The NIS2 Directive is cleverly formulated. This is proven by its use of the idea of the trickle-down effect that will integrate all other sectors through the listed essential and important entities. In the end, NIS2 thus applies to all companies on the market.
This clever and absolutely correct dodge results from two NIS2 requirements:
- Cybersecurity must be a key aspect in the purchase of IT/OT systems or services.
- Cybersecurity must be a key aspect in the selection of supplier companies. This should even go so far that the supplier should be forced to have a secure product development.
Since the essential and important entities typically constitute a strong market power, supplier companies are urged to uniformly strengthen their cybersecurity on their own due to market constraints. Since the requirements directly affect their products and services, cybersecurity becomes the basic element of any product development.
With regard to the previous rather “insecure by design” OT components and systems, this is absolutely good news. It will obligate supplier companies through the demand to revise their products with regard to cybersecurity.
The EU focuses on the big picture of cybersecurity
Moreover, the NIS2 Directive must not be considered an individual regulation. It is embedded in the larger cybersecurity framework that is currently developing in Europe. Last but not least, the Cyber Resilience Act (CRA) makes this clear. If the act is adopted as currently formulated in the draft version, cybersecurity will become a part of every CE conformity process. Devices and systems that require a CE mark must therefore automatically be cyber secure.
What this can look like in practice is shown by the company Sonnen, which develops and markets energy storage systems for private households. The Shell subsidiary has been integrating industrial security monitoring and anomaly detection into its remote-controlled energy storage systems since the beginning of 2020 in order to protect its fleet and end customers.
As of October 2023, Rhebo IIoT Security is monitoring and protecting more than 50,000 Sonnen energy storage systems worldwide.
The CRA is an all-around effort that will have a broader impact than the NIS2 directive. And the EU wants to do it right and create clarity. This means: They want to formulate clear instructions and framework conditions so that no misunderstandings arise regarding all the applicable international, national, and sector-specific standards.
All signs point to IEC 62443
And the way it looks, the journey is heading toward ISO/IEC 62443, the comprehensive standard family for cybersecurity, especially in industrial companies.
Ultimately, the CLC/TC 65X Technical Committee was recently commissioned to work out the harmonization of the existing security standards. CLC stands for the European Committee for Standardization CENELEC. TC 65X is the connection between CENELEC and the IEC Committee TC 65. The latter is responsible for the IEC 62443 standard family.
All industrial companies and industrial suppliers are thus well advised to start having a good look at the IEC 62443 Standard. We explain how to do this in our IEC 62443 blog post.
Missed part 1 or 2 of our NIS2 blog post trilogy? No problem, let's start at the beginning.