NIS2: Is Your Manufacturing Business Prepared?
By Temi Akinlade, vCISO Security Advisor at Armor
The Network and Information Systems Directive 2 (NIS2), a crucial update that has replaced the original NIS directive, significantly expands the scope and cybersecurity requirements for various sectors, including manufacturing. With its enforcement date in October 2024, it’s imperative that manufacturers understand and implement the necessary changes to protect their critical infrastructure and ensure operational resilience.
Understanding NIS2 Requirements
NIS2 aims to establish a higher level of cybersecurity across the EU by mandating security measures for operators of essential services. For the first time, manufacturing businesses designated as ‘essential’ or ‘important’ must reassess their cybersecurity practices as part of a move to fortify and protect some of our most important supply chains.
Manufacturers affected by the new changes include, amongst others, those involved in the production of machinery, vehicles, medical devices, electronics and food.
1. Risk Management: NIS2 emphasises the importance of risk management processes. Manufacturers must identify and assess risks to their network and information systems, prioritise them based on their potential impact, and implement appropriate security measures to mitigate those risks.
2. Incident Reporting: NIS2 introduces stricter incident reporting obligations. Manufacturers must report significant cybersecurity incidents to the relevant national authorities within a specific timeframe:
• Significant incidents: Must be reported to the relevant Computer Security Incident Response Team (CSIRT) no later than 72 hours after the organisation becomes aware of the incident.
• Incidents having a substantial impact: Require early warning within 24 hours of becoming aware of the incident, followed by a final report.
3. Security Measures: NIS2 mandates a set of security measures that manufacturers must implement to protect their systems. These include measures such as:
• Network security (firewalls, intrusion detection/prevention systems)
• Data security (encryption, access controls)
• System security (patch management, vulnerability scanning)
• Resilience measures (backup and recovery, business continuity plans)
4. Supply Chain Security: Manufacturers must also consider the security of their supply chain. NIS2 requires them to assess and manage risks associated with their suppliers and subcontractors, ensuring that they too have appropriate cybersecurity measures in place.
Preparing Your Manufacturing Business
To ensure compliance with NIS2 and protect your manufacturing business from cyber threats, consider the following steps:
1. Conduct a Risk Assessment: Identify and assess the risks to your network and information systems. This assessment should consider both internal and external threats and the potential impact, including cost, of a cyber-attack on your operations.
2. Implement Security Measures: Based on your risk assessment, implement the necessary security measures to mitigate the identified risks. This may involve upgrading your existing security infrastructure, implementing new security technologies, training your staff on cybersecurity best practice or employing the services of an external Security Operations Centre.
3. Establish Incident Reporting Procedures: Develop procedures for reporting cybersecurity incidents to the relevant authorities. Ensure that your team are trained on these procedures and understand the importance of timely reporting.
4. Review Supply Chain Security: Assess the cybersecurity of your suppliers and subcontractors. Ensure that they have appropriate security measures in place and that you have contractual agreements that address cybersecurity requirements.
5. Monitor and Review: NIS2 compliance is an ongoing process. It’s important to regularly monitor and review your cybersecurity measures to ensure that they remain effective in the face of evolving threats.
Conclusion
NIS2 represents a significant step in strengthening cybersecurity across the EU. By understanding and implementing the new requirements, manufacturing businesses not only protect their critical infrastructure and ensure operational resilience but also play a vital role in contributing to a more secure digital environment.
However, its implementation will not be without its challenges. Manufacturers may need to allocate more budget, time and potentially more staff to cybersecurity initiatives, which could impact profitability and leave smaller companies unable to keep up with the additional costs.
That said, by leveraging external services such as Managed Detection and Response, manufacturers can work towards NIS2 compliance without significant upfront investment or the recruitment of specialised security personnel. This enables them to remain competitive and profitable while meeting the stringent cybersecurity requirements of NIS2.