EU NIS2 Directive

Select Language
  • English
  • Deutsch
  • italiano
  • magyar
  • français
  • polski
  • español
  • čeština
  • Ελληνικά
  • Nederlands (België)

The Network and Information Security 2 Directive (NIS2) is legislation that aims to establish a high, common level of cybersecurity across member states of the European Union. Here’s what you need to know to be successful, and how ABB can help you during your journey.*

Ready to get started?

What

What is NIS2?
The European Union (EU) introduced the Network and Information Security 2 Directive in December 2022 as an update to the original EU cybersecurity rules introduced in 2016. The NIS2 Directive is legislation that modernizes the existing legal framework to keep pace with increased digitization, and an evolving cybersecurity threat landscape.

NIS2 expands the scope of EU cybersecurity rules to new sectors and entities with the goal of improving the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole. This new directive is also a positive step for all citizens of the EU because it aims to secure the critical infrastructure that all EU citizens need and rely on.

What’s the difference between NIS and NIS2?
Introduced in 2016, Directive (EU) 2016/1148 (the NIS Directive) was the first piece of EU-wide legislation on cybersecurity. It introduced a significant change in how members states of the EU approached cybersecurity. NIS2 replaces the NIS Directive, providing legal measures to boost the overall level of cybersecurity in the EU. NIS2 also addresses several weaknesses that prevented the NIS Directive from unlocking its full potential. NIS2 widens the scope of the rules to more industries, strengthens risk and incident management and cooperation, and introduces stronger penalties and other compliance requirements to achieve a high, common level of cybersecurity across the EU.

NIS2 Document

Looking for the directive?

Open document

Discover key differences in legislative guidelines across various EU countries with our comprehensive study.

Download report

Who

Which industries are affected by NIS2?
NIS2 affects all EU organizations, industrial and non-industrial, including their suppliers, in critical sectors.
Other critical sectors
  • Energy: Electricity, oil, gas, heat, hydrogen
  • Health: Healthcare providers, labs, R&D, pharma
  • Transport: Air, rail, water, road
  • Banks and financial markets
  • Water and wastewater
  • Digital: IXP, DNS, TLD, DC, CSP, CDN, TSP, MSP, MSSP
  • Public administration
Other critical sectors
  • Postal and courier
  • Waste management
  • Chemicals
  • Food
  • Manufacturing technology and engineering
  • Digital services: Social, search, markets
  • Research
Compliance jurisdiction
Essential and important entities within the sectors of high criticality and the other critical sectors listed above are under the jurisdiction of the Member State where they provide their services. If the entity provides services in more than one Member State, it should fall under each Member state's jurisdiction. Entities where the service is provided or dependent on operations outside the EU should ensure the continuity of their EU services in case of disruption of their non-EU operations.

Does NIS2 affect your industry?

Learn more

What steps must you take?

NIS2 describes 10 categories of cybersecurity risk-management measures that firms must implement, + substantial reporting requirements.
Policies on risk analysis and information system security.
Operators must conduct a cybersecurity risk assessment of production systems and define critical components.
ABB conducts IEC 62443-based risk assessments of any production system independent of the ICS vendor.

Learn more

Watch video
Improved incident handling.
Operators must detect cybersecurity compromises and incidents and report these incidents to the asset owner.

Learn more

Watch video
Improvements in business continuity planning...
Operators must define their procedures to ensure prompt restoration of production in case of a cyber incident, starting with the business impact analysis.

ABB helps with contractual commitments of resources with appropriate response times and creating technical recovery plans. How ABB can help:

Learn more

Watch video
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers in order to harden one of the most common attack vectors. Operators must determine IS requirements for their direct suppliers, and establish programs for supplier monitoring and verification (supplier audits).

ABB got you covered with our certifications (ISO/IEC 27001, IEC62443-2-4), and monitoring of suppliers.
Learn more:

Learn more

Watch video
Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure. Operators must specify requirements for the entire information system lifecycle (planning, development, testing, maintenance, replacement).

Learn more

Watch video
Policies and procedures to assess the effectiveness of cybersecurity risk management measures. Operators must establish procedures for evaluating the effectiveness of protective measures in the area of information security.
ABB helps you with stay on top of your security with solutions and services.
Learn about our:

Learn more

Watch video
Basic cyber-hygiene practices and cybersecurity training to improve organizational preparedness and resilience. Operators must ensure that they assign only service-provider personnel to automation-solution-related activities.
ABB improves your team's capacity to recognize and tackle cyber threats.
How ABB can help:

Learn more

Watch video
Policies and procedures regarding the use of cryptography and encryption to harden organizations against attacks. Operators must develop definitions and documentation for use of cryptography, encryption, and signing in to information systems.
ABB helps implement cryptographic measures, including encrypted communication, signed software packages, and secure remote access.
How ABB can help:

Learn more

Watch video
Increased human resources security, access control policies, and asset management to encourage a culture of cybersecurity awareness. Service providers must create and maintain an inventory register, and ensure that their automation solutions support account management.
ABB can assist you in creating procedures that promote a culture of cybersecurity and securely manage users and accounts.
Learn about our.

Learn more

Watch video
Multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems to protect networks against the latest threat actors and tactics. Service providers must support multi-factor authentication for automation solution workstations as required by asset owners.
ABB supports multifactor authentication at the HMI level.
How ABB can help:

Learn more

Watch video

Notify without undue delay and, in any event, within 24 hours after having become aware of the incident. 
The act of notification does not make the notifying entity subject to increased liability.

The first step is to detect incidents and hopefully prevent the malicious actor access to the systems. ABB can help with our monitoring solutions. 
Learn about our:

Learn more

Watch video

How


What are your organization’s next steps (and who can help you)?
As an organization that must comply with NIS2, you need to understand your compliance and reporting obligations, and perhaps find a partner to help you on the journey. For example, you must notify the appropriate authorities, without undue delay, of any significant cyber threat that you identify that could have resulted in a significant incident.

Standardization (Article 25 of the Directive)
To promote the convergent implementation of Article 21(1) and (2), Member States shall, without imposing or discriminating in favor of the use of a particular type of technology, encourage the use of European and international standards and technical specifications relevant to the security of network and information systems.
Incident notification

NIS2 imposes notification obligations in phases, for incidents which have a “significant impact” on the provision of their services.
These notifications must be made to the relevant competent authority or CSRT (Computer Security Incident Response Team).

When

When must you act?
If your organization is affected by NIS2, you have until October 17, 2024, to adopt and publish the measures necessary to comply with the NIS2 Directive. There are other key deadlines, too.

ABB support and solutions

Partner with ABB to meet the NIS2 Directive with confidence 

The ABB Ability™ Cyber Security portfolio reduces cyber risks by implementing security controls with a defensible architecture enabling customers to identify and address cyber threats before they create harm.
Wondering where to start

Wondering where to start?

You likely have questions around NIS2 and how it impacts your organization. ABB Ability™ Cyber Security offers a comprehensive solution. Our industrial cyber security experts can help to reduce the likelihood and impact of a cyber incident and have deep experience in guiding customers through such compliance transitions.

Let’s collaborate to ensure your compliance with the EU NIS2 Directive.
Wondering where to start
* Disclaimer: Please note that the information provided on this page is not intended to be legal advice. It is based on the EU NIS2 Directive. It is important to note that a final decision on whether companies are affected can only be made after NIS2 is transposed into national law. Our recommendations are just a small part of the preparations that should be carried out. Despite our best efforts, errors may still exist in the content. Therefore, ABB will not be held liable for any damages.
  • Contact us

    Submit your inquiry and we will contact you

    Contact us
Select region / language