NIS2 and OT

Over the past decade, many industrial organizations have increasingly digitalized their environments to improve and streamline their operations. However, this modernization has also brought new opportunities for cybercriminals.

Operational technology (OT) networks are increasingly connected to IT networks, so cybercriminals and state-sponsored actors can now reach critical industrial processes and cause disruption or serious harm to society.

To address these threats, the NIS2 directive was introduced. Such legislation tells organizations how to approach cybersecurity and which measures they must implement to protect their assets from attack, and in doing so protects society as a whole from the severe consequences of such incidents.

The second version of the Network and Information Security Directive, known as NIS2 (Directive (EU) 2022/2555), is EU legislation aimed at strengthening the cybersecurity posture and resilience of the European Union. It establishes a minimum set of cybersecurity measures and requirements for essential and important entities, that is, operators of critical infrastructure and key supporting organizations, across the EU Member States. As a directive rather than a regulation, it is transposed into each Member State's national law.

NIS2 builds upon the foundations laid by its predecessor, the original NIS directive, by expanding its scope and introducing additional requirements in response to the increased frequency and impact of cyberattacks against critical infrastructure entities in recent years.

Many businesses already falling under the Slovak Cybersecurity Act (Act No. 69/2018 Z.z.), and thus under NIS1, are not overly concerned about NIS2, since they should already have cybersecurity measures in place; for them NIS2 changes relatively little. Sectors such as food production, postal and courier services and wastewater treatment, which have so far "avoided" the NIS requirements, are in a worse position: with NIS2 they will need to start building cybersecurity, many of them from scratch.

So, what does NIS2 require?

It requires relevant organizations to implement appropriate cybersecurity measures to ensure the security and resilience of their systems and networks. These measures cover areas such as risk and vulnerability management, supply chain security, incident response, and secure authentication. The directive also specifies how and when cyber incidents must be reported.

NIS2 emphasizes the inclusion of the following measures in each entity's risk management program:

  Policies on risk analysis and information system security

  Incident handling

  Business continuity, including backup management, disaster recovery, and crisis management

  Supply chain security, including aspects related to relationships between each entity and its direct suppliers or service providers

  Security in the acquisition, development, and maintenance of network and information systems, including the handling and disclosure of vulnerabilities

  Policies and procedures for assessing the effectiveness of cybersecurity risk management measures

  Basic cyber hygiene practices and cybersecurity training

  Policies and procedures related to the use of cryptography and, where appropriate, encryption

  Human resources security, access control policies, and asset management

  Use of multi-factor authentication or continuous authentication solutions

NIS2 places special attention on cyber incidents and introduces a staged reporting structure for significant incidents. Regardless of whether an incident is discovered by proactive monitoring or after the fact, an early warning must be submitted within 24 hours of the entity becoming aware of the incident, a fuller incident notification (with an initial assessment of severity and impact and, where available, indicators of compromise) within 72 hours of becoming aware, and a final report no later than one month after the incident notification. The early stages capture immediate details so that similar attacks on other entities can be contained, while the final report supports in-depth analysis by security analysts and resilience planning.

A cybersecurity incident is significant if it has caused or is capable of causing severe operational disruption of services or financial loss for the affected entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

In the early warning, entities must also indicate whether they suspect that the significant incident was caused by unlawful or malicious acts and whether it could have a cross-border impact.

Although the legislation provides detailed guidance, its effectiveness depends on how well entities understand attacks and their consequences. For example, critical infrastructure will need to quickly identify the potential impacts of incidents before or during their development—including scenarios such as loss of view and loss of control—that affect the operation of services and critical industrial processes. Stakeholders of each entity will need to assess the impact on the affected network and information systems, dependencies on these systems, and the expected duration and severity of service disruption.

Summary of the main measures defined by NIS2 for the OT environment:

1 | Incident Response Plan

Incident response planning is crucial: it lets organizations prepare for cyber incidents and rehearse their response before one happens. The plan should include cyber exercises, so that the organization can test its response to different types of security incident and minimize loss and damage, and it should hold up-to-date contact details for the whole incident response team, so they can act immediately when needed.

2 | Secure Architecture

Security strategies in OT networks usually begin by tightening the architecture: segmenting the control network into zones with defined conduits between them, removing external access points to the OT network, keeping strict control at the IT/OT perimeter (typically an industrial DMZ through which all IT-to-OT traffic, such as historian replication, is brokered), and mitigating high-risk vulnerabilities in control systems.

3 | OT Network Visibility and Monitoring

Knowing every network asset is essential, and this applies to IT, OT, mobile devices, and Bring Your Own Device (BYOD) equipment alike. You cannot protect what you cannot see, so all assets must be inventoried and continuously monitored, in OT ideally by passive observation of traffic, since active scanning can upset fragile controllers.
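The following is an added example, not code from the original article, showing what items 2 and 3 above look like when turned into something that runs: a passive asset inventory built only from observed flows, which then flags devices missing from the known baseline and IT hosts that reach control systems directly instead of through the DMZ conduit. The flow records, zone ranges, baseline and port-to-protocol mapping are all constructed assumptions for this example; in a real plant the flows would come from a sensor on a SPAN port or TAP.

```python
"""Passive OT asset inventory and perimeter check (added example).

The flow records below are constructed for this example. In a real deployment
they would come from a sensor fed by a SPAN port or network TAP (for instance
Zeek conn.log or NetFlow exports), so nothing is injected into the control
network. Zone ranges, baseline and protocol/port mapping are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed zone layout: control network, enterprise network, and the DMZ hosts
# (historian, jump host) that are the only allowed conduits across the perimeter.
OT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]
IT_ZONES = [ipaddress.ip_network("10.20.0.0/16")]
DMZ_HOSTS = {"10.10.250.10"}

# Well-known industrial protocol ports, used to infer an asset's role passively.
OT_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip", 20000: "dnp3", 4840: "opcua"}

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 502, 1200),      # HMI polling a Modbus PLC
    ("10.10.1.20", "10.10.2.6", 102, 900),       # HMI talking S7comm to a second PLC
    ("10.10.250.10", "10.10.2.5", 502, 4100),    # historian collecting from the PLC
    ("10.20.5.33", "10.10.250.10", 443, 8000),   # IT client reading the historian: allowed conduit
    ("10.20.7.41", "10.10.2.6", 102, 300),       # IT host straight to a PLC: perimeter bypass
    ("10.10.9.99", "10.10.2.5", 502, 150),       # device not in the baseline inventory
]

# Assets the plant knows about (assumed baseline from an earlier inventory run).
BASELINE = {"10.10.1.20", "10.10.2.5", "10.10.2.6", "10.10.250.10"}


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)   # e.g. "modbus-server", "s7comm-client"
    peers: set = field(default_factory=set)   # (dst_ip, dst_port) this asset connects to
    flows: int = 0


def in_zone(ip, zones):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zones)


def build_inventory(flows):
    """Derive assets and their roles from observed flows only (no active probing)."""
    assets = {}
    for src, dst, port, _ in flows:
        for ip in (src, dst):
            asset = assets.setdefault(ip, Asset(ip))
            asset.flows += 1
        if port in OT_PORTS:
            assets[dst].roles.add(f"{OT_PORTS[port]}-server")
            assets[src].roles.add(f"{OT_PORTS[port]}-client")
        assets[src].peers.add((dst, port))
    return assets


def findings(assets, baseline):
    """Flag unknown devices in the OT zone and IT hosts that bypass the DMZ conduits."""
    out = []
    for ip, asset in sorted(assets.items()):
        if in_zone(ip, OT_ZONES) and ip not in baseline:
            out.append(("new-ot-asset", ip))
        if in_zone(ip, IT_ZONES):
            for dst, port in sorted(asset.peers):
                if in_zone(dst, OT_ZONES) and dst not in DMZ_HOSTS:
                    out.append(("it-to-ot-direct", f"{ip}->{dst}:{port}"))
    return out


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for ip, a in sorted(inventory.items()):
        print(f"{ip:15} flows={a.flows:2} roles={sorted(a.roles)}")
    for kind, detail in findings(inventory, BASELINE):
        print(f"FINDING {kind}: {detail}")
```

Run against the constructed flows, the inventory shows the two PLCs as Modbus and S7comm servers and the HMI and historian as clients, and two findings come out: the unlisted device 10.10.9.99 talking Modbus inside the control network, and the enterprise host 10.20.7.41 reaching a PLC on TCP/102 without going through the historian conduit. The IT client that only reads the historian is not flagged, which is the point of defining conduits explicitly.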

4 | Secured Remote Access

With the ongoing trend of remote work and remote vendor maintenance, secure remote access is extremely important. Multi-factor authentication (MFA) on the remote access path is the key control, and remote sessions should terminate on a monitored jump server in the IT/OT DMZ rather than on the control systems themselves, so that every session is brokered, logged and time-limited. Where MFA cannot be enforced for a particular path, a jump server with targeted monitoring of its sessions is the minimum compensating control.

5 | Vulnerability Management

Knowing your weak points and having a plan to manage them is a key part of a secure OT architecture. Unlike IT systems, where patching is routine, taking production down in an OT environment to apply a patch can be costly, so a fix often has to wait for a maintenance window while a compensating control covers the gap. An effective OT vulnerability management program therefore needs timely awareness of the vulnerabilities relevant to the installed inventory and a proper risk assessment of each, ideally fed by passive scanners that do not disrupt the operation of control systems.
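As an added example (not from the original article), the following matches a small OT inventory against vendor advisories, ranks each match by a risk score that accounts for where the asset sits and whether it is safety-relevant, and decides per item whether the firmware update fits the next maintenance window or a compensating control has to be applied first. The inventory, the advisories and their identifiers are constructed placeholders, not real products or CVEs; the scoring weights are an assumption meant only to order the work.

```python
"""Prioritising vulnerabilities for an OT inventory (added example).

Inventory and advisories are constructed for this example; the advisory
identifiers are placeholders, not real CVEs. In practice the inventory comes
from a passive sensor and the advisories from vendor or CERT feeds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str
    product: str
    firmware: str
    zone: str               # "cell" (control network), "dmz", or "enterprise"
    safety_relevant: bool   # loss of control here can hurt people or equipment


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder identifier for this example
    vendor: str
    product: str
    fixed_in: str           # first firmware version containing the fix
    cvss: float
    remote: bool            # exploitable over the network
    mitigation: str         # vendor-style compensating control
    patch_outage_hours: float  # downtime the firmware update needs


def version_tuple(v):
    # Compare numerically: "2.10.0" must sort after "2.9.0", which plain
    # string comparison gets wrong.
    return tuple(int(p) for p in v.split("."))


def affected(asset, adv):
    return (asset.vendor == adv.vendor and asset.product == adv.product
            and version_tuple(asset.firmware) < version_tuple(adv.fixed_in))


# Assumed exposure weight by zone: a PLC reachable only from its cell is less
# exposed than a DMZ host, and far less than something IT hosts reach directly.
EXPOSURE = {"cell": 1, "dmz": 2, "enterprise": 3}


def risk_score(asset, adv):
    """CVSS adjusted for where the asset sits and what it can do; for ranking only."""
    score = adv.cvss * EXPOSURE[asset.zone]
    if adv.remote:
        score *= 2
    if asset.safety_relevant:
        score *= 2
    return score


def plan(inventory, advisories, window_hours):
    """Match advisories to assets, rank by risk, and decide per item whether the
    fix fits the next maintenance window or a compensating control comes first."""
    items = []
    for asset in inventory:
        for adv in advisories:
            if not affected(asset, adv):
                continue
            fits = adv.patch_outage_hours <= window_hours
            items.append({
                "asset": asset.ip,
                "advisory": adv.advisory_id,
                "risk": risk_score(asset, adv),
                "action": "patch" if fits else "mitigate",
                "note": (f"update to {adv.fixed_in} in next window" if fits
                         else f"{adv.mitigation}; schedule a {adv.patch_outage_hours}h outage"),
            })
    items.sort(key=lambda i: i["risk"], reverse=True)
    return items


# Constructed data for the example.
INVENTORY = [
    Asset("10.10.2.5", "ExampleCo", "PLC-X", "2.1.0", "cell", True),
    Asset("10.10.2.6", "ExampleCo", "PLC-X", "2.3.0", "cell", True),      # already fixed
    Asset("10.10.250.10", "ExampleCo", "Historian", "5.0.2", "dmz", False),
    Asset("10.10.2.7", "OtherCo", "RTU-9", "1.4.1", "cell", False),
]
ADVISORIES = [
    Advisory("ADV-EX-001", "ExampleCo", "PLC-X", "2.2.0", 9.8, True,
             "block TCP/102 from outside the cell zone", 6),
    Advisory("ADV-EX-002", "ExampleCo", "Historian", "5.1.0", 7.5, True,
             "disable the web interface", 1),
    Advisory("ADV-EX-003", "OtherCo", "RTU-9", "1.5.0", 6.5, False,
             "restrict physical and serial access", 8),
]

if __name__ == "__main__":
    for item in plan(INVENTORY, ADVISORIES, window_hours=4):
        print(f"{item['risk']:5.1f} {item['asset']:13} {item['advisory']} "
              f"{item['action']}: {item['note']}")
```

With a 4-hour maintenance window, the safety-relevant PLC on old firmware ranks highest but its 6-hour update does not fit, so the plan records the compensating control (blocking TCP/102 at the cell boundary) and keeps the item open for a longer outage; the DMZ historian is patched in the window; the PLC already on 2.3.0 produces no item at all. The version comparison is done on integer tuples because string comparison would wrongly treat firmware "2.10.0" as older than "2.9.0".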