In this interview with Tomomi Aoyama, Head of Product and Co-founder at Omny, sheds light on the evolving landscape of cybersecurity regulations in Europe and how industrial organizations can prepare for the EU's recently released NIS2 Directive.
Q: How has the cybersecurity landscape in Europe evolved over the last decade, especially in the context of protecting critical infrastructure from cyber-attack?
Tomomi: If we look back more than a decade ago, Europe had more of a self-regulatory approach to cybersecurity related to critical infrastructure, meaning it was reliant on the asset owners’ effort. However, as the threat levels escalated, the limitations of individual efforts became evident. This led to a shift towards more control by public regulators. In 2016, NIS1 was introduced as a first step towards regulated protection of ‘essential services’ in the EU. And now in 2023, its successor, NIS2, has entered force.
Q: What’s the difference between NIS1 and NIS2?
Tomomi: NIS1 focused on protecting a small set of critical infrastructure in EU member states. It was the beginning of a more controlled approach to the prevention and mitigation of cyber risks in essential services, from telecommunications to electricity. Now with NIS2, the scope has expanded. The requirements are greater, and the directive casts a wider net in terms of the organizations to which it applies. NIS2 also includes smaller companies (50+ employees) and a wider range of industries, including manufacturing, waste management and chemical companies.
Q: How will NIS2 impact industrial organizations in Europe?
Tomomi: Even though it will take several months for NIS2 to be adopted into national legislation among EU member states, it’s important for the asset owners to understand what’s coming and begin to take action. Compliance with NIS2 will require organizations to adopt a risk management approach in cybersecurity strategy, while also enforcing their incident reporting obligations. It’s a process that will require investment and education for the whole organization.
Q: What’s the ultimate goal of the NIS2 directive?
Tomomi: The intention of NIS2 is not to burden businesses with more paperwork, but rather to help all organizations that own and operate critical services to maintain basic cybersecurity hygiene. It encourages these companies to understand their baseline, invest wisely in protective measures, and avoid chasing after ‘shiny’ solutions.
Q: What should an organization do to get started on their NIS2 compliance journey?
Tomomi: My advice is for asset owners to begin with a gap assessment. Seek support if they are unsure of where to start. It’s also important to educate the leadership on their responsibility and gain support from them. Showing the financial impact of an attack can help ensure that everyone is on the same page and ready to invest in preparedness.
Q: How can organizations on an NIS2 compliance journey leverage Omny’s expertise?
Tomomi: Omny offers a unique perspective on achieving compliance. Instead of viewing NIS2 requirements as the goals, we recognize them as the key elements of an organization's journey towards cyber resilience. NIS2 is fundamentally about managing cyber risk effectively, and we empower companies to confidently validate the protection of their mission critical systems and the return on their security investments. We specialize in industries such as energy, manufacturing, and transportation, and we work with companies in these domains to help them meet their security maturity target by achieving compliance, analyzing cyber risks and measuring the effectiveness of their cybersecurity programs.
What to learn more about how Omny can help with your compliancy journey? Talk to a member of our team but clicking the link below.
