Blog / 8 min read
The first European Union (EU)-wide law on cybersecurity, the NIS Directive (Directive 2016/1148/EC), came into effect in 2016 and helped to improve the level of security of networks and information systems across the EU. The NIS Directive paved the way for a significant change in mindset in relation to the institutional and regulatory approach to cybersecurity in many Member States. However, since the implementation of NIS, digital transformation, intensified by the COVID-19 pandemic, has expanded the threat landscape and brought about new challenges which required adapted and innovative responses. As the number of cyber attacks continued to rise, with increasingly sophisticated attacks coming from a wide range of sources inside and outside the EU, the NIS2 Directive was created to ensure stronger cybersecurity measures and enforcement across the EU.
The NIS2 Directive is a piece of legislation that aims to enhance the cyber resilience of critical infrastructure in the EU by establishing a minimum set of cybersecurity requirements that all EU member states must impose on their respective in-scope entities. NIS2 replaces and builds upon its predecessor, the original NIS Directive, with an expanded scope and additional requirements developed in response to increases in the frequency and impact of cyberattacks against EU critical infrastructure in recent years.
NIS2 provides legal measures to boost the level of cyber-resilience and incident response capacities of a comprehensive set of businesses operating in the EU. The NIS2 Directive extends significantly the scope of the original NIS Directive by adding new sectors such as manufacturing of certain critical products, food, and waste management. It establishes that all active medium-sized and large entities covered by the NIS2 framework have to comply with the security rules, and removes the possibility for member states to customize the requirements, which was permitted in the original NIS Directive. NIS2 also improves cybersecurity risk management and introduces reporting obligations across sectors such as energy, transport, health, and digital infrastructure. NIS2 was formally adopted by Parliament in November 2022 and entered into force on 16 January 2023 — leaving Member States until October 2024 to transpose its measures into national law. With limited time left to prepare, it is important for organizations to understand who NIS2 impacts, if penalties for noncompliance will be enforced, and how they can seek guidance from trusted advisors to assist with implementation.
NIS2 impacts all entities that operate in the EU, employ at least 50 people or exceed €10 million in revenue, and are deemed critical to society. The directive categorizes all in-scope entities as either essential — which covers sectors such as energy, healthcare, transport, and water — or important — which covers sectors such as manufacturing, food, waste management, and postal services. These important and essential entities must take at least the following 10 measures aimed at protecting network and information systems, and the physical environment of those systems, from incidents:
policies on risk analysis and information system security
incident handling (prevention, detection, and response to incidents)
crisis management and business continuity, such as backup management and disaster recovery
supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers
security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures
basic cyber hygiene practices and cybersecurity training
policies and procedures regarding the use of cryptography and, where appropriate, encryption;
human resources security, access control policies and asset management
the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
If organizations fail to comply with the requirements of NIS2, management bodies of the essential and important entities may be held liable for noncompliance. NIS2's noncompliance penalties vary based on an entity's categorization. Essential entities will face fines up to €10 million or at least 2% of the total annual worldwide turnover in the entity's previous fiscal year. While important entities will face fines up to €7 million or at least 1.4% of the total annual worldwide turnover in the entity's previous fiscal year. To ensure effective compliance, organizations can work with a trusted advisor who can provide guidance on how to effectively adhere to the NIS2 Directive.
Claroty’s cyber-physical systems (CPS) cybersecurity portfolio both supports and simplifies NIS2 compliance by extending robust protection, monitoring, and other cyber risk management controls to all CPS — including those that underpin the essential and important services provided by EU entities deemed in-scope for NIS2. Specifically, Claroty assists organizations on their road to NIS2 compliance by helping to support the 10 key measures to manage and mitigate cyber risks we discussed above. The support Claroty provides for these requirements includes:
Claroty discovers and assesses all assets, systems, vulnerabilities, and cyber and operational risks in CPS environments and uses this extensive visibility to automatically define and enable the enforcement of network security policies that mitigate exposure to such risks.
Claroty continually monitors the entire CPS environment for the earliest indicators of known and unknown threats, contextualizes all alerts to optimize response, and integrates with SIEM, SOAR, and related solutions to extend existing SOC workflows across all CPS.
Claroty delivers a comprehensive, real-time inventory for all CPS, logs all asset and network changes and anomalies, defines and enables enforcement of network segmentation policies and access controls that help protect against and contain incidents, and offers ready-made integrations with backup and recovery tools — all of which help drive and improve entity-wide crisis management and continuity efforts.
Claroty correlates all CPS against the latest CVEs and other weaknesses, continually assesses risk in the CPS environment, and provides secure-yet-frictionless remote access to OT for all internal and third-party users, enabling customers to effectively and efficiently assess, manage, and mitigate third-party risk across their supply chains.
Claroty correlates all CPS against the latest CVEs, misconfigurations, and other weaknesses in real-time, continually assesses risk exposure in the entire CPS environment, and provides highly secure-yet-frictionless remote access to OT for all internal and third-party personnel, enabling customers to effectively and efficiently assess, manage, and mitigate cyber risk across their environments.
Claroty offers a custom risk-scoring mechanism, the ability to simulate the impact of risk remediation measures, proactive monitoring and historical assessments to measure how respective controls impact enterprise-wide risk posture over time, and flexible reporting to simplify the communication of this information for stakeholders across disciplines.
Claroty’s risk reporting and simulation include remediation recommendations that help inform cyber hygiene and training needs. Additionally, Claroty’s SRA solution enables easy enforcement of role-based access controls (RBACs), password policies, and other cyber hygiene practices among both internal and third-party personnel.
Claroty encrypts all user-, CPS-, and other system-related data in accordance with NIS2, GDPR, and other regulatory requirements. Claroty also alerts on events in which sensitive data, such as personal health information (PHI), is processed against policies or otherwise, enabling customers to preempt incidents involving potential data exposure.
Claroty’s risk mitigation recommendations help inform and priorities cyber hygiene and access control policies. Additionally, Claroty’s secure remote access (SRA) solution enables easy enforcement of RBAC, password policies, and other cyber hygiene practices for internal and third-party personnel. Claroty’s seamless integration with CMDB, CMMS, and related solutions enables easy extension of existing asset management workflows to all CPS entity-wide.
Claroty SRA offers Zero Trust-based access controls including granular RBAC and MFA for all internal and third-party OT personnel, as well as secure remote and onsite access to all CPS within OT environments with the added peace of mind of high availability, an OT purpose-built UX, and full recordings to support audits, forensics, and related use cases.
As an often-overlooked risk blind spot for critical infrastructure entities and other industrial, healthcare, commercial, and public sector organizations, CPS are imperative to secure not only because doing so is required by NIS2 and other regulations — but also because the health, safety, and stability of our society rely on CPS. With the help of a trusted advisor, like Claroty, organizations can ensure they are securing the OT assets, IoT and IIoT devices, building management systems (BMS), and internet of medical things (IoMT) devices that underpin their critical environments, as well as ensure compliance with the NIS2 Directive. As we now understand, compliance with NIS2 can be complex and difficult to make sense of with such a short window for compliance, that's why it is essential to work with a trusted partner to minimize regulatory risk while driving resilience across critical operations and infrastructure.