NIS 2 Directive Compliance
If you are either an essential or an important organization, learn about compliance requirements
The NIS and NIS 2 Directives were created to incentivize EU states to adopt national cybersecurity strategies in response to security incidents affecting essential services.
The NIS 2 Directive, scheduled to take effect on October 18, 2024 as an evolution of the 2018 Network and Information Security Directive, divides critical sectors into two different categories of significance:
- Essential entities: organizations larger than medium-sized enterprises that provide services in the sectors listed in Annex I (energy, transport, healthcare, drinking water, wastewater, public administration, space activities and digital infrastructures)
- Important entities: medium-sized enterprises that provide services in the sectors listed in Annex II, a category that was not present in the first Directive and that this second revision brings under the legal obligations
The following fall under essential services:
- Energy (electricity, oil, gas)
- Transport (air, rail, water, road)
- Healthcare
- Drinking water
- Wastewater
- Public Administration
- Space activities
- Digital infrastructures (including cloud computing services, DNS, content delivery network services)
The following fall under important services:
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing, and distribution of food
- Manufacture of medical devices and in vitro diagnostic medical devices
- Manufacture of computers and electronic and optical products
- Manufacture of electrical equipment
- Manufacture of machinery and equipment n.e.c.
- Manufacture of motor vehicles, trailers and semi-trailers
- Manufacture of other transport equipment
- Digital services, such as search engines and social networking platforms
Each of these entities is required to apply the measures listed in Article 21(2), including, for example, policies on risk analysis and information system security, incident handling policies, basic cyber hygiene practices and cybersecurity training.
What we can do for you if you are either an essential or an important organization:
Pending the transposition of the NIS 2 Directive, your sector is identified by its ATECO code. Once we have confirmed that the sector in which you operate falls into one of the categories listed in Annexes I and II of the Directive, our consultancy service begins with an initial audit to highlight the gaps that need to be addressed with respect to the obligations under NIS 2 (Article 21).
The GAP Analysis:
- The purpose is to analyze the status of the measures required by Article 21, together with their level of maturity and coverage, with reference to the cyber perimeter of the infrastructure to be protected
- What we do is evaluate the obligations under NIS 2 and how you currently respond to them
- The end result is a clear picture of your gaps with respect to NIS 2, for which we will help you estimate and plan remediation measures
Subsequent work phases, to be initiated step-by-step according to your needs:
1) Governance Support
- Support in choosing the most suitable reference framework (NIST/IEC 62443) and integrations with ISO 27001
- Definition of responsibilities, organizational charts and job descriptions for cybersecurity
- Definition of methodologies and criteria for risk and security analysis of systems
- Definition of procedures for incident management, impact mitigation and notification system
- BIA analysis (ISO 22317) for operational continuity, business continuity and disaster recovery plans
- Analysis and securing of the supply chain, definition of vendor qualification criteria
- Change management, security in the acquisition, development and maintenance of systems
- Definition of strategies, KPIs/KRIs and evaluation of the effectiveness of risk management measures
- Definition of Policies for OT Systems
- Training of staff involved in cybersecurity
- Procedures for managing assets and documentation
- Procedures for managing vulnerabilities and updating OT systems
- Development of manuals for security management systems and related documentation
- Performance of periodic audits on the level of compliance and security
2) Technical Support
- Cybersecurity risk assessment
- Cybersecurity Site Assessment and vulnerability analysis
- High-level design of site architectures, IP addressing plans, network segmentation and segregation
- Support for managing vendors and integrators: development of technical specifications, vendor verification and monitoring, FAT/SAT testing procedures for cybersecurity
- Development of device hardening plans
- Patch management: support in choosing the most suitable technical solutions for the applications and vendors in use
- Support in choosing IDS, remote access, access management solutions
Try our consulting options to reach your goals.
Why choose us
We have gained experience in the OT Cyber Security field since 2014
We test every solution in our in-house OT Cyber Security laboratory
Our specialists are IEC 62443/ISA 99-certified personnel (Fundamentals Specialist and Cyber Security Risk Assessment Specialist)
Automation and OT Network Security are among our strongest competences
We have built a wide network of partnerships with the main international OT solution suppliers
Our BYHON internal division is the ISASecure® accredited certification body