Leverage IEC 62443 for EU NIS2 Directive compliance

Article by Gennady Kreukniet, Senior OT Security Consultant Applied Risk, a DNV company.


Earlier this year, the European Union enforced its NIS2 Directive to respond to the growing threats posed by digitalization and the surge in cyber-attacks as well as to improve the cyber security capabilities of its member states and their critical infrastructure in the long run. It covers multiple areas such as incident response, security of supply chains and leadership accountability. The directive describes what needs to be achieved, although it doesn’t prescribe how one must achieve it targets. For critical infrastructure in the operational technology space, IEC 62443 set of standards helps asset owners to implement the right set of controls to secure their operations. This article will help you to map the NIS2 requirements against IEC 62443 security requirements.

NIS2 compliance is not directly enforced by the European directive but through national laws, which are transposed from the directive. This means that until national authorities have created national laws and requirements, we must work with the guidance from the directive. The directive is written for all 27 member states and, therefore the language is kept high-level to be applicable in all situations. This means that we get many questions from asset owners and operators on how to implement the NIS2 Directive and how it relates to international standards.

IEC 62443 is a set of security standards that are dedicated and/or applicable to asset owners and operators to safeguard industrial automation and control systems. These standards offer a robust framework, which covers the topics of risk assessment, security policies, network architecture, access control, incident response, and security testing. The most relevant IEC 62443 standard for the EU NIS Directive is IEC 62443-2-1 security program requirements for IACS asset owners. This standard provides guidelines for establishing a systematic approach to maintain industrial automation and control systems. This includes aspects such as risk assessment, policies, security measures and a review mechanism to safeguard critical infrastructure from cyber-attacks.

Looking at IEC 62443, we can see a lot of guidance for implementing cyber security risk-management measures that NIS2 requires.

EU NIS2 Directive Article 21.2: IEC62443-2-1

EU NIS2 Directive Article 21.2:

a. Policies on risk analysis and information system security

IEC62443-2-1

4.3.2.3 Organizing for security
4.3.2.6 Security policies and procedures
4.4.3 Review, improve and maintain the CSMS.

EU NIS2 Directive Article 21.2:

b. Incident handling

IEC62443-2-1

4.3.4.5 Incident planning and response

EU NIS2 Directive Article 21.2:

c. Business continuity, such as backup management and disaster recovery, and crisis management

IEC62443-2-1

4.3.2.5 Business continuity plan
4.3.4.5 Incident planning and response

EU NIS2 Directive Article 21.2:

d. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

IEC62443-2-1

4.3.2.2 CSMS scope
4.3.2.3 Organizing for security
4.3.4.3 System development and maintenance
4.4.3 Review, improve and maintain the CSMS

*Also use IEC62443-2-4 Security program requirements for IACS service providers

EU NIS2 Directive Article 21.2:

e. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

IEC62443-2-1

4.2.3 Risk identification, classification and assessment
4.3.3.4 Network segmentation
4.3.4.3 System development and maintenance

EU NIS2 Directive Article 21.2:

f. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

IEC62443-2-1

4.3.2.6 Security policies and procedures
4.2.3 Risk identification, classification and assessment
4.4.2 Conformance
4.4.3 Review, improve, and maintain the CSMS

EU NIS2 Directive Article 21.2:

g. Basic cyber hygiene practices and cybersecurity training

IEC62443-2-1

4.3.2.4 Staff training and security awareness

*IEC62443-2-4 SP 01.01-03 Solution Staffing - Training

EU NIS2 Directive Article 21.2:

h. Policies and procedures regarding the use of cryptography and, where appropriate, encryption

IEC62443-2-1

4.3.4.3 System development and maintenance

EU NIS2 Directive Article 21.2:

i. Human resources security, access control policies and asset management

IEC62443-2-1

4.3.2.4 Staff training and security awareness
4.3.3.2 Personnel security
4.3.3.5 Access control – account administration
4.3.3.6 Access control – authentication
4.3.3.7 Access control – authorization
4.3.4.4 Information and documentation management

EU NIS2 Directive Article 21.2:

j.  The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

IEC62443-2-1

4.3.2.5 Business continuity plan
4.3.3.5 Access control – account administration


4.3.3.6 Access control - authentication


National laws will be in effect by October 2024, meaning that you have a little over a year from now to develop a cybersecurity roadmap wherein you:

  • discover what you already have in place,
  • assess the risks of your systems and processes,
  • act on the security gaps, and
  • sustain your cyber security management system as business-as-usual.

We are aware that there are more articles described in the directive, those are either for member states and the competent authorities to implement or too detailed for this article.

If you would like more advice on how to further implement those requirements and have more mappings to other international industry standards that your organization may be familiar with, don’t hesitate to reach out to the specialist industrial cyber security teams at DNV and Applied Risk, a DNV company. You can contact us here: www.dnv.com/cybersecurity/contact.