Skip to Main Content

Back to all Resources

Navigating NIS2 Directive: Key Takeaways from Articles 21 & 23 for European Utilities

Path to Robust Compliance: The Value of Continuous Monitoring, Enforcement and Ongoing Risk Assessment

In our previous blog, we introduced the significance of the NIS2 Directive for European utility providers. NIS2 sets comprehensive cybersecurity obligations for Entities, focusing on strengthening the resilience of critical infrastructure. Articles 21 and 23 of the Directive focused on cybersecurity risk management and reporting obligations. They encapsulate the essence of strong cybersecurity and responsive incident management. European utility providers can leverage these mandates to not only meet compliance but fortify their operations against a rapidly evolving cyber threat landscape.

 

 

Let’s look at each of these articles in detail and explore effective ways to navigate them to enable your organization to build robust defenses, streamline incident management, and maintain continuous monitoring—all essential for cellular IoT systems to remain secure and compliant.

 

Article 21: The Core of Security Measures and Risk Management

Ensure that entities implement comprehensive security measures and critical network systems.

1. Conduct Risk Assessments and Enforce Strong Security Policies: Regular risk assessments are emphasized, ensuring potential vulnerabilities are identified and mitigated. Aligning internal policies to address emerging risks strengthens an organization’s defense posture.

  • Advocate an “always-on” risk management approach that enables continuous protection against cellular IoT security risks and safeguards against potential disruptions that could impact services, revenue, or customer trust.
  • Enable continuous monitoring and enforcement to ensure that critical infrastructure and cellular IoT devices are proactively protected and compliant. Regular risk assessment reports with actionable recommendations prevent vulnerabilities from being overlooked, ensuring a proactive approach to cybersecurity.

2. Evaluate and Improve the Effectiveness of Cybersecurity Measures: Constantly assess your security strategies to adapt to the evolving threat landscape including periodic reviews, audits, and updates to your cybersecurity protocols.

  • Use an “all hazards approach” that supports automated risk assessments and zero trust policies enforcement ensuring robust security resilience across all of your cellular IoT devices.
  • Fast, automated behavioral-based detection and enforcement of unapproved activities significantly reduces downtime and damage from cyberattacks, providing historical data for incident forensics while improving operational reliability.

3. Use Multi-factor Authentication and Data Encryption: Multi-layered access control and encryption policies are mandated to protect sensitive data and bolster system access security.

  • Monitor for unencrypted data transmission to protect your sensitive information and infrastructure from threats, maintaining data integrity and trust in service operations.
  • Multi-factor authentication (MFA) adds a critical layer of security, reducing unauthorized access risks, enhancing overall system protection.

4. Strengthen Supply Chain Security: Assessment of third-party suppliers is critical to ensure they meet the same security standards, mitigating any supply chain vulnerabilities.

  • Incorporate safeguards that mitigate the impact of supply chain attacks and provide compensating controls through Zero Trust, protecting interconnected systems, limiting the potential damage from unauthorized actors.

 

 

Article 23: Elevating Incident Management and Reporting

Effective incident response and timely reporting is pivotal for minimizing the impact of cyber incidents.
1. Develop and Execute Incident Response Plans: Detailed plans are essential for responding effectively to security breaches.

  • Identify anomalies in data transmission that signal potential operational disruptions or breaches. Detecting anomalies in real-time minimizes impact, ensuring regulatory compliance proof, while supporting quicker recovery and transparency during cybersecurity incidents.
  • Report incidents within 24 hours for prompt intervention. Use a solution with advanced visibility and detection that understands your cellular IoT devices and their interactions, logging all activity to help comply with regulatory timelines and demonstrate due diligence.
  • Enable regular updates post-incident to assist in ongoing incident updates and real-time risk management with detailed metrics to maintain transparency and ensures that key stakeholders, including regulatory bodies, are informed of the evolving situation.

2. Maintain Data Access Policies and Asset Inventories: For effective incident reporting, maintain accurate records of assets and data access protocols.

  • Support comprehensive incident status reports, requiring asset tracking and data access clarity. Store data, aiding in comprehensive incident and status reports to regulators, showing accountability and resolution.
  • Generate regular risk reports with actionable recommendations to prevent vulnerabilities from being overlooked, ensuring a proactive cybersecurity approach.

 

Conclusion

Meeting NIS2 requirements doesn’t have to be a burden. Traditional cybersecurity solutions are not well suited for protecting cellular IoT devices. With Aeris as your partner, you gain not only a purpose-built solution but a reliable ally in your compliance journey. By leveraging advanced monitoring, threat intelligence, and proactive security features, you can focus on what matters most — keeping your cellular IoT operations secure and compliant. Let Aeris make your path to NIS2 compliance straightforward and effective.

Don’t let cybersecurity gaps put your utility business at risk.

Find out more about how Aeris can help you stay secure and compliant now.

Learn more

Sign up for the latest on IoT intelligence