Key points
TL;DR: Staying Cyber Secure with NIS2 in the Process Industry
- What is NIS2? The updated EU directive mandates a higher standard of cybersecurity across critical sectors, including energy and manufacturing.
- Who does it affect? Any organisation providing services to EU-based entities, even if they’re based outside the EU – including UK companies.
- Key requirements: Robust risk management, incident response protocols, secure supply chains, and business continuity plans.
- What’s at stake? Non-compliance could cost up to 10% of annual turnover. Senior managers may be held personally accountable.
- Next steps: Start with a risk assessment, review reporting protocols and staff training, and consider expert guidance from partners like ABB.
Staying cyber secure with NIS2: what you need to know
The NIS2 Directive is here, obligating EU organisations to establish a high common level of cyber protection and resilience for their network and information systems. Jason Newby, Advisory Services Global Portfolio Manager at ABB, explains the implications for the process industries – and what steps you can take to ensure compliance.
Every connected device in the Internet of Things presents a potential target to cyber criminals and opportunistic hackers – and the mission-critical electrical systems in your process plant are no exception.
There might typically be hundreds or thousands of networked entities in a modern industrial facility, including sensors, actuators, meters, motors, controllers and more. Under control of the plant’s automation and supervisory systems, every smart device is generating (and consuming) its own round-the-clock stream of data.
This torrent of information can be the enabler for a variety of process control, monitoring, safety and predictive maintenance applications. Equally, data may be consumed by higher-level IT applications hosted on site or, increasingly, in the cloud where AI-powered analytics can reveal deep insights into plant efficiency, sustainability and reliability that inform business decisions at board level.
More connected devices, more data, greater risks
More network-enabled devices produce lots more data. And every connected node – whether it’s a valve, a motor or an actuator – presents an additional point of weakness that can be probed and potentially exploited by bad actors whose motivations may be mischievous, financial or even political.
These cyber threats are compounded by the electrical infrastructure of a modern process plant, which is becoming progressively larger, more complex and harder to manage.
Brand-new equipment often shares floor or rack space with legacy elements that may no longer enjoy the original manufacturer’s support, missing all-important security patches and presenting yawning security vulnerabilities as a result.
What’s more, industrial plant owners’ operations may stretch across multiple sites at different physical locations, with facilities scattered across regions, countries or continents. The ability to aggregate control, monitoring and maintenance data from electrification systems across an operator’s entire estate is undeniably attractive. But the benefits offered by connectivity between remote sites must be balanced with a greater danger of critical systems and data being compromised.
The relentless ambition of cyber criminals puts every industrial organisation at risk. And when an attack on your connected electrical systems comes – as it surely will at some point – the consequences can be disruptive and very costly indeed.
A security breach that halts a process or an entire plant has an immediate impact on production and revenues.
But the wider implications can be equally serious, stretching from penalties imposed by regulators to a negative impact on brand reputation with customers and financial markets that can be hard for companies to shake off.
Strengthening Europe’s networked information systems
In response to the growing socioeconomic threats that cyber-attacks pose to European businesses and institutions, the EU has taken decisive action to ensure that organisations in both the private and public sectors take proper steps to strengthen the security of networked IT systems.
Fully implemented since October 2024, the NIS2 (Network and Information Security 2) Directive is a broad legislative framework updating the original NIS Directive that entered into force in 2016.
The goal of NIS2 is to establish and maintain a high common level of cybersecurity to protect critical infrastructure owners and digital service providers. To achieve this, it directs organisations to adopt a stronger risk management framework, with significantly tightened information security practices and measures.
NIS2 also mandates a robust framework for incident reporting that spans the content of reports, who they must be directed to, and timelines for the production and delivery of reports.
In the case of ‘significant’ incidents the bar is raised further still, with additional requirements for addressing cybersecurity risks that affect an organisation’s own ICT supply chains as well as those of its suppliers.
Another area that NIS2 puts under the microscope is business continuity in the event of major cyber incidents, dictating best practice for emergency procedures, system recovery and the establishment of crisis response teams to manage an incident.
Evaluating every organisation’s cyber responsibility
Compliance with NIS2 is mandatory for any entity within eighteen applicable categories that include energy, utilities, critical infrastructure and transportation as well as other critical areas like health.
A crucial differentiator from its predecessor is that the new Directive applies to any company throughout the world – regardless of its location – that provides services to other organisations which are themselves based within the EU.
NIS2 gives organisations plenty to think about, not least businesses operating in the process industries. Ensuring the cyber security of a complex web of connected devices and their associated electrical systems in even a modestly sized plant is no trivial task.
Ensuring that your organisation is fully compliant with NIS2 is more than just an inconvenience to daily business operations. With certain caveats, the Directive is relevant to medium-sized and larger organisations employing over 50 people or turning over more than €10 million annually.
It’s mandatory for any company conducting business within Europe, and crucially this includes organisations that don’t themselves have a physical presence within the footprint of the EU. Another change from NIS1 is tightened accountability – and greater potential penalties – in the event of an entity’s failure to meet the demands of the Directive.
Under NIS2 the costs of non-compliance can include fines stretching up to 10% of an organisation’s annual turnover. What’s more, it imposes the additional burden of personal accountability on individuals working at senior managerial levels.
Protecting your business interests with the right partner
There’s no one-size-fits-all solution for ensuring that your own organisation is NIS2 compliant. A good place to start is by conducting a comprehensive risk assessment, in line with the key stipulations of the Directive.
This process will help identify and prioritise likely cyber risks. It will also show where action may be required in areas such as incident response and reporting, recovery plans, staff training and corporate governance.
This is where organisations in the process industries can benefit from the advice, experience and practical resources of a suitable partner. As well as ensuring that your electrical systems – and wider ICT infrastructure – are NIS2 compliant, proper guidance can help you navigate successfully through an increasingly complex regulatory and legislative landscape that affects organisations with business interests both within and outside the EU.
An effective cyber security strategy isn’t just a legal obligation – it’s good for business too. And by engaging with an expert like ABB, NIS2 can be the starting point for a wider discussion about your critical electrical systems that pays dividends in other areas from energy efficiency and sustainability to employee safety.
Find out more about ABB’s suite of cyber security and other advisory services at www.abbnavigate.com
FAQs: NIS2 Compliance and Cyber Security in the Process Industries
What is the NIS2 Directive?
NIS2 (Network and Information Security 2) is an EU directive that mandates a high common level of cybersecurity across member states. It updates the original NIS Directive and applies to both public and private sector organisations that operate critical infrastructure or essential services.
When did NIS2 come into effect?
The NIS2 Directive came into full effect in October 2024, giving organisations a clear legal obligation to enhance the security of their networked information systems.
Who must comply with NIS2?
NIS2 applies to organisations in 18 critical sectors, including energy, utilities, manufacturing, transport, and healthcare. Any company doing business within the EU – regardless of its physical location – must comply if it provides services to EU-based entities and meets the size criteria.
Does NIS2 apply to companies outside the EU?
Yes. NIS2 has extra-territorial reach, meaning companies outside the EU that serve EU-based organisations must comply, even without a physical presence in Europe.
What are the penalties for non-compliance with NIS2?
Failure to comply with NIS2 can result in fines of up to 10% of an organisation’s annual turnover. Additionally, senior managers may face personal accountability for breaches.
What systems are at risk in the process industries?
Connected devices such as sensors, actuators, motors, controllers and other operational technology (OT) present attack surfaces for cyber criminals. These risks are compounded when legacy equipment remains unpatched and unsupported.
Why is NIS2 important for the process industry?
The process industry operates mission-critical infrastructure and often runs complex, interconnected systems. NIS2 helps protect these assets against increasingly sophisticated cyber threats that can disrupt production, damage brand reputation and lead to regulatory penalties.
What are the key requirements of NIS2?
Key obligations include:
- Implementing a robust risk management framework
- Enhancing incident detection and reporting
- Securing the ICT supply chain
- Ensuring business continuity planning
- Establishing crisis response teams
What size of organisation must comply with NIS2?
The Directive generally applies to medium and large organisations, defined as those with more than 50 employees or a turnover exceeding €10 million per year.
How can my organisation start its NIS2 compliance journey?
Start with a comprehensive risk assessment to identify potential cyber vulnerabilities. From there, develop or strengthen protocols for incident response, recovery planning, governance and staff training.
Can I manage NIS2 compliance internally?
While internal teams can begin the process, many organisations benefit from working with a cyber security partner. Experts like ABB offer advisory services to help you meet NIS2 requirements and improve your wider cyber resilience strategy.
How does NIS2 relate to operational technology (OT) security?
NIS2 addresses the security of networked and electrical systems in critical infrastructure. In process plants, this includes automation systems, connected devices and remote facilities, all of which must be secured against potential cyber threats.
Is NIS2 compliance just a legal requirement?
No. While it is a legal obligation, compliance with NIS2 also helps organisations improve business continuity, energy efficiency, sustainability and operational safety, making it a sound strategic investment.
Where can I learn more about cyber security services for NIS2?
Visit www.abbnavigate.com to explore ABB’s cyber security and advisory solutions tailored to the needs of the process industry.