NIS2 Map

The EU's NIS2 Directive elevates the importance of cybersecurity, and Thales is here to help you navigate this challenge. Our self-assessment tool, aligned with NIS2 Article 21.2, offers a comprehensive evaluation of your cybersecurity strengths and weaknesses. But we go beyond assessment. With our expertise and the ISA/IEC 62443 standard, we collaborate with you to implement effective cybersecurity measures for your Industrial Automation and Control Systems (IACS)/Operational Technology (OT) and prepare for NIS2 compliance. Take the first step: assess your readiness with our tool. For more in-depth self-assessment options based on additional aspects of 62443, and for expert guidance on NIS2 preparation, contact us today.

| NIS2 Article 21.2 | ISA/IEC 62443-2-1 requirements |
|---|---|
| 21A | ORG1.1; ORG1.2; ORG1.3; ORG1.4; ORG1.5; ORG1.6; ORG2.1; ORG2.2; ORG2.3; ORG2.4 |
| 21B | EVENT1.1; EVENT1.2; EVENT1.3; EVENT1.4; EVENT1.5; EVENT1.6; EVENT1.7; EVENT1.8; EVENT1.9 |
| 21C | EVENT1.1; EVENT1.3; EVENT1.4; EVENT1.5; EVENT1.6; EVENT1.7; EVENT1.8; EVENT1.9; AVAIL1.1; AVAIL1.2; AVAIL1.3; AVAIL2.1; AVAIL2.2; AVAIL2.3; AVAIL2.4; AVAIL2.5 |
| 21D | ORG1.6 |
| 21E | ORG1.1; ORG1.2; ORG1.3; ORG1.4; ORG1.5; ORG1.6; COMP2.1; COMP2.2; COMP2.3; COMP3.1; COMP3.2; COMP3.3; COMP3.4; COMP3.5 |
| 21F | ORG1.1; ORG2.1; ORG2.2; ORG2.3; ORG2.4 |
| 21G | ORG1.1; ORG1.2; ORG1.3; ORG1.4; ORG1.5; ORG1.6; EVENT1.1; EVENT1.3; EVENT1.4; EVENT1.5; EVENT1.6; EVENT1.7; EVENT1.8; EVENT1.9 |
| 21H | DATA1.1; DATA1.2; DATA1.3; DATA1.4; DATA1.5; DATA1.6; DATA1.7; DATA1.8; DATA1.9 |
| 21I | ORG1.1; ORG1.2; ORG1.3; ORG1.4; ORG1.5; ORG1.6; ORG3.1 |
| 21J | DATA1.1; DATA1.2; DATA1.3; DATA1.4; DATA1.5; DATA1.6; DATA1.7; DATA1.8; DATA1.9; USER2.1; USER2.2; USER2.3; USER2.4 |

NIS2: Your cybersecurity readiness chart

Objective A: Managing Security Risk
Does your company ensure that the IACS security program is coordinated with your formal information security management system (ISMS), if you have one?
Does your company perform background checks on all personnel who have access to the IACS, including employees, contractors, and vendors, to the extent allowed by applicable law?
Does your company assign security roles and responsibilities to qualified personnel?
Does your company provide formal cybersecurity awareness training to all personnel who interact with the IACS, and is this training updated regularly?
Does your company provide formal cybersecurity training to all personnel who interact with the IACS that is relevant to their IACS cybersecurity responsibilities?
Does your company have a formal security supply chain process that specifies requirements for suppliers of products and services to address cybersecurity risks to the IACS?
Does your company periodically use manual or automated processes to discover and address undocumented or unauthorized devices/software, network traffic, vulnerabilities, and other security anomalies in the IACS?
Does your company ensure that systems and components used in the IACS are developed and supported using formally defined secure development lifecycle processes?
Does your company regularly review the security program to verify that it is being properly applied and to address changes in the organization, its processes, technical changes in the automation solution, and changes in the threat environment?
Does your company control physical access to the IACS, including access to facilities, equipment, and cabling, to meet risk targets?
Does your company ensure that all devices have malware protection software installed (where feasible) that is verified to detect and respond to known malware and is compatible with the device?
Does your company test malware protection software and malware definition files for compatibility with the IACS before installation and install them in a timely manner after release?
Does your company verify the authenticity and integrity of all installed security patches?
Does your company document and maintain the security patch status of all devices to be current?
Does your company ensure that security patch installation does not reduce the security of the device?
Does your company assess the risk of not installing applicable security patches, and if the risk is not tolerable, address the risk and document the resolution?
Does your company identify and classify all IACS data requiring safeguarding according to their protection requirements?
Does your company protect all data requiring safeguarding, whether at rest or in motion, from compromise according to their classification?
If your company uses safety systems in the IACS, does it ensure that safety system configuration updates are only performed when configuration mode is enabled, and is configuration mode only enabled when configuration changes are necessary?
Does your company have the IACS set to a predetermined state if normal operation cannot be maintained due to a detected security breach?
Does your company ensure that cryptographic mechanisms used in the IACS are commonly accepted by both the industrial and security communities?
If your company uses cryptographic mechanisms with keys in the IACS, does it ensure that the use, protection, and enforcement of the lifetime of cryptographic keys follow commonly accepted practices in the industrial and security communities?
If your company uses a public key infrastructure (PKI) in the IACS, does it follow commonly accepted practices and ensure that all certificates are validated, generated by a trusted certificate authority, and access to certificates and the certificate revocation list is controlled?
Does your company enforce assigned access rights for all users?
Does your company ensure that IACS users logged onto the operating system (OS) with administrative privileges cannot access control system functions?
Does your company require explicit elevation of privileges, including supervisor overrides, for all operations that require elevated privileges?
Does your company have data retention policies and capabilities that support security operations before, during, and after a cyber event?
Does your company detect IACS events to support security management activities like reporting, logging, analysis, and response?
Does your company report IACS events in a timely manner?
Does your company use commonly accepted interfaces for reporting IACS events?
Does your company write events to protected event/audit logs and retain them for an adequate time period?
Do IACS security-related audit and event log entries contain enough information to support non-repudiation and time-correlated analysis of events?
Are event logs accessible through commonly accepted interfaces?
Does your company analyze security-related events to identify and characterize attacks, security compromises, and security incidents?
Does your company have an up-to-date process for evaluating and responding to IACS security incidents?
Does your company address and resolve existing and newly identified IACS vulnerabilities?
Does your company have an up-to-date site disaster recovery plan (DRP), business continuity plan (BCP), or both, that includes disaster scenarios, failure handling procedures, and processes for maintaining operational continuity?
Does your company protect the IACS from resource/equipment failures due to power disruptions, capacity/processing overloads, and hardware failures?
Does your company protect the IACS from denial of service (DoS) attacks?
Does your company purge all data requiring safeguarding when a device is decommissioned or removed from the IACS?
Does your company require approval by two or more users for actions that can seriously impact the industrial process, unless not performing the action would have a greater impact?