Navigating NIS2 in the water sector: SWAN 2025 perspectives

By Tobias Nitzsche, Global Cyber Security Practice Lead

If there was a question about how the water and wastewater industry views the implementation of NIS2, it was answered at the recent 15th SWAN Annual Conference in Berlin, Germany. What I heard from delegates – along with the engagement and insights from a roundtable session that I chaired – is that the industry believes the rollout of this framework is critical to the future security of the sector.

High interest, different perspectives, varying readiness

The roundtable “NIS2 in a European country comparison: How are the member states implementing the new EU Cybersecurity Legislation?” was one of the most attended among 17 concurrent sessions. Understanding where our customers are in their journey, the challenges they face and how different countries implement the new legislation is vital for plotting the way forward, and it was encouraging to see that it resonated with so many others, too.

Sentiment towards EU regulation in the room was clearly mixed. Several utility representatives expressed concern that the EU might be overshooting with regulations, and said they felt overwhelmed by the volume of compliance requirements. However, this concern was balanced by a genuine recognition of the need for robust cybersecurity measures.

The ABB team: Tobias Nitzsche, Giuseppe Fraddanno, Ragnar Schierholz

The discussion, led by an ABB team that included Giuseppe Fraddanno, Sales Manager, ABB Energy Industries – Central and Southern Europe, Ragnar Schierholz, ABB Global Cyber Security Product Manager, and myself, highlighted a clear disparity in readiness levels. Larger utilities showed confidence in their preparatory work, with many having already begun implementing ISO 27001 standards for information security management systems. These organizations expressed trust that their existing efforts would help them meet NIS2 requirements. They feel comfortable with it.

Smaller utilities, however, faced a different reality. Their primary challenge wasn't the technical implementation but rather defining the scope itself. Questions arose about what should be included: Is it just IT systems? Does it encompass operational technology? What about procurement and HR processes? The answer – yes, all those areas need consideration at some level – highlighted the comprehensive nature of NIS2 compliance.

Bringing man and machine together

The 24-hour incident reporting requirement under NIS2 sparked significant discussion about event detection and monitoring systems. To meet such tight timeframes, utilities need both advanced technology and properly trained personnel. This dual requirement of technological capability and human expertise emerged from the discussions as a critical success factor.

Delegates emphasized that people remain the biggest risk and challenge, as they don’t always understand that they need to take care of the OT part as well as the IT part. Without a proper understanding of both IT and OT security requirements, organizations cannot adequately detect and respond within the specified timeframes, and right now the reporting obligation is 24 hours. This human element cannot be overlooked in the drive to implement the technical solutions that will ensure NIS2 compliance.

Collaborative solutions and future considerations

The conference highlighted several collaborative initiatives within the industry. There's growing interest in establishing a SWAN working group specifically focused on NIS2, and I believe this could provide valuable peer-to-peer guidance and sharing of best practice. Risk assessments also featured prominently in discussions, with participants recognizing that standard IT risk assessments aren't sufficient. OT-specific risks require specialized expertise and tailored approaches. This is an area where companies like ABB can provide valuable support through our risk assessment offerings.

The broader conference themes of digitalization, AI, and IT/OT interconnectivity reinforce why cybersecurity must be considered from the beginning of any digital transformation project, not as an afterthought. As the water and wastewater industry continues its digital journey, cybersecurity becomes increasingly important for operational resilience.

While the SWAN Annual Conference successfully addressed key industry challenges, I believe future events would benefit from greater utility participation alongside the current mix of vendors and solution providers. Real-world perspectives from end users are essential for meaningful progress on these complex regulatory challenges.

The NIS2 journey is just beginning, but the collaborative spirit and shared commitment to cybersecurity excellence that I witnessed give me confidence that the industry can – and will – rise to meet these challenges effectively.
