NIS-2 for critical national infrastructure, don’t comply, be cyber secure!
NIS-2: Understanding the Digital Dilemma for Critical National Infrastructure
Over the past decades, most stakeholders across highly critical and critical sectors – such as CPS, railway, maritime and Critical National Infrastructure (CNI) discussed in this white paper – have introduced automation and digitalisation across various (sometimes legacy) critical systems. As a result, they have significantly increased their efficiency and revenue, but they have also exposed themselves to more cyber security risks. Such is the digital dilemma inherent to the era of the digital economy. Key stakeholders rely on critical information to implement innovative business practices, eventually leading to more efficiency and revenue. This information, however, is based on data collected, aggregated, and analysed through the interconnection of automated and digitalised systems. This door into the digital world creates a new potential vulnerability to cyber-attacks.
Implementing the NIS-2 regulation
The introduction of NIS-2, which also covers several entities in highly critical and critical sectors, is meant to address this dilemma. Strengthening cyber security measures for critical and highly critical sectors by introducing clear responsibilities and appropriate planning encourages key stakeholders to focus on innovative, digitalised (data-driven) business practices. The rationale behind NIS-2 rests on the premise that if owners/managers are confident in their cyber security strategy, they are more likely to continue their digitalisation journey and, consequently, foster business innovation.
NIS-2 regulation: a focus on cyber risks and responsibilities
However, looking beyond the necessity to comply reveals that implementing NIS-2 requirements is simpler than many stakeholders in the CPS, railway, maritime, and CNI sectors have perceived thus far. Indeed, the objective of the new directive is to ensure that everyone is protected and can carry out their business with a certain level of peace of mind. In practice, this translates into an equation based on risk levels: a company assesses the risks it may be incurring – i.e., potential vulnerabilities to cyber-attacks – then balances those against the cost of addressing or not addressing those risks – i.e., cost of protection versus the cost of a potential attack – and decides where cyber controls should be implemented. Essentially, NIS-2 requires that risks be assessed and that those responsible for cyber security be able to explain why they chose a specific course of action.
Learn More About NI2 Appliances for Critical National Infrastructures
The remainder of this white paper provides a more detailed description of NIS-2's impact on the CPS, railway, maritime, and CNI sectors. It highlights that tools are already in place to ensure compliance with NIS-2 requirements and that, by requiring key stakeholders to strengthen their cyber security, the new regulatory framework is an important milestone in these stakeholders’ digitalisation journey.