Cybersecurity for manufacturing companies: Countdown for the implementation of the EU directive NIS2 is running
The risk of cyberattacks increases with the degree of digitalization. The number of entry points is growing, and hackers know how to exploit them: phishing emails are becoming more professional, and ransomware attacks are increasing. Many companies are aware of the problem, but preparation for IT attacks is often not given the necessary priority. This is also evidenced by the current Cisco Cybersecurity Readiness Index 2023. In almost all countries in Europe, fewer than 10% of companies are considered mature enough to deal with today's cybersecurity problems. The best values were recorded by the UK, with a Readiness Index of 11%, and Germany, with 17%. In plain English, this means that around 90% of European organizations are not sufficiently armed against attacks.
Cybersecurity in the focus of the EU
The European Commission already responded to the threat situation in 2016 by issuing the NIS1 (Network and Information Security) Directive, which required advanced security measures against cyberattacks. This covered critical infrastructures such as energy, water, finance and health, as well as digital service providers in the EU. Now, new regulations are intended to further strengthen the resilience of organizations against cyberattacks. Manufacturing companies are also in the spotlight. For example, the new EU Machinery Regulation (EU) No. 2023/1230 contains cybersecurity requirements for the first time. The regulation is valid in all EU countries and is to be applied from January 20, 2027.
New NIS2 directive also affects manufacturing companies
The new NIS2 directive is particularly relevant for many manufacturing companies. It came into force at the beginning of 2023 and must be implemented in national law by October 2024. NIS2 affects significantly more sectors than NIS1, so more companies fall within its scope. The regulation addresses all sectors in which a failure poses a risk to public safety or health or poses systematic risks. In addition to "essential entities" such as water supply or healthcare organizations, this now includes "major entities" such as chemical, food, medical device, engineering, computer, electronics and automotive manufacturers. They will all be required to implement appropriate security measures and report security incidents. Companies where NIS2 will take effect in the future must keep the following aspects in mind, among others:
Strict reporting requirements: To reduce response time to cyberattacks, they must be reported to the competent national authority within 24 hours of becoming known. The affected institution must submit a final report no later than one month after the attack.
Cybersecurity becomes a management issue: Serious violations or infringements of NIS2 are subject to severe sanctions: Member states can impose fines of up to 10 million euros or 2% of annual global turnover. In addition, management bodies such as leadership teams can be held personally liable for violations.
Strengthened Risk Management: NIS2 strengthens cybersecurity and risk management requirements. Article 21 requires essential and key entities to implement sound systems, policies and best practices covering a broad range of cybersecurity measures and disciplines. Article 21(2) provides a list of measures that must be implemented. These include:
- Concepts related to risk analysis and security for information systems.
- Continuity of operations, such as backup management, disaster recovery and crisis management.
- Concepts and procedures for evaluating the effectiveness of cybersecurity risk management measures.
- Basic cyber hygiene practices, e.g., zero-trust principles, software updates, device configuration, network segmentation, identity and access management.
- Concepts and procedures for the use of cryptography and, where appropriate, encryption.
- Personnel security, access control concepts and management of facilities.
- Use of multi-factor authentication or continuous authentication solutions.
ELATEC: Advanced authentication solutions for NIS2 implementation
Authentication and access control solutions play a crucial role in the implementation of NIS2 in accordance with the catalog of measures in Article 21. Implementing a solution that regulates authentication, access and entry in accordance with the new directive requires a high level of expertise. As a specialist in authentication solutions based on Radio-Frequency Identification (RFID), Bluetooth® Low Energy (BLE) and Near-Field Communication (NFC) technologies, ELATEC can accompany organizations across all implementation phases.
This is how ELATEC supports the implementation:
Security: ELATEC readers support advanced encryption that meets the requirements of companies subject to NIS2 and can be used as part of a multi-factor security concept. Together with our partners, we develop the entire security concept, including encryption methods and tamper-resistant reader installation. The ability to perform regular remote updates and upgrades ensures that the solution is always up to date with the latest technology and security patches. In addition, our software development kit, which allows readers to be customized, ensures the highest security standards: it offers the possibility of using our TWN4 readers with an advanced cryptography method, elliptic-curve cryptography (ECC).
Compatibility: Compatibility with a wide range of badge formats ensures seamless integration with existing systems.
Scalability and adaptability: If requirements or specifications change, the solutions can be easily expanded or adapted.
The member states have until October 2024 to transpose the requirements into national law. Companies subject to NIS2 are therefore well advised to start implementing the necessary measures in good time.