NIS 2 Directive and how to meet the requirements of Article 21

Reading time: 8 minutes - Difficulty: advanced

If you are an essential service provider or working in critical infrastructure, the date 18 October 2024 – i.e. the day when the NIS 2 Directive comes into force – must already be marked in your diary. EU Member States need to transpose its content, but how can organizations meet the cybersecurity requirements set out in Article 21? We can advise you about some of the most suitable Siemens technologies for your company.

Application of the NIS 2 Directive

The NIS 2 Directive applies to a long list of services, divided into essential or important according to the nature of their role. There is a shared obligation to adopt cybersecurity strategies, in response to possible cyber attacks affecting infrastructure.

We should note that the suppliers of essential services listed in Annex I of NIS 2 are already regulated by the NIS Directive of 2018. These include suppliers of:

  • Energy (electricity, oil and gas)
  • Transport (air, rail, water and road)
  • Healthcare
  • Drinking water
  • Waste water
  • Public Administration
  • Space

As indicated in a previous article, NIS 2 extends the obligation for cybersecurity to the category of important services, listed in Annex II, i.e.:

  • Postal and courier services
  • Waste management
  • The manufacture, production and distribution of chemicals
  • Food production, processing and distribution
  • The manufacture of medical devices and in vitro diagnostic medical devices
  • The manufacture of computer, electronic and optical products
  • The manufacture of electrical equipment
  • The manufacture of machinery and equipment n.e.c.
  • The manufacture of motor vehicles, trailers and semi-trailers
  • The manufacture of other means of transport

The EU’s decision to extend the scope of the Network and Information Security Directive is based on the evidence that an increasing number of sectors are undergoing a digital transformation, with the associated cybersecurity risks.

How to comply with Article 21, paragraph 2

The NIS 2 Directive encourages providers of both essential and important services to collaborate with institutional bodies, introduces an obligation to report cybersecurity incidents, and sets out in Article 21 paragraph 2 the following measures for risk management:

  • Policies for risk analysis and system security
  • Incident management
  • Continuity of operations
  • Supply chain security
  • Security in systems acquisition, development and maintenance
  • Strategies and procedures for assessing the effectiveness of risk management measures
  • Basic computer hygiene practices and training
  • Security of human resources, strategies for controlling access and managing assets
  • Use of multi-factor authentication methods or continuous authentication

What we suggest you do in order to implement the requirements of the EU Directive is to carefully analyze your current ways of responding to cyber incidents, so that you know which adaptive security measures you need to focus on. Discover our consultancy service for compliance with NIS 2.

Did you know that IEC 62443 is a possible framework for application of the NIS 2 Directive? Read here or contact us to learn more.

Technologies recommended for compliance with NIS 2

If it is apparent that your organization needs to review its cybersecurity measures to meet NIS 2 requirements, the first step is to choose technology solutions for this purpose.

An example is the Siemens portfolio; it includes a wide range of cybersecurity management applications, some of which meet the requirements of Article 21.

Siemens, as the founder of the Charter of Trust and with the Cyber Emergency Response Team at its disposal, can ensure maximum protection for customers and factories. The development and production processes are certified to offer products of high quality; and after their release, patches and updates are duly provided for an extended period, so that the products in the customers’ possession remain secure and up-to-date at all times.

  • Ensure business continuity with backup management and secure remote access for recovery

Industries, often with branches in other countries, require efficient management during the operational and optimization phases. The maintenance and repair of industrial plants and machinery must be carried out promptly to avoid prolonged interruption of activities and services. Disaster recovery and backup systems are essential to reduce recovery times from days to a few minutes. Siemens offers complete disaster recovery solutions, with online/offline backup options and a wide range of local and external alternatives, such as SIMATIC DCS SCADA Infrastructure.

Facilitating the creation of secure remote connections is a simple process that involves use of the SINEMA Remote Connect VPN management platform and the cRSP remote services platform. The maintenance technician uses a SINEMA Remote Connect or cRSP client, while the system is equipped with a SCALANCE S industrial security device, a SCALANCE M industrial router or an Industrial Next Generation Firewall. Both the technician and the machine establish on-demand (controlled) connections to a SINEMA Remote Connect or cRSP server, where the identity of the participants is verified with the exchange of certificates. Only in this way is remote access granted.

  • Strengthen security with advanced asset management

To fully address the cybersecurity challenges, it is essential to know how to identify, monitor, operate and manage critical Operational Technology (OT) assets. Throughout the cybersecurity life cycle, a detailed view of OT assets is critical for effective management and for reducing the attack surface. However, industrial infrastructures often contain a variety of assets from different suppliers, with inventories and documentation that are frequently obsolete. Not all assets come with the latest firmware update, and this poses potential cybersecurity risks.

The solution makes use of the centralized SINEC NMS (Network Management System), SMC (SIMATIC Management Console) and PRONETA systems to offer network monitoring, topology discovery, diagnostics and firmware management. In addition, the SINEC Security Inspector carries out high-performance, non-invasive, vendor-independent scans, generating an easily manageable installation overview.

  • Manage incidents with anomaly-based intrusion detection

As is well known, production departments have undergone a transformation, moving from disconnected islands to highly complex networks, with limited visibility of the assets and the communications between them. Zero-day attack schemes occur regularly during the stages of operation and optimization, and the lack of visibility of assets and communication protocols in industrial control systems increases the risk. Delayed detection of industrial cybersecurity incidents results in downtime and difficult recovery. The NIS 2 Directive defines reporting requirements for essential and important entities, and the ability to report depends on the effectiveness of detection.

Industrial Anomaly Detection provides a detailed view of the linked assets and data exchanges, continuously and proactively identifying changes in the system. Thanks to AI, the software analyzes network traffic during a learning phase and evaluates current traffic to detect anomalies, such as intrusions by hackers or data theft. This completely passive monitoring solution integrates seamlessly into industrial networks and control systems.
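The learning-phase-then-detection approach described above, reduced to its core logic, as an added example (not Siemens code and not the Industrial Anomaly Detection product): a baseline of assets, communication pairs, protocols and typical flow volume is learned from a constructed set of flow records, and live flows are then compared against it. The IP addresses, protocol labels, ports and the five-times volume threshold are all assumptions chosen for illustration.

```python
"""Baseline-then-detect anomaly detection over OT flow records (added example).

Two phases, as in the text: learn() builds a model of normal traffic from a
learning period; detect() flags live flows that deviate from it. All flow
records below are constructed sample data, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str        # source asset (assumed IPv4 address)
    dst: str        # destination asset
    proto: str      # application protocol label (assumed names)
    dport: int      # destination port
    nbytes: int     # bytes transferred in this flow


@dataclass
class Baseline:
    assets: set = field(default_factory=set)
    # (src, dst) -> set of (proto, dport) seen between that pair
    pairs: dict = field(default_factory=lambda: defaultdict(set))
    # (src, dst, proto, dport) -> mean bytes per flow during learning
    volume: dict = field(default_factory=dict)


def learn(flows):
    """Learning phase: record every asset, pair, protocol and mean volume."""
    base = Baseline()
    sums = defaultdict(lambda: [0, 0])          # key -> [total bytes, flow count]
    for f in flows:
        base.assets.update((f.src, f.dst))
        base.pairs[(f.src, f.dst)].add((f.proto, f.dport))
        s = sums[(f.src, f.dst, f.proto, f.dport)]
        s[0] += f.nbytes
        s[1] += 1
    base.volume = {k: total / count for k, (total, count) in sums.items()}
    return base


def detect(base, flows, volume_factor=5.0):
    """Detection phase: return (kind, flow, detail) for each deviation.

    Checks run from most to least severe, and a flow is reported once:
    unknown asset, then unknown pair, then unknown protocol on a known pair,
    then a volume far above the learned mean (possible bulk data exfiltration).
    """
    findings = []
    for f in flows:
        new_assets = [a for a in (f.src, f.dst) if a not in base.assets]
        if new_assets:
            findings.append(("new_asset", f, new_assets))
            continue
        if (f.src, f.dst) not in base.pairs:          # checked before indexing
            findings.append(("new_communication_pair", f, None))
            continue
        if (f.proto, f.dport) not in base.pairs[(f.src, f.dst)]:
            findings.append(("new_protocol", f, None))
            continue
        mean = base.volume[(f.src, f.dst, f.proto, f.dport)]
        if f.nbytes > volume_factor * mean:
            findings.append(("volume_spike", f, f.nbytes / mean))
    return findings


# Constructed learning period: HMI and engineering station talk to a PLC,
# the PLC feeds a historian. Addresses and protocol names are assumptions.
LEARNING_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", "s7comm", 102, 1100),   # HMI -> PLC
    Flow("10.0.1.10", "10.0.1.20", "s7comm", 102, 1300),
    Flow("10.0.1.10", "10.0.1.20", "s7comm", 102, 1200),
    Flow("10.0.1.11", "10.0.1.20", "s7comm", 102, 4000),   # engineering -> PLC
    Flow("10.0.1.20", "10.0.1.30", "opcua", 4840, 8000),   # PLC -> historian
    Flow("10.0.1.20", "10.0.1.30", "opcua", 4840, 8000),
]

# Constructed live traffic: one normal flow and four deviations.
LIVE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", "s7comm", 102, 1250),   # normal
    Flow("10.0.1.99", "10.0.1.20", "s7comm", 102, 900),    # unknown laptop
    Flow("10.0.1.10", "10.0.1.20", "http", 80, 300),       # HMI uses new protocol
    Flow("10.0.1.20", "10.0.1.30", "opcua", 4840, 90000),  # 11x usual volume
    Flow("10.0.1.11", "10.0.1.30", "ssh", 22, 500),        # known hosts, new pair
]


def run_example():
    """Learn from LEARNING_FLOWS, then return the kinds of anomalies in LIVE_FLOWS."""
    base = learn(LEARNING_FLOWS)
    return [kind for kind, _, _ in detect(base, LIVE_FLOWS)]


if __name__ == "__main__":
    for kind, flow, detail in detect(learn(LEARNING_FLOWS), LIVE_FLOWS):
        print(f"{kind:24s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} {detail or ''}")
```

The monitoring is passive in the same sense as in the text: the detector only reads flow records and never sends anything onto the network. In practice the learning period must be long enough to include rare but legitimate traffic (scheduled backups, engineering sessions), otherwise those become false positives once detection starts.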

  • Minimize cyber risks by encrypting communication in OT networks

With the world of production now more dynamic than ever, access to data throughout the entire life cycle of products has become crucial. Devices, systems and users exchange data continuously or on demand, often without a proper system for managing access to data or without identification mechanisms. In the absence of safeguards, anyone can connect to the network, making the system vulnerable to man-in-the-middle attacks. Since the data travel in clear text, they are exposed to risks such as theft, manipulation, espionage and sabotage. One of the cybersecurity risk management obligations of NIS 2 is, if appropriate, the adoption of encryption.

End-to-end encryption between TIA Portal, S7-1500/1200 controllers and HMI with secure communication based on Transport Layer Security (TLS) V1.3 ensures the integrity of the system. This goes together with the protection of the endpoints themselves, a fundamental measure to protect systems from the risks associated with malware. Siemens offers tested and approved solutions, with a diverse range of options for both signature and anomaly-based detection and prevention mechanisms, including Endpoint Detection and Response (EDR), Next-Gen antivirus software, and traditional air-gapped solutions.

  • Increase the security and availability of assets by managing vulnerabilities and updates

It is essential to update the systems regularly during the stages of operation and optimization. New vulnerabilities are reported daily, and can be exploited by attackers in the absence of suitable mitigation measures. Identifying new vulnerabilities early and minimizing the time it takes to apply updates is vital, as well as being one of the NIS 2 obligations.

Vilocify's vulnerability services allow you to protect your infrastructure with detailed vulnerability information and custom alerts. SINEC Security Inspector checks the network for potential vulnerabilities that could be exploited for cyber attacks. Update Management helps you perform critical updates of Microsoft products.
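The practice the two preceding paragraphs describe, identifying which inventoried assets a newly published advisory affects and how long each exposure has been open, as an added example that is not Siemens or Vilocify code: an asset inventory is matched against advisories by vendor, product and version range, and the exposures are ranked by severity and age. Vendor names, product names, versions, the `ADV-000x` identifiers, scores and dates are all constructed placeholders, not real advisories.

```python
"""Match an OT asset inventory against vulnerability advisories (added example).

An advisory applies to an asset when vendor and product match and the asset's
version lies in [affected_from, fixed_in). The report is sorted by CVSS score,
then by how long the advisory has been open, so the items that most shorten
the "time to update" metric come first. All records are constructed samples.
"""
from datetime import date

# Constructed inventory; in practice this would come from a discovery tool.
INVENTORY = [
    {"id": "PLC-01", "vendor": "ExampleVendor", "product": "ExamplePLC", "version": "2.3.1"},
    {"id": "PLC-02", "vendor": "ExampleVendor", "product": "ExamplePLC", "version": "2.4.0"},
    {"id": "SW-01", "vendor": "ExampleVendor", "product": "ExampleSwitch", "version": "5.1.0"},
    {"id": "HMI-01", "vendor": "OtherVendor", "product": "ExampleHMI", "version": "1.0.0"},
]

# Constructed advisories with placeholder ids; fixed_in=None means no fix yet.
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "ExampleVendor", "product": "ExamplePLC",
     "affected_from": "2.0.0", "fixed_in": "2.4.0", "cvss": 9.8, "published": date(2024, 9, 1)},
    {"id": "ADV-0002", "vendor": "ExampleVendor", "product": "ExampleSwitch",
     "affected_from": "5.0.0", "fixed_in": None, "cvss": 7.5, "published": date(2024, 10, 10)},
    {"id": "ADV-0003", "vendor": "ExampleVendor", "product": "ExamplePLC",
     "affected_from": "1.0.0", "fixed_in": "2.0.0", "cvss": 8.1, "published": date(2023, 5, 1)},
]

TODAY = date(2024, 10, 18)   # assumed reporting date for the example


def parse_version(text):
    """Turn a dotted numeric version such as '2.3.1' into a comparable tuple.

    Assumption: versions are purely numeric and dotted; real firmware version
    schemes (suffixes like '2.3.1-hf2') need a vendor-specific parser.
    """
    return tuple(int(part) for part in text.split("."))


def is_affected(asset, advisory):
    """True when the advisory covers this asset's product and version."""
    if (asset["vendor"], asset["product"]) != (advisory["vendor"], advisory["product"]):
        return False
    version = parse_version(asset["version"])
    low = parse_version(advisory["affected_from"])
    high = parse_version(advisory["fixed_in"]) if advisory["fixed_in"] else None
    return low <= version and (high is None or version < high)


def exposure_report(inventory, advisories, today):
    """List every (asset, advisory) exposure, most urgent first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                findings.append({
                    "asset": asset["id"],
                    "advisory": adv["id"],
                    "cvss": adv["cvss"],
                    "days_open": (today - adv["published"]).days,
                    "fixed_in": adv["fixed_in"],       # None: mitigate, cannot patch yet
                })
    findings.sort(key=lambda f: (-f["cvss"], -f["days_open"]))
    return findings


def run_report():
    """Run the matcher over the constructed data with the assumed date."""
    return exposure_report(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for f in run_report():
        fix = f"update to {f['fixed_in']}" if f["fixed_in"] else "no fix yet: apply mitigations"
        print(f"{f['asset']:7s} {f['advisory']}  CVSS {f['cvss']}  open {f['days_open']} days  {fix}")
```

Two details matter for the obligation in the text. The `fixed_in` being `None` case is kept visible rather than dropped, because an advisory without a patch still needs a compensating control and a tracked deadline. And `days_open` is measured from the advisory's publication, not from when the team first noticed it, which is the honest way to measure how quickly new vulnerabilities are picked up.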

  • Manage users, roles and access rights in an easy and centralized manner

Preventing unauthorized access to user programs, the automation system and data during the stages of design and maintenance requires configuring user privileges and managing access. User management is often not centralized during engineering and especially during operation; individual access rights must nevertheless reflect the roles of users, which makes it more difficult to maintain consistency and to update projects when users change.

Implementing centralized user management involves just a few steps – importing users and groups from Microsoft Active Directory to the UMC server and connecting the TIA Portal engineering station to the UMC server. The users and groups can then be imported from the UMC server to the TIA Portal, and finally, the rights and roles are assigned locally.

Now that we have reached the end of this journey into the world of technology, do you think you have the information you need to meet the requirements of NIS 2, and achieve your goals for compliance? Skip to practice: request a preliminary consultation.
