Five Things Critical Infrastructure Owners Need to Know About the NIS2 Directive

Elevating Cyber Resilience

An increasingly harsh reality in our modern world is that critical infrastructure operational technology (OT) isn’t protected the way it should be. As cyber threats grow more sophisticated, the European Union (EU) Network and Information Security 2 (NIS2) Directive represents a significant step forward in protecting critical infrastructure. It’s not just about compliance—it’s about creating resilient and secure systems.

The NIS2 Directive builds on previous EU mandates, focusing on fortifying cybersecurity across critical sectors. While the first directive, NIS1, laid a foundation, NIS2 introduces stricter standards and expands its reach to 18 sectors including energy, transportation, healthcare, and telecommunications. This is no longer just about safeguarding data; it’s about protecting physical assets and national security from disruptions that cyber incidents can cause.

Here’s what owners and operators of critical infrastructure need to know to prepare for and comply with the NIS2 Directive:

1. Who needs to comply with NIS2?

The directive applies to both EU-based organizations and non-EU companies engaging with EU entities, underscoring its global implications. Compliance is multifaceted, demanding robust risk management, incident response and supply chain oversight. There are also significant consequences for non-compliance, including fines of up to €10M (equivalent to over $10M U.S. dollars). As organizations align with NIS2, it’s key to remember that compliance alone isn’t enough to secure critical infrastructure; it’s just the starting point for a much-needed cultural shift toward proactive security.

2. How important is risk management to NIS2?

At the heart of NIS2 is risk management, which involves identifying and prioritizing vulnerabilities so that resources can be allocated effectively. Knowledgeable cybersecurity experts help critical infrastructure organizations build triage systems, ensuring efforts focus on high-impact risks. This approach enables organizations to implement controls based on the potential consequences of each risk, aligning with NIS2’s objectives while optimizing resource use.

3. How does NIS2 aim to protect operational continuity?

A key component of the directive is the need for effective incident response plans. It’s also important for these incident response plans to cover both intentional attacks and unintentional mistakes; not all cybersecurity issues are malicious, but they must be mitigated nonetheless. Real-time monitoring and robust response protocols enable critical infrastructure operators to quickly identify and mitigate threats, minimizing potential physical and operational damage. Incident response plans should be established to empower organizations to act swiftly, reducing the impact of both cyberattacks and unintentional incidents caused by third parties.

4. How does NIS2 address supply chain security?

With supply chain vulnerabilities increasingly exploited by cyber adversaries, NIS2 mandates a proactive stance on assessing third-party risk. Evaluating supply chain security helps organizations mitigate risks at every stage, from procurement to deployment. This thorough assessment process ensures that all components of critical infrastructure adhere to a unified security standard.

5. What is the global impact of NIS2?

NIS2 applies to all companies who do business with EU entities, regardless of where they are based. Understanding and complying with NIS2 is essential for business continuity—and legally required. The directive pushes for a collaborative, international approach to cybersecurity. Cybersecurity experts can help organizations navigate these cross-border requirements, facilitating compliance and fostering trust with EU-based partners.

Beyond Compliance: A Proactive Stance for the Future

While NIS2 is a significant leap forward, it’s just one step in the evolving landscape of cybersecurity regulation. Black & Veatch advises organizations to view compliance as a baseline, not the endpoint. Investing in industrial cybersecurity today means building a foundation resilient enough to handle tomorrow’s threats, protecting infrastructure, people and communities from both anticipated and unforeseen challenges.

Black & Veatch’s focus on safety offers critical infrastructure operators a comprehensive path to resilience. Our Cyber Asset Lifecycle Management (CALM) services integrate industrial cybersecurity early in the project lifecycle, increasing the visibility, control and flexibility of your systems while driving down costs.

To stay resilient and comply with evolving regulations, critical infrastructure organizations should consider leveraging Black & Veatch’s CALM services to bridge the gap from where you are in your cybersecurity journey to where you want to go. Learn more about Black & Veatch’s industrial cybersecurity solutions here.
