • Asset management
  • Basic cyber hygiene practices and cybersecurity training
  • Incident handling (we discuss potentially expected measures in Chapter II)
  • Policies for risk analysis, information system security, and access control
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Business continuity, including backup management, disaster recovery, and crisis management
  • Supply chain security, including the security of relationships between the entity and its direct suppliers and service providers, taking into account
    • vulnerabilities specific to each supplier and service provider,
    • the product quality and cybersecurity practices of their suppliers, including secure development procedures, and
    • the results of coordinated security risk assessments of critical supply chains
  • Security in the network and information systems lifecycle, including vulnerability handling and disclosure
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate

Quick checklist for the first steps:

  • Relevant assets are detected to a very high degree within an appropriate timeframe. This also applies to OS-based and embedded systems in OT.
  • Security policies are documented, communicated, and assessed.
  • A process to report potential significant incidents is in place.
  • Assets in scope have been identified and are monitored, and their vulnerabilities and threats are managed.
  • The entity is capable of identifying, monitoring, and alerting on threats and has the capability to respond to them.
  • A ticketing system to manage and document incident detection, triage, and response is in place.
  • Critical processes and their assets are known and documented, and security measures are in place.
  • Supply chain risks are identified, and mitigating measures are in place.
  • Evidence from a security management system can be relied on for industrial assets.

An overview of a timeline with preventive and detective risk management measures (A3), a security incident, and the subsequent reporting duties (A2) was provided in the presentation we gave on the final NIS2 directive.

Supervision, enforcement, fines, and penalties

As a general rule, essential entities are subject to a stronger supervisory regime, while important entities are subject to lighter supervision: they have no initial obligation to systematically document compliance with the cybersecurity risk management requirements until a major incident or threat happens. At that point, they will be supervised, face enforcement of violations, and can be subject to fines and penalties.

Supervision:

Essential and important entities face equal baseline measures. Additional requirements for essential entities will be covered in the next paragraph.

Supervision of all entities in scope:

  • Is coordinated with the legal representative of the entity
  • Includes on-site inspections
  • Includes off-site inspections
  • Authority can request information to assess compliance
  • Authority can request evidence of security policy implementation

Additional supervision for essential entities covers:

  • Regular and ad hoc audits, including the collection of evidence
  • Random, unplanned checks by authorities

Enforcement of violations:

Should the supervision identify compliance violations, enforcement will come into effect. Again, we will separate baseline enforcement from enforcement that applies to essential entities alone.

For all entities in scope, local authorities can

  • issue warnings
  • issue binding instructions to remediate incidents within a set deadline
  • order the entity to cease the infringing conduct and make the infringement public, and provide guidance
  • order the implementation of security audit recommendations within a set deadline
  • impose administrative fines

Additional enforcement for essential entities includes:

  • Initiate a temporary prohibition on exercising managerial functions at the CEO or legal representative level
  • Designate a monitoring officer to oversee compliance
  • Issue binding instructions to prevent incidents, with deadlines for implementation and reporting

When issuing enforcement actions and penalties for either entity type, authorities must consider

  • the severity of the infringement, such as
    • repeated violations,
    • failure to notify or remediate significant incidents or to follow binding instructions,
    • obstruction of audits or monitoring activities,
    • providing false or grossly inaccurate information
  • the duration of the infringement
  • previous infringements
  • the material and non-material damage caused and the users affected
  • any intent or negligence
  • measures taken to prevent or mitigate damage
  • the level of cooperation

Penalties and fines:

The directive states multiple times that penalties defined by each member state must be effective, proportionate, and dissuasive.

For all entities in scope, local authorities can

  • impose periodic penalty payments to compel the entity to cease the infringement
  • impose additional sanctions (effective by January 2025)

Important entities face maximum penalties of at least 1.4% of global turnover or €7M, whichever is higher.

Essential entities face maximum penalties of at least 2% of global turnover or €10M, whichever is higher.

How Verve helps with NIS2

One of the major changes for entities in the scope of NIS2 is the requirement to actively manage risks: not only to detect and document them but also to remediate them. The image below shows Verve’s unique capability to collect rich, asset-related security information, which helps to detect risks as well as incidents (left circle), and its capability to remediate them, as the Verve platform enables organizations to take informed actions on risks and incidents.

(Image: 360 degree risk assessment)

Taking action is provided in a sophisticated way that reflects the reality of most security departments in OT: limited personnel and limited expertise. Risk data related to incident causes is collected throughout the OT environment (data arrow up). The data is then analyzed, and a strategic and methodical (global, regional, or local) response is orchestrated by a small expert team. The response action is prepared and proposed to the local operations team before it is executed (actions arrow down), so the local field level stays in control.

(Image: chart for the think global, act local concept)

NIS2 Webinar

Watch our on-demand NIS2 webinar as we dive deeper into the new EU cybersecurity regulation.
