NIS2 for Operational

Technology Professionals:
A Guide to Cybersecurity
Compliance

Jesus Molina 1
Why another Guide?
In this guide, we look at the European
NIS2 (Network and Information Security)
legislation from an Operational
Technology (OT) perspective. There is no
question that new legislation, especially
one as far-reaching as NIS2, requires a
considerable number of deep breaths,
and simply reading the legislation might
not be the best approach: legislation
needs to be placed into the European
Cybersecurity context.
Like any legislation, understanding the
precise language can be daunting. In the
OT world, legislation that encompasses
both IT and OT verticals can be complex
to interpret as well. While NIS2 is
agnostic when it comes to
Number of countries affected:
27 EU
Member States
Amount of fines:
10 EUR million or up
to 2% of the total worldwide turnover
of an entity for non-compliance
Figure 1: NIS2 by the numbers
implementation, it refers to other
legislation and expert guidelines, which
further complicates comprehension.
In this guide, our goal is not only to
provide information on cybersecurity
compliance and standards to be used
and developed around NIS2, but also to
make the NIS2 directive more accessible.
While the words are already printed and
millions of articles and chatbots can
answer your questions (although be
cautious, as the information provided by
chatbots ranges from factually correct to
utterly incorrect), this guide aims to be
clear, offering visual summaries and
actionable insights for OT professionals.
46 articles in the
NIS2 Directive
Deadline for
transposition
into national law
October 17, 2024
2
Introduction to NIS2 Directive

What is it?
The NIS2 Directive is an updated EU cybersecurity law that builds on the original NIS
Directive (NISD). The goals of NIS2 are to boost cybersecurity, simplify reporting, and
create consistent rules and penalties across the EU. By expanding its scope, NIS2
requires more businesses and sectors to take cybersecurity measures, with the ultimate
goal of enhancing Europe’s cybersecurity in the long run. With stricter rules to
overcome previous limitations, NIS2 will impact a wider range of industries. Entities
under NIS2 are classified as essential or important, and the directive outlines security
requirements as well as a process for incident reporting.
Timeline
Following a two-year legislative journey, consensus on NIS 2 was reached in May 2022.
Subsequently, it was published in the Official Journal of the European Union (OJ L
333/80) and came into effect on January 16, 2023. The deadline for transportation into
national law by member states is October 17, 2024. There are other important dates
that we need to be aware of as well:

Member States must Member States shall

NIS2 comes adopt and publish establish a list of
into effect measures to comply with essential and
the NIS 2 Directive important entities

January July October January April October

16, 2023 17, 2024 17, 2024 17, 2025 17, 2025 17, 2027

First Cyber Crises Liaison CSIRTs network shall assess Revision of

Organisation Network progress made with regard the directive
( EU-CyCLONe) report to operational cooperation

Figure 2: NIS2 timeline

3
Approach for OT Professionals
Affected OT sectors include energy,
transport, healthcare, drinking water,
wastewater, ground installations serving
space-based services, and manufacturing
(for mid-sized companies and larger). OT
cybersecurity professionals need to read
behind the lines and look at far-reaching
practical implementations that will be
enforced.
In this guide we avoid the obvious and
discuss the practical implications of NIS2
for OT professionals, we look at
legislation and standards that will be
required by NIS2 in the near future, and
From NISD to NIS2. Why a new regulation?
Problems with NISD
There were several factors that
necessitated the replacement of the
previous Network and Information
Security Directive (NISD) by legislators.
These factors primarily revolved around
the consensus that the legislation
needed to be more stringent, and that its
implementation required a greater level
of uniformity across all member states.
This was based on the following
evidence:
• Insufficient cybersecurity investment
in the EU: A 2020 study by ENISA
found that EU organizations allocated
41% less to information security than
their US counterparts. This was
despite the fact that the NISD had
been in place for four years, a point
reflected by Figure 3.
we will look at related and referenced
works. These include the Network Codes
for Cybersecurity (NCCS) and the
upcoming standard that the current
technical specification TS-50701 for rail is
transitioning into.
OT cybersecurity
professionals need to read
behind the lines and look
at far-reaching practical
implementations that will
be enforced.
• Unclear expectations from NISD: In
the same study, 35% of the
respondents applying the NISD
reported unclear expectations. This
led to an inconsistent application of
the directive across EU states.
• Rise in cyberattacks: The EU’s
infrastructure has been increasingly
affected by ransomware and other
types of cyberattacks. Some
infrastructures lacked even basic
protections, such as segmentation at
the IT/OT interface. Additionally, there
was a perceived lack of transparency
in the reporting of cyberattacks.
4
 Figure 3: Percentage of Cybersecurity investments by EU Organizations + UK and US
for Reference in 2020
Expanded and Clarified Scope
The new regulation, NIS2, addresses
these issues by introducing a size-cap
rule, incorporating additional entities
into the “essential” category, and
creating a new category termed
“important.”
Size-Cap Rule: Under the previous NIS
directive, member states held
responsibility for determining which
entities met the criteria to qualify as
operators of essential services. The NIS2
directive clarifies and expands the scope
of the entities subject to the regulation.
Unlike in NISD, where member states
could individually decide which
operators were essential, NIS2
introduces a size-cap rule. This rule
applies to medium-to-large-sized entities
(those with over 50 employees and an
annual turnover exceeding €10 million)
within the relevant sectors, bringing
them under the purview of NIS2.
Expansion of Essential Entities: NIS2
includes additional sectors deemed
“essential”, such as space, wastewater,
public administrations (with some
exceptions), data center service
providers, trust service providers,
content delivery networks, and public
electronic communications networks and
services. Other critical sectors, including
postal services, chemicals, and the
manufacturing of key products, are also
mandated to comply with the
regulations.
Defining Important Entities: Under
NIS2, OT sectors such as food production,
manufacturing, and waste management
are also required to adhere to the
directive as “important” entities. The
supervisory and enforcement regimes for
such entities must be differentiated to
reduce the burden of obligations and
administrative requirements, while still
being targeted by the directive’s broad
requirements.
5
 > 10m revenue
> 49 employees
NISD NIS2 > 43m € balance

Essential Entities 1. Additional Essential Entities 3. Selected Entities

• Energy
• Transportation
• Baking
• Financial Market
Infrastructure
• Health
• Drinking Water Supply
and Distribution
• Digital Infrastructure
• Online Marketplaces
• Online Search Engines
• Cloud Computing Services
• Drinking & wastewater of national
• Manufacturers of pharmaceutical
products/preparation
importance
• Space infrastructure and services of any size
2. Important Entities 4. Including
• Food production, processing & distribution
connected
• Manufacturing of chemicals, medical • Subcontractors
devices, computers, electronics, optical • Infrastructure &
products, electrical equipment, machinery • Services providers
and equipment,
motor vehicles, and
transport vehicles Reporting obligation:
• Heating, electricity Major incidents/threats must be
market, oil storage declared within 24h since aware. Must
• Waste management cooperate with local authorities. Fines
up to 2% of turnover (max. €10M)

Figure 4: From NISD to NIS2

Increased Accountability and Reporting: Organizations are required

Reporting Requirements
In NISD, there was a lack of clarity on
what needed to be reported, in what
time span, who was accountable for a
cyber attack, and what where the final
fines. This is clarified in NIS2:
Accountability: NIS2 imposes direct
obligations on management bodies
concerning the implementation and
supervision of their organization’s
compliance with the legislation. The
results of non-compliance could be fines,
but also if individuals are found
responsible for not complying with the
required cybersecurity standards, they
could be temporarily barred from their
managerial duties in that organization.
to report significant cyber threats and
incidents to competent authorities or
Computer Security Incident Response
Teams (CSIRTs). Additionally, entities
classed as "essential" or "important"
must produce and implement an
Incident Response Plan and must report
annually on its progress. The new
directive introduces phased notification
obligations, including an initial
notification within 24 hours of becoming
aware of certain incidents or cyber
threats. This is a change from the
existing requirement of reporting
"without undue delay" under the NIS
Directive. Following the initial
notification, there are "intermediate"
and "final" reporting obligations.

6
Manufacturing is now under
NIS2
The manufacturing sector was not
explicitly included in the sectors covered
by the first NIS Directive. However, NIS2
has expanded its scope to incorporate
the manufacturing of certain critical
products such as pharmaceuticals,
medical devices, and chemicals. This
means that a portion of the
manufacturing sector now needs to
comply with the same obligations as
other OT entities.
Presently, the manufacturing sector is
the second-largest target of ransomware
attacks with tangible consequences,
leading many companies to experience
production outages. Much of this
vulnerability stems from improper
segmentation between Information
Technology (IT) and OT systems. The new
legislation, NIS2, aims to enforce
improved cybersecurity risk
management practices. It also introduces
Power
Process Manufacturing
Oil & Gas
Metals & Mining
Food & Beverages
Discrete Manufacturing
Figure 5: Attacks with Physical Consequences by Industry
the potential imposition of severe fines
for non-compliance, encouraging entities
to take their cybersecurity obligations
seriously.
As a result, the manufacturing sector is
advised to work urgently towards
achieving a similar level of compliance as
other OT verticals already impacted by
the original NIS Directive. The expanded
scope of NIS2 signifies the European
Union's commitment to achieving a high
common level of cybersecurity across a
broader range of sectors, reflecting the
evolving landscape of digital threats and
the necessity of robust safeguards.
NIS2 has expanded its
scope to incorporate the
manufacturing of certain
critical products such as
pharmaceuticals, medical
devices, and chemicals
Water
Transportation
7
Best practices and controls for OT
professionals to comply with NIS2

Articles 21 and 23
Articles 21 and 23 are the two primary articles in the NIS2 Directive that OT
professionals need to act upon. Article 21 addresses the management of cyber risk,
while Article 23 pertains to reporting. The NIS2 Directive specifically outlines the
penalties for non-compliance with these two articles: The maximum fine is either
€10,000,000 or 2% of the entity's global annual turnover from the previous financial
year, whichever amount is greater.
Understanding how Article 21 will be To address Article 21
implemented in OT networks is crucial. Article 21
states that, taking into account the state-of-the- in the legislation,
art and relevant European and international asset owners should
standards, organizations must ensure a level of
security for network and information systems prioritize addressing
appropriate to the risks posed. This is further cybersecurity issues
specified in Article 25, which encourages the use
of European or international standards.
present in their OT

Articles 21 Appropriate Level of Security

Articles 23 Report in 24 Hours

Figure 6: Article 21 and Article 23

To address the "appropriate" wording in Technology (IT) systems. However,

the legislation regarding cybersecurity
requirements, asset owners in these
industries should prioritize addressing
cybersecurity issues present in their OT
networks. This need does not apply in
many other sectors covered by the NIS
Directive, where the primary concern
remains the vulnerability of Information
upcoming standards and legislation will
focus on OT networks, and the wording
of NIS2 (which states that protection of
assets should match the risks) points in
that direction. In this guide, we will look
at how the current Network Codes for
Cyber Security (NCCS) for electricity
illustrate this point.

8
For mid-sized manufacturing or health
care sectors, Article 21 will have a
significant impact, as cybersecurity
standards in these sectors are relatively
weak and owners and operators in these
sectors know that they will be labeled as
essential and highly critical. As such,
affected organizations will need to
develop cybersecurity policies to comply
with the directive.
Article 23 discusses reporting.
Organizations must report any cyber
incidents quickly – an early warning must
be issued within 24 hours, followed by
an incident notification within 72 hours,
and a complete incident report within
one month.
Additionally, operators must collaborate
with established national and EU-wide
organizations. EU member states will
create national organizations such as
Computer Security Incident Response
Teams (CSIRTs) to supervise the adoption
of the directive. These organizations will
report to pan-European bodies such as
the European Cyber Crisis Liaison
Organization Network (EU-CyCLONe).
High
Risk Determination
Assessment of High or
Critical Impact
Critical
Figure 7: NCCS Rules
NCSS: An example of
Implementing Article 21 for
Operators In Energy Sector
For OT operators in critical infrastructure,
more focused standards and directives
should be considered to guide
compliance with article 21, such as the
upcoming Network Codes on sector-
specific rules for cybersecurity aspects of
cross border electricity flows (NCCS) or
sector-specific standards. NIS2 focuses
on reporting, creating agencies, and
imposing fines for non-compliance. As
attacks and their consequences become
more severe, we should expect local
rules to evolve quickly. Establishing
security programs that do more than the
minimum currently required will be
essential to staying ahead of rapidly-
evolving regulations.
The Network Code on Cybersecurity aims
to establish a unified European standard
for safeguarding cross-border electricity
flows' cybersecurity. This code includes
regulations on assessing cyber risks,
implementing shared minimum
requirements, certifying cybersecurity
for products and services, monitoring,
reporting, and managing crises.
Minimum
Controls
Verification
Advanced
Controls
9
The NCCS approach to cybersecurity
involves establishing both high-impact
and critical-impact perimeters based on
the Electricity Cybersecurity Impact
Index (ECII). This methodology is likely to
categorize systems according to business
consequences and reliability/safety
consequences.
The minimum cybersecurity controls
should be applied to both perimeters,
while the critical-impact perimeter
should be protected with advanced
cybersecurity controls. This requires a
strict separation between critical and
non-critical impact perimeters,
potentially at the IT/OT interface or
micro-segmentation within OT around
the critical assets such as gas turbines
and its safety systems, and utilizing
advanced perimeter solutions, including
hardware-enforced segmentation using
unidirectional gateways. In addition, the
minimum and advanced cybersecurity
controls and the electricity controls to
standards mapping Matrix (ECSMM) will
map security controls to a selected set of
international standards, such as
IEC_62443. NIS2 also requires that the
consequences of cybersecurity attacks
be considered in risk assessments. These
consequences include loss of load,
reduction of power generation, loss of
capacity in the primary frequency
reserve, and loss of capacity for a black
start.
TS50701: An example of
Implementing article 21 for Rail
Professionals
A problem that operators will face in
Light of Article 21 is finding relevant EU
standards for the their vertical. Railway
and Public Transport Operators (PTOs), in
2022 saw an unprecedented number of
cyber-attacks with physical conse-
quences around the globe. In addition to
the rise in the number of attacks, there
was an increase in attack sophistication
enabled by tools and methods now
freely available on the dark web – tools
that were historically seen only in the
hands of state-sponsored actors.
To address this threat, TS 50701 is as of
today the most comprehensive and
detailed guideline for cybersecurity in
rail systems, as it is derived from the IEC
62443 family of standards, with added
considerations for extended security
levels and safety. The European Union
Commission instructed CENELEC to
incorporate EU directives into this
Technical Specification to address the
rising number and complexity of cyber
threats. TS 50701 is the security standard
that resulted from this effort, specifically
designed for rail networks to protect
communications, signaling, processing,
rolling stock, and fixed installations
domains.
10
As an example, the IEC 62443 standard is focused on automation and describes four
levels of network and system criticality, but in rail we also have systems that are
deemed as “safety systems,” such as the signaling system in the ground or the Train
Control Management System (TCMS) on board. TS 50701 adds an additional level of
criticality, over and above the four specified in 62443. The extra-high level in TS 50701
was added because, the specification argues, rail networks are more complex than
conventional automation networks and require an additional security level for safety
systems.

Eg ISO ISO/IEC JTC1

Applicable cybersecurity law and regulation

Business enterprise ISO/IEC 27000,
27001 ISO/IEC 15408
zone or “IT” - for
planning, logistics,
sales & engineering

EN TS IEC
50701 62443
Railway IACS NIS2 Directive
Control zone or system
“OT” - operational IEC TC 65: IEC 62443
IEC TC 9 – AHG 20
technology

Figure 8: Business and Control Networks for TS 50701. Source: TS 50701

Guidance documents based on TS 50701 are beginning to emerge, such as the

tendering guide released by the International Association of Public Transport (UITP),
estitled “Practical Guidance on Cybersecurity: Requirements in Tendering.” This guide is
a first of its kind in the transportation industry. It provides information on how to
approach cybersecurity tendering in accordance with TS 50701. This is relevant for the
public transportation industry, spanning multiple passenger rail modalities such as
Metro, Commuter Rail, and Tramway, as well as bus services.

11
US Regulation for OT
One of the catalysts for the enactment of
NIS2 was the comparative lack of
spending on cybersecurity in the EU as
opposed to in the USA. Given this, it is
worth examining US regulations and
their potential impact on NIS2. The new
Biden-Harris cybersecurity agenda
promotes an approach to protecting
critical infrastructure that is similar to
NIS2. This includes increased
accountability, improved reporting, and
the establishment of state-wide
organizations to ensure the correct
implementation of cybersecurity
measures.
In general, the response time of US
agencies to a cyberattack is shorter than
that of the EU, which could indicate
future trends in standards. For instance,
when the IT network at Colonial Pipeline
was compromised by ransomware, the
pipeline was shut down out of an
"abundance of caution." As a result, the
Transportation Security Administration
(TSA) updated its requirements to ensure
that OT systems are isolated from IT
systems in the event of a cyberattack.
This was intended to assure that
pipelines would continue functioning at
necessary capacity even if IT systems are
compromised. The TSA detailed that OT
and IT environments need to be
independent and segregated to prevent
cascading effects on OT systems in the
event of an attack targeting data.
It is reasonable to expect that future EU,
US, and regulations in other geographies
will continue to evolve in similar ways,
because all of these jurisdictions require
robust and adaptable cybersecurity
measures in a global economy that is
increasingly interconnected data-wise
and supply-chain-wise.
The US Transport Security
Administration requires
that OT and IT
environments are
independent and
segregated
12
Conclusion and Recommendations
The new Network and Information
Systems Directive (NIS2) focuses
primarily on Information Technology (IT)
and emphasizes the protection of
Internet infrastructures such as DNS
servers. It does not explicitly mention
Operational Technologies (OT) and
classifies sectors as diverse as energy
and banking as equally critical. However,
the mandate for taking appropriate
measures and the imposition of strict
accountability should prompt OT sectors
to raise their cybersecurity standards.
Key takeaways for critical OT
environments such as energy, transport,
and water management include:
• NIS2 establishes a set of rules and
minimum requirements to foster EU-
wide cooperation and reporting.
• NIS2 has evolved from the original NIS
Directive, including new OT verticals
such as certain manufacturing sectors,
and new requirements for increasing
accountability and reporting.
• Article 21 encourages the use of
appropriate measures based on risk,
which in the case of critical
infrastructures is likely to translate
into the application of stricter
standards and regulations.
• Article 23 requires the prompt
reporting of cyberattacks, which will
enhance transparency.
• Accountability provisions may include
fines for businesses and direct
responsibility for top company
officials.
• OT operators should use as guidance
enhanced EU vertical standards and
guidance such as NCCS for energy and
TS 50701 for rail, as well as evolving
US regulations.
• The strict separation of OT and IT
segments simplifies implementation of
NIS2 and is consistent with NCCS, TS
50701, and new US regulations.
Fundamentally however, compliance
with NIS2 regulations does not
guarantee protection against external
cyberattacks, and the minimum
measures outlined in NIS2 may be
inadequate for OT systems, where the
impact of a cyberattack could be
catastrophic. Non-compliance will still
trigger fines and personal accountability,
but if there is a serious cyber attack on
OT systems triggering loss of life or
threats to public safety, the question the
courts will ask is not merely “Did you do
the minimum the law required?” but also
“Did you implement those security and
safety precautions that any reasonable
person would have implemented had
they been in your place?”
Due care is more than compliance. And
the most important and most sensitive
OT systems always demand a different
approach to security, because human
lives, environmental disasters and critical
infrastructure services cannot be
“restored from backups.”
OT systems always
demand a different
approach to security –
human lives and
environmental disasters
cannot be “restored from
backups”
13