Introduction

The European Union’s leading security agency, ENISA [5], has identified significant challenges faced by six critical infrastructure sectors in complying with the NIS2 directive, which was enacted in January 2023. This directive establishes new baseline cybersecurity requirements to address escalating threats, aiming to enhance sector maturity and resilience across the EU [5].

Description

The NIS2 directive mandates that both public and private entities with tax residency in Spain or operating from another EU member state integrate cybersecurity regulations into their operations. The directive emphasizes collaboration within and between sectors and the development of tailored guidance for specific NIS2 requirements. The sectors encountering difficulties include:

  • IT Service Management: The cross-border nature and diversity of entities complicate supervision and collaboration.
  • Space: Limited cybersecurity knowledge and reliance on commercial off-the-shelf components pose significant challenges.
  • Public Administrations: A lack of support and experience compared to more mature sectors affects their ability to implement necessary cybersecurity measures.
  • Maritime: Operational technology-related challenges necessitate customized cybersecurity risk management guidance.
  • Health: Complex supply chains, legacy systems [3] [4], and poorly secured medical devices increase vulnerability to cyber threats.
  • Gas: There is a need to enhance incident readiness and response capabilities to better protect against potential attacks.

Additionally, the digital infrastructure sector, which includes critical services such as internet exchanges, top-level domains, data centers, and cloud services [3] [4], is noted to be below the required maturity level [4]. This sector faces varied challenges in supervision and collaboration due to its cross-border nature [5].

ENISA is working with EU Member States to implement the NIS2 directive by providing expertise and guidance [3] [4]. It is also tasked with preparing a biennial report on the state of cybersecurity in the Union [5], focusing on the impact of the NIS2 Directive on cybersecurity investments and overall sector maturity [5].

In Spain [1], the National Cybersecurity Center oversees all cybersecurity initiatives and is responsible for developing the National Cybersecurity Strategy. This includes compiling a list of essential cybersecurity entities by April 17, 2025 [1]. Organizations are required to implement technical and operational measures to effectively manage cybersecurity risks [1], and companies may have the option to self-register under this framework [1]. There is a consensus among ministers to develop a common financing policy and identify priority investment areas [2], particularly focusing on the protection of critical infrastructure and the establishment of national cybersecurity incident response centers [2].

Key recommendations from ENISA include enhancing cooperation among sectors, developing sector-specific guidance [5], and improving incident response capabilities to bolster cybersecurity resilience across the EU. This reflects the commitment of EU Member States to create a shared and resilient digital space [2].

Conclusion

The implementation of the NIS2 directive is crucial for strengthening the cybersecurity posture of critical infrastructure sectors across the EU. By addressing the identified challenges and enhancing collaboration, the directive aims to mitigate risks and improve resilience. The ongoing efforts by ENISA and national bodies, such as Spain’s National Cybersecurity Center, are vital in ensuring that sectors can effectively manage cybersecurity threats. The future implications of these initiatives include a more secure digital environment and increased investment in cybersecurity measures, ultimately contributing to the EU’s goal of a unified and robust digital space.

References

[1] https://identityweek.net/nis2-directive-enters-into-law/
[2] https://polish-presidency.consilium.europa.eu/en/news/warsaw-call-declaration-adopted-at-the-informal-tte-telecom-council-on-cybersecurity/
[3] https://ciso2ciso.com/six-critical-infrastructure-sectors-failing-on-nis2-compliance-source-www-infosecurity-magazine-com/
[4] https://www.infosecurity-magazine.com/news/critical-infrastructure-sectors/
[5] https://www.enisa.europa.eu/news/enisa-nis360-2024-report