NIS2: A New Cybersecurity Paradigm in Europe

Posted by Matias Almeida Garzon


Evolving Cybersecurity Mechanisms

The past decade has been a turbulent period for cybersecurity regulation in the European context. In summary, the European Union relies on three regulatory assets to guide its Digital Single Market Strategy.

The European Union Agency for Cybersecurity (ENISA) is the original governing body that regulates and advises on network and information security matters. The EU GDPR is the general data protection and privacy law. Finally, the NIS Directive is concerned with the security of networks and information systems.

The European Parliament approved NIS in 2016, giving member states a set period to transpose the directive into their own national laws and guarantee enforcement. The overarching goal behind the initiative was to strengthen cybersecurity measures within the EU.

In November 2022, the NIS 2 directive was approved. It applies to digital service providers (DSP) and operators of essential services (OES), a category that includes energy operators. The legislation will come into effect in October 2024, and utilities need to start drafting implementation roadmaps as soon as possible to meet the requirements in time.

It is important to mention that the directive would have no legal repercussions in the UK; nevertheless, the government is expected to update its own sovereign national legislation to avoid falling behind in terms of cybersecurity measures and resilience capabilities.


NIS 2 in a Nutshell

It is important to acknowledge the geopolitical pressures behind the initiative to upgrade cybersecurity regulation. The power grid has grown increasingly vulnerable as intelligent electronic devices (IEDs), an expanding IoT footprint and remote-control applications continue to be deployed. The 2016 ransomware attack on the Ukrainian power supply provided evidence of the concerning turn this scenario has taken.

NIS 2 introduces stricter risk management protocols, together with a set of incident response and reporting obligations. The new, stricter supervisory and enforcement measures are designed to guarantee the integrity of the energy supply chain and to standardise sanctions across the EU.

It is important to note that the directive does not force utilities into a one-size-fits-all solution; rather, it encourages them to conduct self-assessments that will shed light on the most appropriate path for each organisation. Nevertheless, it does recommend the adoption of technology standards such as IEC 62443 and ISO 27001 to assist with the technical aspects of the challenge.


Risk Management Practices

The European Union created the crisis management structure Cybersecurity Competence Centre and the Network of National Coordination Centres, known by the shorter name EU-CyCLONe. Operated by ENISA, its mission is to improve cybersecurity-related cooperation and coordination among EU member states, relevant regulatory bodies, and other interested parties. It will operate as a forum for exchanging information on cyber threats and incidents as well as best practices.

In the same direction, compliance is encouraged by substantial fines for failure to abide by the legal requirements. Fortinet reports that fines could amount to a total of 10 million euros or the equivalent of 2% of the organisation's global revenue.


Current State and Road for the Future

The relevance of NIS 2 simply cannot be overstated: news outlets report a total of 160 thousand organisations across 15 sectors falling under the operators of essential services (OES) label. In many respects, meeting the new requirements will represent a herculean task given the current state of cyber resilience measures in the sector.

The Fortinet white paper acknowledges this situation by highlighting the following concerning statistics:

- 32% of the European energy sector does not monitor any OT service.
- 52% monitor both IT and OT operations through a single security operations centre (SOC).
- Less than 20% of utilities, only 16%, have established SOCs exclusively monitoring OT operations.

The landscape is certainly challenging, but the reality is that most of the necessary elements are already on the table. Organisations need to get an early start and plan roadmaps that incorporate the broad range of resources available: cybersecurity standards, liaising with technology service providers, and facilitating dialogue with fellow industry players.