Any organisation operating within Critical National Infrastructure (CNI) has many regulations with which to comply. One of these is the NIS2 Directive, which came into force across the European Union in January 2023 (EU Member States have until 17 October 2024 to transpose its measures into national law) in response to the growing threats posed by digitalisation and cyber-attacks.
NIS2 is targeted at essential CNI sectors such as energy, transport, banking and digital infrastructure. However, the full scope of sectors has expanded significantly compared to the original NIS Directive to now include other critical sectors such as space, waste water, food, and manufacturing. Even IT service providers fall under NIS2’s extended remit.
Essentially, NIS2 delivers a more extensive and harmonised set of cybersecurity rules with the aim of improving collective cyber resilience, primarily focusing on enhancing governance and cybersecurity management. It addresses supply chain security, and introduces stricter incident reporting and enforcement requirements – including significant financial penalties for non-compliance similar to GDPR. It also brings about improved sharing and cooperation: specifically, the European Union Agency for Cybersecurity (ENISA) is mandated to implement a European vulnerability disclosure database to facilitate sharing of such information across European Union states.
As such, the Directive puts increased pressure on CNI organisations to establish various technical and operational processes in order to safeguard their systems, mitigate cyber threats, and boost resilience. So, what does this all mean in terms of ensuring compliance?
Levelling up cyber
Given the growing rate of cyber threats as CNI infrastructure has become ever-more digital and connected over the last decade, CNI organisations should already have a solid foundation of digital resilience in place. However, there are always improvements that can be made to enhance cybersecurity posture.
A key focus of NIS2 is encouraging organisations that form part of their nation’s critical infrastructure to recognise their responsibility in supporting a safe and prosperous society. Within the context of NIS2, this starts by understanding the requirements and how NIS2 differs from the previous NIS Directive. The next step involves assessing current levels of cybersecurity maturity and determining how the cyber threats faced as a CNI organisation can be appropriately mitigated.
Organisations should also focus on the following key areas:
- Risk management: this involves implementing policies and procedures to more effectively identify, assess and mitigate risks. What is the organisation’s level of risk? What could an attack look like? Where might vulnerabilities lie? Are there potential supply chain risks to be addressed? These are all critical questions that must be answered. A key point included in NIS2 is that “Cybersecurity risk-management measures should be proportionate to the degree of the essential or important entity’s exposure to risks and to the societal and economic impact that an incident would have.”
- Incident prevention and response: organisations are obligated to report serious incidents to the relevant authority and customers within strict timeframes (24 hours for early warning to competent authorities and 72 hours for a fuller incident notification). Therefore, they must take steps to prevent attacks based on a thorough risk analysis, and develop a robust incident response plan for use in the event of a successful intrusion. Organisations should also build crisis management capabilities and decide how vulnerabilities and their disclosure will be handled.
- The human factor: organisations can’t afford to overlook the importance of enhancing employee training and awareness, both for spotting potential attacks and for reporting and responding to incidents. What’s more, every organisation should have a dedicated person (or team) accountable for compliance who fully understands their responsibilities.
- General digital hygiene: this covers things like ensuring sufficient multifactor authentication, implementing comprehensive data handling and password policies, and ensuring these are applied throughout the entire organisation. These are all critical steps on the journey to NIS2 compliance.
How BAE Systems can help
Our cyber specialists have vast experience of helping CNI organisations understand and manage cyber risk. They understand both the threat landscape and the sector-specific challenges facing CNI organisations of all shapes and sizes.
This includes: ensuring the security of customer and staff personal and financial data, which are attractive targets for cyber-criminals; protecting against the threat of ransomware attacks, particularly those designed to take critical operational technology systems offline and disrupt critical CNI services; and modernising legacy IT systems to help CNI organisations securely transition to cloud services or SaaS providers.
For example, our Security Threat and Risk Assessment (STARA®) framework combines the domains of technical, cyber, personnel and physical security to deliver a comprehensive analysis of an organisation’s exposure to attack. The flexible and robust methodology identifies organisational threats, measures maturity against the world’s most advanced threat actors, and delivers specific and actionable recommendations.
NIS2 compliance will soon be a necessity for all CNI organisations. As such, the time to start assessing existing infrastructure and building compliance is now. With cyber threats only going to increase in volume and sophistication over the coming months and years, NIS2 can act as a focus for cyber security investment as organisations work to increase their resilience and manage the risks they face from both cyber criminals and nation state threats.
We believe that strong digital defences come from security of both the Enterprise and the Nation
Understanding the evolving threat landscape is a key part of maintaining robust defences. BAE Systems' Threat Intelligence team generates original insights through research and collaboration with customers and partners.