Operators of critical infrastructure are digitalising and automating industrial systems to make society safer, bring down costs, and increase efficiency, but digital transformation comes with both risk and opportunity. With manufacturing being the world's most cyber-attacked industry, according to IBM, there is far more at stake than reputations and balance sheets when it comes to security.
Below, Manufacturing Digital speaks to Jalal Bouhdada, Global Segment Director for Cyber Security at DNV and Founder of Applied Risk, to discuss the new NIS2 directive.
What does the NIS2 mean for manufacturers?
To strengthen the cyber security of critical infrastructure in Europe, the European Union (EU) adopted the Network and Information Security 2 (NIS2) Directive in January 2023. While EU member states have until October 2024 to transpose NIS2 into national regulation, for companies operating across member states it represents a complex task that will take many months to prepare.
Companies with industrial operations that have not yet prioritised cyber security will be driven to do so by this tightening regulation. For example, organisations providing essential services – such as energy, drinking water, transport, and healthcare – in the EU, will soon face tougher cyber security regulation than ever, with the threat of more and greater fines and/or withdrawal of their license to operate if they do not comply.
The revised NIS2 Directive strengthens cyber security requirements for companies. It introduces top management accountability for non-compliance and streamlines reporting obligations. Crucially, it is likely to make individual businesses responsible for addressing cyber security risks in supply chains and supplier partnerships.
What is new with NIS2 compared to NIS?
NIS2 builds on the Network and Information Security (NIS) Directive which has been in force since 2018. The first regulation of its kind across the EU, it was designed to combat the increasing and evolving threats that companies face.
While its initial iteration, NIS, sets out a framework, NIS2 is about regulation and enforcement. This reflects how operators of essential services need more than ever to manage the cyber risk posed to both their IT and OT (Operational Technology).
The directive will expand the scope of regulation to new industrial sectors managing critical infrastructure. Organisations need to pay close attention to whether they – or the companies they supply – fall within NIS2's expanded scope. In-scope businesses should monitor how NIS2 is implemented in the important EU jurisdictions where they conduct business. Many will need to invest to strengthen their cyber security. For instance, the European Commission anticipates that organisations' ICT security spending will increase by up to 22% in the first few years following the introduction of NIS2.
What opportunities lie ahead for manufacturers?
Although the new NIS2 Directive is about resilience and enforcement, it represents an opportunity for companies to future-proof the cyber security of their IT and operational technology (OT). Ultimately, the directive will lead to a more joined-up, cross-industry approach to fighting cybercrime in the EU.
To assist planning and decision-making, DNV has published its NIS2 Directive Whitepaper summarising what NIS2 requires and proposing a three-step readiness approach to prepare for compliance.
Over the coming months, companies must embrace what may seem a daunting challenge and welcome the tightening of regulation. It is an opportunity to consider the financial, technological, and human resources needed to ensure the safety and reliability of EU critical assets.
Such investment in cyber security will help ready organisations for future digital transformations, but regulatory compliance does not guarantee cyber resilience. Operators of critical infrastructure and their suppliers will need to think beyond compliance to stay ahead of the threat.
They can also stay ahead of the competition, as the view of cyber security shifts from a cost of doing business to an investment in competitiveness and sustainable business.