Compliance with NIS 2 Directive Requirements

Consultancy for the application of the NIS 2 Directive
The NIS and NIS 2 Directives were created to incentivize EU states to adopt national cybersecurity strategies in response to security incidents affecting essential services.

Learn about compliance requirements for critical sectors

The NIS 2 Directive, scheduled to take effect on October 18, 2024 as an evolution of the 2018 Network and Information Security Directive, divides critical sectors into two different categories of significance:

  • Essential sectors, which include organizations larger than medium-sized enterprises that provide services in the sectors listed in Annex I, namely energy (electricity, oil, gas), transport (air, rail, water, road), healthcare, drinking water, wastewater, Public Administration, space activities, and digital infrastructures (including cloud computing services, DNS, content delivery network services)
  • Important sectors, which include medium-sized enterprises providing services in the sectors listed in Annex II; this category was not present in the first Directive and is newly brought under the legal obligations in this second revision
The following fall under essential services:

  • Energy (electricity, oil, gas)
  • Transport (air, rail, water, road)
  • Healthcare
  • Drinking water
  • Wastewater
  • Public Administration
  • Space activities
  • Digital infrastructures (including cloud computing services, DNS, content delivery network services)
The following fall under important services:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacture of medical devices and in vitro diagnostic medical devices
  • Manufacture of computers and electronic and optical products
  • Manufacture of electrical equipment
  • Manufacture of machinery and equipment n.e.c.
  • Manufacture of motor vehicles, trailers and semi-trailers
  • Manufacture of other transport equipment
  • Digital services, such as search engines and social networking platforms
Each of these entities is required to apply the measures listed in Article 21 (2), including, for example, the adoption of risk analysis and information system security policies, incident handling policies, basic cyber hygiene practices and training.
What we can do for you if your industry is considered critical:

Pending the transposition of the NIS 2 Directive, sector membership is determined by applying ATECO codes. Once it has been established that your industry falls into one of the categories listed in Annexes I and II of the Directive, our consultancy service begins with an initial audit to highlight the gaps that need to be addressed with respect to the obligations required under NIS 2 (Article 21).

The GAP Analysis:

  • The purpose is to analyze the status of the measures required by Article 21, their level of maturity and coverage, with reference to the cyber perimeter to be protected
  • What we do is evaluate the obligations under NIS 2 and how your organization currently responds to them
  • The end result is your awareness of the gaps with respect to NIS 2, for which we will help you estimate and plan corrective measures

Subsequent work phases, to be initiated step-by-step according to your needs:

1) Governance Support

  • Support in choosing the most suitable reference framework (NIST/IEC 62443) and integrations with ISO 27001
  • Definition of responsibilities, organizational charts and job descriptions for cybersecurity
  • Definition of methods and criteria for risk and security analysis of systems
  • Definition of procedures for incident management, impact mitigation and notification system
  • BIA analysis (ISO 22317) for operational continuity, business continuity and disaster recovery plans
  • Analysis and securing of the supply chain, definition of vendor qualification criteria
  • Change management, security in the acquisition, development and maintenance of systems
  • Definition of strategies, KPIs/KRIs and evaluation of the effectiveness of risk management measures
  • Definition of Policies for OT Systems
  • Training of staff involved in cybersecurity
  • Procedures for managing assets and documentation
  • Procedures for managing vulnerabilities and updating OT systems
  • Development of manuals for safety management systems and related documentation
  • Performance of periodic audits on the level of compliance and security
2) Technical Support

  • Cybersecurity risk assessment
  • Cybersecurity Site Assessment and vulnerability analysis
  • High Level Design on site architectures, addressing plans, segmentation and segregation of networks
  • Support for managing vendors and integrators, technical specification development, vendor verification and monitoring, FAT/SAT testing procedures on cybersecurity
  • Development of device Hardening plans
  • Patch Management, support in choosing the most suitable technical solutions according to the applications and vendors used
  • Support in choosing IDS, remote access, access management solutions

FAQ

The NIS 2 Directive stems from the revision of NIS to ensure the effective continuity of essential services in case of critical events; these services have over time become indispensable to digital transformation at the societal level and, inexorably, increasingly targeted by malicious intrusions. NIS 2 expands the scope to include further entities.

Operators already subject to NIS are also considered essential entities for the purposes of NIS 2; the updated Directive treats as critical all organizations larger than medium-sized enterprises that provide services in the sectors listed in Annex I, namely:

  • Energy (electricity, oil, gas)
  • Transport (air, rail, water, road)
  • Healthcare
  • Drinking water
  • Wastewater
  • Public Administration
  • Space activities

NIS 2 also adds medium-sized enterprises providing services in the sectors listed in Annex II, referred to as “important entities,” to the list of stakeholders.

It covers the following:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacture of medical devices and in vitro diagnostic medical devices
  • Manufacture of computers and electronic and optical products
  • Manufacture of electrical equipment
  • Manufacture of machinery and equipment n.e.c.
  • Manufacture of motor vehicles, trailers and semi-trailers
  • Manufacture of other transport equipment

The NIS 2 Directive will enter into force on October 18, 2024. Each Member State may decide to apply the concept of essentiality to other organizations, based on different security criteria (e.g., in the case of a sole provider or significant impact), and will have a certain period to transpose the NIS 2 Directive into national law and set fines for non-compliance with the Directive.

Why Choose us

  • We have gained experience in the OT Cyber Security field since 2014
  • We test every solution in our in-house OT Cyber Security laboratory
  • Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
  • Automation and OT Network Security are among our strongest competences
  • We have built a wide network of partnerships with the main international OT solution suppliers
  • Our BYHON internal division is an ISASecure® accredited certification body

For more information about this service or to request a quote