As water and air are for our bodies, critical infrastructure sectors are the vital lifelines of the modern world. These essential services power communities, transport food, and deliver medical care, among other essential functions. Each sector must keep operating reliably even though it depends on network and information systems, including operational technology (OT), that face a myriad of cyber threats every day. Those threats can disrupt services directly and, because other businesses depend on the same services, cascade into secondary outages. This outsized impact of essential services is why the European Parliament adopted the original NIS Directive (hereafter, NIS1) in July 2016 to address the security of the network and information systems underpinning critical infrastructure.
Security, however, is an ever-changing field. Threats keep growing in number and sophistication, and with them the risk that a cyberattack on critical infrastructure succeeds. Beyond these external threats, the promise of new efficiencies has driven a wave of digital transformation that has increased connectivity between OT and business networks. The result is an expanded attack surface that now includes industrial control systems (ICS) which were traditionally isolated. These trends, combined with a review of how effective NIS1 had been in practice, led to an update of this major regulation. The NIS2 Directive (NIS2) takes a stricter approach to cybersecurity controls, with an expanded scope covering more sectors and entities, and penalties that member states are required to enforce.