
The NIS2 directive for increased cybersecurity – how will it impact your company?

April 2023


NIS2 (Directive (EU) 2022/2555) is the EU's updated directive on the security of network and information systems. It aims to raise the cybersecurity of critical infrastructure across the Union and requires in-scope entities in the member states, including many manufacturers, to take appropriate and proportionate measures to manage the risks posed to the security of their network and information systems.

Member states must transpose NIS2 into national law by 17 October 2024, after which in-scope organizations within the EU must comply with the new requirements.


What you need to know about NIS2

Read on to learn what your company needs to do to prepare, and how Secomea’s secure remote access solution can help you ensure compliance with NIS2 regulations.

Who does NIS2 apply to?

The impact of NIS2 on companies and organizations depends on their sector and on how critical their services are. NIS2 classifies in-scope organizations as either essential or important entities (replacing the "operators of essential services" and "digital service providers" of the first NIS directive); both categories must meet the directive's cybersecurity requirements, such as risk management, incident handling and reporting, and regular assessment of the effectiveness of their security measures.

The NIS2 Directive covers entities from the following sectors:

Sectors of high criticality (Annex I)

Energy: Electricity, district heating and cooling, oil, gas, and hydrogen.

Transport: Air, rail, water, and road.

Banking and financial market infrastructure: Credit institutions, trading venues, and central counterparties.

Health: Healthcare providers, EU reference laboratories, and manufacturers of basic pharmaceutical products and preparations, including vaccines, as well as manufacturers of medical devices considered critical during a public health emergency.

Drinking water and waste water: Water treatment, supply and distribution companies, and undertakings collecting, disposing of or treating urban, domestic or industrial waste water.

Digital infrastructure: Internet exchange points, DNS service providers, TLD name registries, cloud computing and data centre service providers, content delivery networks, trust service providers, and public electronic communications networks, etc.

ICT service management (business-to-business): Managed service providers and managed security service providers.

Public administration: Central and regional government entities (member states may also include local authorities).

Space: Operators of ground-based infrastructure that supports space-based services.

Other critical sectors (Annex II)

In addition to the sectors of high criticality, the NIS2 Directive also applies to postal and courier services; waste management; manufacture and distribution of chemicals; production, processing and distribution of food; manufacturing of medical devices, computers and electronics, electrical equipment, machinery and equipment, motor vehicles and other transport equipment; digital providers such as online marketplaces, search engines and social networking platforms; and research organizations.

Note: The above overview of sectors is abbreviated – see Annexes I and II of the directive for the full list, and note that an entity's size (generally medium-sized or larger) also determines whether it is in scope.

How do I ensure compliance as a manufacturer?

As a manufacturer, here are some steps you can take to ensure compliance with the NIS2 directive:

  • Conduct a risk assessment: Evaluate the risks to the security of your network and information systems, including risks introduced by suppliers and service providers. Consider the impact of potential incidents on the availability, integrity, and confidentiality of your systems and on the services that depend on them.
  • Implement appropriate security measures: Develop and implement technical, operational and organizational measures that are proportionate to the risks identified. Article 21 of the directive names the minimum areas these must cover, including incident handling, business continuity and backup management, supply chain security, secure acquisition, development and vulnerability handling, cyber hygiene and training, cryptography, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate. Assess the effectiveness of these measures regularly.
  • Ensure continuous monitoring: Monitor your network and information systems for security incidents, and take appropriate measures to prevent, detect and mitigate them.
  • Report security incidents: Report significant incidents to the relevant national CSIRT or competent authority within the directive's deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
  • Establish management accountability: NIS2 makes the management body responsible for approving and overseeing the cybersecurity risk-management measures, and requires its members to undergo training. An entity that is not established in the EU but offers services there must designate a representative in the Union, since the competent authorities themselves are designated by the member states.
  • Keep records: Maintain records of your compliance with the NIS2 directive, including risk assessments, security measures, and incident reports.

By following these steps, you can help ensure compliance with the NIS2 directive as a manufacturer. 

How the Secomea Solution can help ensure NIS2 compliance

Secomea’s secure remote access solution can support your compliance with the NIS2 directive in several ways. With the Secomea Solution you get:

  1. Access to critical systems and data for authorized personnel from remote locations, without compromising security.
    This is particularly important for manufacturers who have distributed teams, contractors, or service providers that need to access production environments or critical infrastructure. 
  2. Granular control over user access and permissions.
    You can ensure that only authorized users are allowed to access critical systems, and that they can do so only with the appropriate level of access. 
  3. Robust monitoring and logging capabilities.
    You can track and audit user activity to support compliance with NIS2 and other regulatory requirements.
  4. State-of-the-art cybersecurity.
    The Secomea secure remote access solution helps you safeguard your networks against cyberattacks, including those that are specifically targeting the manufacturing industry.  

By deploying the Secomea Solution, you can establish a strong defense against cyberthreats by enabling secure, controlled access to critical systems, providing monitoring and auditing capabilities, and enhancing overall cybersecurity for your company. 

What happens if a company does not comply with NIS2?

Organizations that fail to comply with the NIS2 directive may face supervisory measures and administrative fines, which could have significant financial and reputational consequences. The directive sets maximum fines of at least €10 million or 2% of total worldwide annual turnover for essential entities, and at least €7 million or 1.4% for important entities, whichever is higher. Conversely, companies that invest in improving their cybersecurity posture and complying with NIS2 may benefit from improved customer trust, increased resilience against cyber threats, and a competitive advantage.


Cybersecurity has never been more important 

The reason behind the new NIS2 rules, as stated by the European Parliament Think Tank, is to respond to the growing threats posed by digitalisation and to the surge in cyberattacks worldwide.

Indeed, cybersecurity is more important than ever due to the increasing reliance on technology across sectors. As the world becomes increasingly digitized, companies become more vulnerable to cyber threats. 

Manufacturers are no exception to this trend, as they rely heavily on technology to automate production processes, manage supply chains, and communicate with customers. As such, they are exposed to cyber risks that can impact not only their bottom line but also their reputation and customer trust. 

For Secomea, security is the cornerstone of our remote maintenance solution, which is tailored to the automation industry. Security is built in, not bolted on, and designed from the ground up to meet both operational technology (OT) and IT requirements. A crucial part of that is our secure development practice and the security controls in the product.

Secomea has pursued and undergone audits for compliance with the IEC 62443-3-3 and IEC 62443-4-2 standards for many years. However, we also recognize the importance of staying up to date with emerging standards and regulations. Recently, Secomea achieved certification of our compliance with IEC 62443-4-1, meaning we are committed to following the requirements for Security Development Lifecycle Assurance (SDLA). The standard requires security concerns to be addressed proactively at an early stage of the product lifecycle, which ensures that security measures are built into the product rather than added afterwards.

“In light of the upcoming NIS2 directive and EU Cyber Resilience Act, providing our customers with proof of certification as a result of a successful assessment is not only important for maintaining trust, but it has become a business-critical requirement. Our commitment to meeting these standards is unwavering, and we will continue to prioritize the security and trustworthiness of our solution for our customers’ benefit.”
– Anette Svendsen, Compliance Project Manager at Secomea

Don’t hesitate to reach out if you want to learn more about what NIS2 will mean for your company, and how Secomea can help increase your uptime and cybersecurity. 
