The time is now: EU member states are currently transposing NIS2, the EU’s mandatory cybersecurity directive, into national law, and in most countries, these laws will go into effect in 2025. Which means: the water industry has no more time to lose. It is among those industries that will have to comply with the new requirements – and those requirements are getting stricter and broader. The big question is: Are you ready for NIS2? Let’s find out.
What is NIS2?
The revised Network and Information Security Directive (Directive [EU] 2022/2555, i.e., the NIS2 Directive, or NIS2 for short) represents a significant enhancement to the original NIS Directive (Directive [EU] 2016/1148). NIS2 mandates EU member states to adopt and rigorously enforce stricter cybersecurity regulations. The NIS2 Directive aims to enhance the resilience and incident response capabilities of both the public and private sectors. The directive specifically focuses on combating cybercrime and improving both European and national cybersecurity management.
How is NIS2 different from NIS?
NIS2 is an updated version of NIS that provides improved guidance and clarity on the EU’s cybersecurity requirements. It expands the scope of what are regarded as essential and important entities, specifies management liabilities, outlines how controls should be carried out, and addresses how breaches should be reported. Companies in certain industries must demonstrably take appropriate cybersecurity measures and report serious incidents.
Does it affect you?
If your organization is a water or wastewater utility or a service provider for the water and wastewater industry, the answer is yes. Compliance with the NIS2 Directive is mandatory for medium and large drinking water and wastewater facilities. Non-compliance can result in hefty fines – and that is not all. For the first time, directors can be held accountable, along with their personal assets. It is not only your organization that is on the line – it could be you, personally.
How can you make things easier?
One of the best ways to improve and ensure cybersecurity is to select pre-tested, secure products for your systems. The good news: there is also a regulation that will help you. The EU Cyber Resilience Act enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products as of 2027. Siemens is already offering cybersecurity built into systems and solutions for industrial applications, such as automation and control systems, and using these will greatly facilitate meeting the requirements of NIS2.
Are you ready to find out if you’re ready for NIS2?
The first step in assessing your readiness is to check how the new regulations will affect your plants and networks and learn what you need to do. To begin the process, we recommend completing this short checklist available from Siemens online. All you need to do is answer four short questions, and you will receive your NIS2 checklist free of charge. If you need more in-depth guidance (or are too busy to assess your NIS2 readiness yourself), you can book an individual NIS2 assessment with the Siemens cybersecurity experts team: siemens.com/nis2-assessment. Refer to this chart for more details (pdf).
Challenge accepted?
