Facing numerous cyber threats, the European Union has decided to strengthen its cybersecurity regulations, with NIS 2 (Network and Information Security). This directive must be transferred into member states’ law by October 17, 2024, and will have a significant impact on European companies and administrations. SCADA teams will play a crucial role in implementing NIS 2: what is its content, and how can teams get prepared for it?
NIS 2, a new paradigm
NIS 1, the first version of the directive, was applied unevenly across member states. While the directive related to only 300 entities in France (67 million inhabitants), in Norway (5 million inhabitants) it involved more than 10,000 Norwegian entities.
In response to this inequality, NIS 2 significantly expands the objectives and scope of application of NIS 1. NIS 2 now covers more of every countries’ industry, with three possible labels: Critical Entities (CE), Essential Entities (EE) and Important Entities (IE). Size criteria have not yet been established, but it will certainly relate to a very wide range of entities, from SMEs (Small and Medium-sized Enterprises) to multinationals.
Member States are responsible for monitoring NIS 2related regulations on their territories, through dedicated agencies. In addition to advising and disseminating best practices, these agencies also conduct audits and investigations. They are free to investigate within companies. They can initiate proceedings on the basis of evidence, or on a simple report. These national agencies are grouped within the CyCLONe (Cyber Crisis Liaison Organisation Network), to strengthen cooperation on a European scale.
States can impose sanctions, which are now toughened by NIS 2. Managers are also now held responsible, with possible suspension. Entities must disclose security flaws, notably to the CSIRT (Computer Security Incident Response Team) local network. The European Union has set an array of fines, which are now substantial:
- EE (Essential Entity): up to €10m or at least 2% of worldwide sales,
- EI (Important Entity): up to €7m or at least 1.4% of worldwide sales.
Let’s not forget that NIS is a directive: it sets a series of objectives for member states to achieve, against a deadline. It is up to them to transfer the directive’s measures into national law.
How can Panorama help you comply with NIS 2?
Considering this paradigm shift, systems, Panorama E2 features several internal cyber security mechanisms:
- Encrypted communication protocols: based on certificates, these protocols ensure secure communication between different system objects (PLCs, servers, clients),
- External directory: Panorama users can be declared in an external directory (Active Directory/LDAP) → a trusted third party can therefore keep logon data confidential,
- Network Wizard: this tool helps you set the security parameters for exchanges between different objects.
Let’s not forget that these elements are an aid to secure the final application, not a guarantee of security. Development teams are responsible for building a fully secure application.
NIS 2 will require SCADA teams to upgrade their applications. Panorama, a platform certified and qualified by the French government, will be there to support them in this task.
NIS 2 should be seen as an opportunity: the best practices developed within SCADA systems can be adopted by the whole entity, in a dynamic of IT/OT convergence. Let’s work together to ensure the global security of all companies and European administrations!