NIS2 Compliance: It's never too late to get started

Jun 19, 2025, Hi-network.com

As of June 2025, only 9 countries in the European Union (EU) have transposed the NIS2 Directive into national law. These countries include Croatia, Hungary, Belgium, Italy, Latvia, Greece, Lithuania, Romania, and Slovakia. Several other countries are in advanced stages with draft laws being actively discussed in parliaments. However, that leaves a large majority of EU countries still not enforcing the NIS2 cybersecurity regulation!

What is NIS2?

On October 17, 2024, critical organizations operating in the EU were expected to comply with the updated version of the Network and Information Security directive. NIS2 elevates the stakes with stricter cybersecurity requirements, incident reporting guidelines, and significant financial penalties for non-compliance. NIS2 makes compliance mandatory for all organizations with revenues over €10 million active in various sectors such as energy, transportation, manufacturing, and more. So, you're probably concerned.

You might be one of the organizations in the EU still waiting for the directive to be transposed to see exactly what you need to implement. But many of the NIS2 measures are simply cybersecurity best practices that any organization should implement regardless of any regulation. By complying with NIS2, you can improve your organization's cyber resilience, better protect employees, and help to ensure uptime of your operations.

Compliance is the key to success

Although securing operational technology (OT) and industrial networks has become top of mind, IT and CISO teams are just starting to make it a priority and often lack the visibility and control required to comply with NIS2 for both their IT and OT networks. Maybe you've looked at NIS2 for the enterprise networks, but you should consider these few steps to make your industrial operations comply as well:

  1. Drive cyber hygiene in your industrial operations by using Cisco Cyber Vision to automatically build a detailed inventory of all connected assets and their communication patterns so you can assess your security posture and define your OT security strategy.
  2. Improve vulnerability management by using risk scores calculated by Cyber Vision to prioritize actions and areas of your industrial infrastructure to secure first.
  3. Minimize risk from OT suppliers and service providers. Use Cyber Vision to identify unmanaged remote access gateways and build a plan to replace them with a zero-trust remote access solution made for OT such as Cisco Secure Equipment Access (SEA).
  4. Prevent and minimize the impact of incidents by implementing zone segmentation as recommended by the ISA/IEC-62443 industrial security standard. Work with the line of business to create virtual segments in Cyber Vision by grouping assets. This information is automatically used by Cisco ISE and/or Cisco Secure Firewalls to enforce zero-trust access control in the industrial network.
  5. Ensure you can detect and report incidents. Cyber Vision can detect intrusion, malicious activities and abnormal behaviors in the industrial network. All these events can be sent to Splunk to be correlated with those from Cisco Secure Firewall and other security tools. Now you have one repository to run advanced investigations and report comprehensive information as required by NIS2.

As you're accelerating your industrial digitization efforts, you're also expanding the attack surface. NIS2 is designed to ensure your organization and your nation become cyber-resilient. Regardless of when this regulation will be effectively enforced in your country, you can start implementing best practices and ensure your industrial operations are properly protected. Don't wait. Act now.

To learn more about what industrial organizations should implement to secure operations and how Cisco can help with your NIS2 compliance journey, check out these resources:

  • 4 Steps to Prepare your OT for NIS2
  • NIS2 Compliance for Industrial Operations Solution Overview
  • NIS2 Compliance for Industries White Paper
