

Prayukth K V
8 July 2025
How can European Manufacturers comply with NIS2 through IEC 62443
The manufacturing sector in Europe is at a critical juncture. Digital transformation offers immense opportunities for innovation and efficiency, but it has also opened new attack vectors and expanded the attack surface, leaving industrial operations increasingly exposed to cyber threats.
Against this backdrop, the European Union's Network and Information Security 2 (NIS2) Directive, which Member States were required to transpose by 17 October 2024 and which applies from 18 October 2024, and the International Electrotechnical Commission (IEC) 62443 series of standards present a significant opportunity. For European manufacturers, understanding and strategically aligning these two frameworks can make their operations resilient and future-proof.
What is NIS2 all about?
NIS2 represents a significant evolution from its predecessor, the 2016 NIS Directive, broadening its scope and tightening its requirements to address the escalating cyber threat landscape. It is designed to raise the overall level of cybersecurity across sectors, particularly for entities classified as "essential" or "important".
Manufacturing is now within its purview: Annex II lists manufacturers of medical devices, computer, electronic and optical products, electrical equipment, machinery and equipment, motor vehicles and other transport equipment, while the manufacture of chemicals appears in Annex I. NIS2 lays down a comprehensive set of obligations, moving beyond mere incident reporting to mandate a proactive and holistic approach to cybersecurity.
NIS2 covers these security requirements
· Robust Risk Management: Entities must implement appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of their network and information systems. Risk management should not stop at identifying risks: it must also treat them so that, if a risk does materialize, its impact stays well within acceptable limits.
· Prompt Incident Handling: Strict reporting obligations are a cornerstone of NIS2. Companies must have processes in place for swift detection, containment and recovery from cyber incidents. For a significant incident, an early warning must reach the national CSIRT or competent authority within 24 hours of becoming aware of it, followed by an incident notification within 72 hours and a final report within one month.
· Business Continuity and Crisis Management: Maintaining operational continuity in the face of a cyberattack is important. NIS2 requires entities to have robust business continuity plans, including backup management, disaster recovery capabilities, and crisis management procedures in place and tested.
· Supply Chain Security: Recognizing the interconnectedness of modern industrial ecosystems, NIS2 places a strong emphasis on securing the entire supply chain. Manufacturers are now responsible for assessing and managing the cybersecurity risks posed by their direct suppliers and service providers. This means scrutinizing the security posture of third-party vendors and ensuring they meet adequate security standards.
· Enhanced Governance and Accountability: Cybersecurity is no longer solely an IT department concern. NIS2 elevates cybersecurity to the boardroom, placing direct responsibility on senior management. Management bodies must approve their entity's cybersecurity risk-management measures, oversee their implementation and follow training themselves, and can be held liable for infringements; administrative fines can also be imposed on the entity.
· Basic Cyber Hygiene and Training: The directive mandates the implementation of basic cybersecurity hygiene practices, such as multi-factor authentication, secure communication, and regular cybersecurity training and awareness programs for employees. This aims to address human-centric vulnerabilities, often a primary entry point for cyberattacks.
· Vulnerability Handling and Disclosure: Entities must have policies and procedures for the acquisition, development, and maintenance of network and information systems, including robust vulnerability handling and disclosure processes.
NIS2 clearly articulates what European manufacturers must achieve and intentionally leaves flexibility in how they achieve it. This is where the IEC 62443 series emerges as an indispensable guide.
How can IEC 62443 be used for NIS2 compliance?
The IEC 62443 series of standards, developed by the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA), provides a comprehensive, systematic, and practical framework specifically tailored for securing Industrial Automation and Control Systems (IACS) and Operational Technology (OT) environments.
Unlike broader IT security frameworks, IEC 62443 is built around the unique characteristics of OT: real-time constraints, legacy equipment, long lifecycles, and the potential for physical harm from cyber incidents.
Key principles of importance from an ICS security perspective include:
· Clear ownership of security measures and interventions
· Clarity on a roadmap for improving security and maturity levels
· Risk-Based Approach: It emphasizes identifying, analyzing, and mitigating risks based on their potential impact and likelihood, allowing organizations to prioritize security investments effectively.
· Defense-in-Depth: The standard advocates for a layered security approach, deploying multiple security controls at different levels to protect critical assets and ensure resilience even if one control fails.
· Zones and Conduits: This model helps segment networks and systems into logical security zones with defined communication pathways (conduits), enabling granular control over data flow and limiting the blast radius of an attack.
· Secure Development Lifecycle: It provides guidance for product suppliers to integrate security considerations throughout the entire product development process, from design to end-of-life.
· Shared Responsibility: IEC 62443 acknowledges that cybersecurity is a collective responsibility involving asset owners, system integrators, and component suppliers, fostering collaboration across the industrial ecosystem.
· Security as a culture: It gives a detailed approach for embedding security into the operational framework of an organization.
· Measuring and addressing risk: A comprehensive IEC 62443-based risk assessment makes risk exposure measurable and lets it be brought down to a tolerable level.
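The zones-and-conduits model above is the one principle in this list that can be shown in working code. As an added, illustrative example that is not part of the original article or of any vendor tooling, the following Python script models zones with target security levels (SL-T) and conduits with an allow-list of protocols, then audits a handful of flow records against the model: a flow is allowed only if it stays inside one zone or traverses a defined conduit on a permitted protocol. The zone names, address ranges, protocols and the flow lines are all assumptions constructed for the example.

```python
"""Zone-and-conduit policy check in the spirit of IEC 62443-3-2 (illustrative)."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int                # SL-T, 1 (lowest) .. 4 (highest)
    networks: tuple               # CIDR blocks assigned to the zone


@dataclass(frozen=True)
class Conduit:
    src: str                      # source zone name
    dst: str                      # destination zone name
    allowed: frozenset            # {(proto, port)} permitted on this conduit


class ZoneModel:
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self._nets = [(ipaddress.ip_network(n), z.name) for z in zones for n in z.networks]
        self.conduits = {(c.src, c.dst): c for c in conduits}
        for src, dst in self.conduits:
            if src not in self.zones or dst not in self.zones:
                raise ValueError(f"conduit {src}->{dst} references an undefined zone")

    def zone_of(self, ip):
        """Return the zone an address belongs to, or None if it is not in any zone."""
        addr = ipaddress.ip_address(ip)
        for net, name in self._nets:
            if addr in net:
                return name
        return None

    def evaluate(self, src, dst, proto, dport):
        """Decide one flow. Anything not explicitly modelled is denied (default deny)."""
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz is None or dz is None:
            return "deny", "unassigned-asset"          # asset inventory gap
        if sz == dz:
            return "allow", "intra-zone"
        conduit = self.conduits.get((sz, dz))
        if conduit is None:
            return "deny", "no-conduit"                # zone boundary with no conduit
        if (proto, dport) not in conduit.allowed:
            return "deny", "protocol-not-in-conduit"   # conduit exists, protocol does not
        return "allow", "conduit"

    def conduit_targets(self):
        """SL-T each conduit must achieve: the higher of the two zones it connects."""
        return {(c.src, c.dst): max(self.zones[c.src].target_sl, self.zones[c.dst].target_sl)
                for c in self.conduits.values()}


# Constructed model: hypothetical plant with four zones and three one-way conduits.
MODEL = ZoneModel(
    zones=[
        Zone("enterprise", 1, ("10.10.0.0/16",)),
        Zone("dmz",        2, ("10.20.0.0/24",)),
        Zone("control",    3, ("192.168.10.0/24",)),
        Zone("safety",     4, ("192.168.20.0/24",)),
    ],
    conduits=[
        Conduit("enterprise", "dmz",     frozenset({("tcp", 443)})),    # historian web access
        Conduit("dmz",        "control", frozenset({("tcp", 4840)})),   # OPC UA polling
        Conduit("control",    "safety",  frozenset({("tcp", 502)})),    # Modbus read-only
    ],
)

FLOW_RE = re.compile(r"^(\S+) -> (\S+) (tcp|udp)/(\d+)$")

# Constructed flow records in a simple "src -> dst proto/port" form.
SAMPLE_FLOWS = [
    "10.10.5.5 -> 10.20.0.10 tcp/443",         # enterprise -> dmz over the conduit
    "10.10.5.5 -> 192.168.10.20 tcp/502",      # enterprise straight into control: no conduit
    "10.20.0.10 -> 192.168.10.20 tcp/4840",    # dmz -> control on the permitted protocol
    "10.20.0.10 -> 192.168.10.20 tcp/3389",    # RDP on a conduit that only allows OPC UA
    "192.168.10.20 -> 192.168.10.21 tcp/44818",  # PLC to PLC inside the control zone
    "172.16.0.9 -> 192.168.20.5 tcp/502",      # source not in any zone: inventory gap
]


def audit_flows(model, lines):
    """Return (line, verdict, reason) for each flow record; unparseable lines are denied."""
    results = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            results.append((line, "deny", "unparseable"))
            continue
        src, dst, proto, port = m.groups()
        verdict, reason = model.evaluate(src, dst, proto, int(port))
        results.append((line, verdict, reason))
    return results


if __name__ == "__main__":
    for line, verdict, reason in audit_flows(MODEL, SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:24} {line}")
    for (src, dst), sl in MODEL.conduit_targets().items():
        print(f"conduit {src}->{dst} must be protected to SL-T {sl}")
```

Two design points matter more than the code itself. First, the default is deny: an address that is in no zone is an asset-inventory gap, and a zone boundary without a conduit is a missing design decision, so both are reported rather than silently allowed. Second, conduit_targets() makes explicit that a conduit inherits the target security level of the higher-SL zone it touches, which is why a firewall or data diode on the dmz-to-control path has to be engineered to SL-T 3, not to the SL-T 2 of the DMZ it sits in front of.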
The alignment between NIS2 and IEC 62443 is synergistic. NIS2 provides a legal impetus and the broad strokes of regulatory obligation, while IEC 62443 offers the detailed, industry-specific framework to effectively implement those obligations within the complex world of industrial operations.
For European manufacturers, integrating IEC 62443 practices directly translates into a concrete, demonstrable pathway to NIS2 compliance.
Let's examine how the different aspects of IEC 62443 directly support NIS2 requirements:
Risk Management (NIS2 Article 21(2)(a)):
· NIS2 mandates robust risk assessments. IEC 62443-2-1 (Establishing an IACS Security Program) and IEC 62443-3-2 (Security Risk Assessment for System Design) provide detailed methodologies for conducting risk assessments tailored to IACS environments. These standards guide manufacturers in identifying critical assets, assessing threats and vulnerabilities, and determining appropriate security levels to mitigate risks. This structured approach ensures that the risk management process is systematic, repeatable, and effective, directly fulfilling NIS2's foundational requirement. Note that the IEC 62443-2-1 clause numbers cited below refer to the 2010 edition; the 2024 edition restructures the standard, so map the references accordingly if you work from the newer text.
Incident Handling (NIS2 Article 21(2)(b)):
· NIS2 demands swift incident detection, response, and reporting. IEC 62443-2-1 addresses Incident Planning and Response (Clause 4.3.4.5), outlining processes for incident identification, analysis, containment, eradication, recovery, and post-incident review. Implementing these procedures, including establishing clear communication channels and defined roles, prepares manufacturers to meet NIS2's stringent reporting deadlines and recovery expectations.
Business Continuity, Backup Management, Disaster Recovery, and Crisis Management (NIS2 Article 21(2)(c)):
· NIS2 prioritizes operational resilience. IEC 62443-2-1's Business Continuity Plan (Clause 4.3.2.5) directly supports this by providing guidance on developing and implementing strategies to maintain essential IACS operations during and after cyber incidents. This includes defining backup strategies, recovery procedures, and establishing crisis management teams, ensuring that production capabilities are restored swiftly and safely.
Supply Chain Security (NIS2 Article 21(2)(d)):
· NIS2 places significant emphasis on the security of the supply chain. IEC 62443 offers critical tools here:
· IEC 62443-2-4 (Security Program Requirements for IACS Service Providers): Defines security requirements for third-party service providers, allowing manufacturers to vet their integrators, maintenance providers, and cloud service providers against a recognized standard.
· IEC 62443-4-1 (Secure Product Development Lifecycle Requirements): Specifies processes for product suppliers to integrate security throughout the development of components used in industrial systems. This allows manufacturers to demand "security by design" from their vendors.
· IEC 62443-4-2 (Technical Security Requirements for IACS Components): Details the technical security features that components should possess, enabling manufacturers to verify the security posture of the hardware and software they integrate into their OT environments. By demanding adherence to these standards from their suppliers, manufacturers can build a more secure supply chain, addressing a key NIS2 concern.
Security in Network and Information Systems Acquisition, Development, and Maintenance (NIS2 Article 21(2)(e)):
· NIS2 requires security to be embedded throughout the lifecycle of systems. IEC 62443-2-1's sections on System Development and Maintenance (4.3.4.3), and vulnerability handling and disclosure are directly applicable. Furthermore, IEC 62443-4-1 (Secure Development Lifecycle) and IEC 62443-4-2 (Technical Security Requirements for Components) provide the granular detail for ensuring that all acquired, developed, and maintained systems and components are inherently secure, including robust vulnerability management processes.
Policies and Procedures for Evaluating the Effectiveness of Cybersecurity Risk Management Measures (NIS2 Article 21(2)(f)):
· Both frameworks emphasize continuous improvement. IEC 62443-2-1 includes requirements for Review, Improve and Maintain the Cybersecurity Management System (Clause 4.4.3), which involves regular audits, vulnerability testing (e.g., penetration testing), and performance monitoring to ensure that security controls remain effective against evolving threats. This aligns perfectly with NIS2's demand for ongoing evaluation.
Cybersecurity Hygiene and Training (NIS2 Article 21(2)(g)):
· NIS2 stresses the human element of cybersecurity. IEC 62443-2-1's Staff Training and Security Awareness (Clause 4.3.2.4), together with Organizing for Security (Clause 4.3.2.3), requires that personnel involved with IACS operations are adequately trained in cybersecurity practices relevant to their roles. This directly supports NIS2's mandate for basic cyber hygiene and regular training.
Access Control and Asset Management (NIS2 Article 21(2)(i)):
· IEC 62443-3-3 (System Security Requirements and Security Levels) provides detailed requirements for access control, including strong authentication mechanisms, role-based access control, and the principle of least privilege, which align with NIS2's expectation for robust access management. The zone and conduit model of IEC 62443-3-2 starts from an asset inventory, so applying it forces comprehensive asset identification and keeps that inventory tied to the segmentation of the industrial environment.
The Use of Multi-Factor Authentication, Secured Communications, and Secured Emergency Communications (NIS2 Article 21(2)(j)):
· IEC 62443-3-3 and IEC 62443-4-2 detail technical requirements for secure communication, including integrity and confidentiality protection with appropriate cryptography, and for multi-factor authentication of human users of the IACS. These specific technical controls directly enable compliance with NIS2's authentication and secure communication mandates, and the same cryptography requirements support the policy on cryptography and encryption called for in Article 21(2)(h).
Beyond Compliance: Unlocking Strategic Advantages
While NIS2 compliance is a legal imperative, leveraging IEC 62443 to achieve it offers European manufacturers a wealth of strategic benefits that extend far beyond avoiding penalties:
· Enhanced Operational Resilience and Uptime: By systematically identifying and mitigating OT cybersecurity risks, manufacturers can significantly reduce the likelihood and impact of cyber incidents, leading to fewer unplanned downtimes, consistent production, and improved overall operational efficiency.
· Reduced Safety Risks: Cybersecurity in OT is inextricably linked to physical safety. By adhering to IEC 62443, manufacturers can prevent cyberattacks from leading to equipment malfunctions, environmental damage, or harm to personnel.
· Improved Trust and Reputation: Demonstrating a robust cybersecurity posture through adherence to globally recognized standards like IEC 62443 can enhance trust with customers, partners, and regulators. This can open doors to new contracts and collaborations, particularly in sensitive sectors.
· Cost Optimization: A structured, risk-based approach to cybersecurity, as championed by IEC 62443, allows for targeted investments, preventing wasteful spending on ineffective controls. Proactive security measures are also typically less expensive than reactive incident response and recovery.
· Competitive Differentiation: In an increasingly security-conscious market, manufacturers who can demonstrably prove their adherence to rigorous cybersecurity standards will gain a significant competitive edge, especially when tendering for contracts involving critical infrastructure.
· Streamlined Audits and Assessments: Having a well-documented Cybersecurity Management System (CSMS) based on IEC 62443 provides a clear framework for demonstrating compliance during NIS2 audits and regulatory assessments, making the process smoother and more efficient.
· Future-Proofing Cybersecurity Investments: Both NIS2 and IEC 62443 are designed to be adaptable to evolving threats and technologies. By building a cybersecurity program founded on these principles, manufacturers are better positioned to respond to future challenges and regulatory changes.
The Road Ahead: A Call to Action for European Manufacturers
The 17 October 2024 deadline for NIS2 transposition into national laws has passed and the directive applies from 18 October 2024. Several Member States transposed it late, so the exact national rules, registration duties and supervisory authorities vary by country, but manufacturers covered by NIS2, particularly those in critical sectors, must not delay their compliance efforts while waiting for that picture to settle.
What does a NIS2-aligned IEC 62443 compliance roadmap look like?
Achieving NIS2 compliance through IEC 62443 involves several key steps:
· Scope Assessment: Determine if your organization and specific industrial assets fall within the scope of NIS2 as an "essential" or "important" entity. Understand which national authorities will be responsible for oversight.
· Gap Analysis: Conduct a comprehensive assessment of your existing IT and OT cybersecurity posture against both NIS2 requirements and the relevant parts of the IEC 62443 series (e.g., IEC 62443-2-1 for your CSMS, IEC 62443-3-3 for system security, IEC 62443-4-1 for product development). Identify areas where gaps exist.
· Risk Assessment: Perform a thorough risk assessment for your IACS environments, as guided by IEC 62443-3-2, to identify critical assets, potential threats, and vulnerabilities. This will inform the prioritization of your security measures.
· Develop a Strategic Roadmap: Based on the gap analysis and risk assessment, create a detailed cybersecurity roadmap. This should outline specific projects, timelines, resource allocation, and key performance indicators for implementing the necessary technical and organizational measures derived from IEC 62443 to meet NIS2 obligations.
· Implement a CSMS: Establish or mature your IACS Cybersecurity Management System (CSMS) in accordance with IEC 62443-2-1. This is the overarching framework that will govern your industrial cybersecurity efforts.
· Secure the Supply Chain: Work proactively with your direct suppliers and service providers. Communicate NIS2 requirements and encourage or mandate their adherence to relevant IEC 62443 standards (e.g., IEC 62443-2-4, IEC 62443-4-1).
· Invest in Training and Awareness: Implement ongoing cybersecurity training programs for all employees, from the shop floor to the boardroom, emphasizing the importance of basic cyber hygiene and incident reporting.
· Continuous Monitoring and Improvement: Cybersecurity is not a one-time project. Establish mechanisms for continuous monitoring of your IACS, regular security audits, vulnerability testing, and periodic reviews of your CSMS to ensure ongoing effectiveness and adaptation to the evolving threat landscape.
By embracing the synergistic power of IEC 62443 and NIS2, European manufacturers can transform regulatory compliance from a daunting task into a strategic initiative. This dual-pronged approach will not only secure critical industrial operations against the escalating tide of cyber threats but also reinforce Europe's position as a hub of resilient, secure, and technologically advanced manufacturing.
