Staying cyber safe: understanding NIS2

3rd May 2025
Sheryl Miles

The complexity of today’s connected electrical systems attracts cybersecurity threats to uptime, revenues, and corporate reputation. Jason Newby, Advisory Services Global Portfolio Manager at ABB, outlines what European organisations need to know about the recently enforced NIS2 Directive – and how an experienced partner can help your own business stay compliant.

Digitalisation is driving a profound transformation of our industrial landscape. The Internet of Things already connects billions of devices and systems. Enabling data-driven applications for control, monitoring, automation, and analysis, it has the power to boost efficiency, safety, reliability, and profitability.

Electrification technologies are themselves becoming more connected. As systems become larger, more complex, and harder to manage, digitalisation unlocks valuable insights for plant and facility owners about the performance, health, and energy consumption of individual devices and entire systems. A non-stop stream of data from thousands of sensors, motors, actuators, and other devices can be harnessed to fine-tune process efficiency and optimise yields. Analytics assisted by artificial intelligence and machine learning plays a central role in condition-based monitoring, spotting anomalous behaviour and imminent signs of failure in electrical systems long before a human engineer would notice anything’s wrong.

As today’s industrial operations become progressively greater in their scale and geographical diversity, plant owners can link sites across regions, countries, or continents. Plants in far-flung or inaccessible areas can be monitored and managed remotely, while operational and engineering data from multiple facilities can be pooled to give a global picture of performance and sustainability.

With any kind of connectivity comes the risk of compromise. Petabytes of information flowing over public networks present an attractive target to hackers and other bad actors, inviting a spectrum of cyber-attacks that range from phishing and ransomware to denial of service and theft of intellectual property. At best, organisations can face the costs of plugging gaps in their cyber defences. At worst, a serious breach can mean halted production, lost revenues, and a tarnished corporate reputation.

In response to the evolving spectrum of cybersecurity vulnerabilities facing businesses and institutions, the European Union is implementing progressively stronger measures to protect and enhance the resilience of network and information systems across the EU, including UK entities doing business in Europe. Fully implemented since October 2024, the NIS2 (Network and Information Security 2) Directive is a legislative framework that updates the original NIS Directive, establishing a high common level of cybersecurity to protect critical infrastructure owners and digital service providers. Introducing stronger risk management, incident reporting, and staff training obligations, NIS2 also imposes stringent penalties for non-compliance that can include fines of up to 10% of an organisation’s annual turnover.

Ensuring compliance with NIS2 sets some significant challenges for commercial businesses and other entities that are reliant on complex Internet-connected systems. The electrical infrastructure in a typical industrial facility represents a patchwork quilt of equipment and systems of varying vintages and conditions, with many devices no longer benefiting from manufacturers’ regular updates and support to ensure their cybersecurity. Keeping these vulnerable legacy systems siloed from the rest of the plant – and the wider Internet – is no longer a viable option when ubiquitous connectivity is increasingly essential for business continuity and innovation. Equally, ripping out and replacing large amounts of obsolete equipment can be a daunting and costly prospect. Unsurprisingly, there’s no one-size-fits-all solution – and it’s vital that organisations have a clear understanding of their legal obligations as well as the options on the table to guarantee compliance.

It’s critical for British businesses to understand the full scope of NIS2 and its potential impact. While certain exemptions apply, the Directive is broadly applicable to medium and large organisations with over 50 employees, or a turnover of €10 million, operating across 18 business sectors. These requirements are applicable for any company that does business in Europe, even if it does not have a physical presence within the EU.

For detailed guidance on your own organisation’s obligations, it’s important to talk to an experienced partner who can help you build and implement a NIS2 action plan. One of the Directive’s key stipulations is the need for a risk assessment to identify potential cyber risks, prioritise the assets that are in most urgent need of attention, and assess whether further changes are needed in areas such as incident reporting, recovery plans and wider corporate governance. Working with a suitable partner doesn’t just ensure short-term compliance with the demands of NIS2. It can also ensure that systems and business are match-fit for further legislative changes being enacted in other territories.

NIS2 is just one element of cybersecurity regulation affecting organisations that are operating both within and outside the EU. The growing complexity of today’s connected electrification systems exposes organisations to an ever-changing spectrum of cybersecurity threats, putting critical systems and potentially staff safety at risk. The costs and long-term reputational damage caused by an attack can be huge. Adopting a proactive stance to cybersecurity is accordingly good business, irrespective of the regulatory landscape – and now’s a great time to take the next step. ABB Navigate, for example, is our own suite of consultancy and advisory services that includes cybersecurity assessments and solutions, ranging from high-level risk assessments to bespoke security software.

© Copyright 2025 Electronic Specifier