Industrial Resilience with NIS2: A PDCA model is essential

Centro de Ciberseguridad Industrial

The NIS2 Directive focuses on increasing the resilience of entities providing essential services and ensuring the continuity of those services in the face of potential cyber threats.

Resilience in cybersecurity, especially in industrial and critical environments, requires a model based on the PDCA (Plan-Do-Check-Act) cycle. This cycle is essential to managing resilience effectively because it allows for continuous improvement and the ability to adapt to changing threats.

The NIS2 Directive primarily introduces compliance schemes that impose specific obligations on organizations in terms of cybersecurity. While some of its requirements, such as those detailed in Articles 20, 21 and 23, are aligned with a risk management approach that could be associated with the PDCA (Plan, Do, Check, Act) cycle, this alignment is partial and limited. For example, Article 21 obliges entities to implement technical, operational and organizational measures proportionate to the risks, and Article 20 makes management bodies responsible for approving and overseeing those measures; together they reflect the planning and execution phases of the PDCA cycle. Similarly, Article 23 addresses incident reporting (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after that notification), which connects to the check and act phases, where organizations must adjust their responses based on the analysis of past incidents. However, the overall focus of the directive is oriented towards regulatory oversight and compliance, rather than directly promoting a continuous cycle of improvement in cybersecurity.

Industrial organizations are legally required to comply with rigorous regulations in both quality management and operational and/or functional safety. These regulations, although necessary to protect workers and the environment, as well as to ensure product quality, often impose a significant burden on companies, especially smaller ones. Compliance with standards such as ISO 9001 or ISO 45001 requires a PDCA-based model that entails not only a considerable investment of resources in the implementation of management systems, but also an ongoing effort to maintain certification through periodic audits and controls; that effort is nonetheless necessary for continuous improvement.

Leveraging this effort and applying the same PDCA model to cybersecurity is not only natural, but more efficient. By integrating it with the processes already established for quality and operational safety, organizations can maximize the resources invested, strengthen their cybersecurity posture, and ensure consistent and aligned management on all critical fronts, without duplicating efforts or generating friction between operational and security areas.

The NIS2 approach, by focusing on compliance with static regulations and established standards, risks pigeonholing organizations into a “comply to avoid penalties” mentality rather than encouraging a true evolution in their cybersecurity posture. This approach undoubtedly represents a substantial improvement for the cybersecurity of operators providing services essential to the welfare of society, but this regulatory rigidity could stifle the innovation and proactivity that ever-changing threats demand. Instead of incentivizing dynamic adaptation, these regulations can generate a dangerous complacency, where compliance becomes an end in itself and real security is relegated to the background. Companies could simply tick boxes rather than developing a comprehensive and adaptive strategy, leaving them vulnerable to emerging risks that do not fit within the predefined regulatory framework.

Cyber incidents in industrial organizations can have a high physical impact, and this requires cybersecurity to be implemented in a more robust and adaptive way, with a PDCA model that strengthens the organization's posture against critical and changing threats.

Cybersecurity and Operations

Cybersecurity requirements should not interfere with or conflict with daily industrial operations, where downtime or disruption can be not only extremely costly, but also dangerous to process integrity and worker safety. Security measures should be agile and consistent with the operational demands of the industry, rather than imposing burdens that can paralyze operations. In this regard, a PDCA model, by allowing for continuous and adaptive improvement, should be considered a key strategy. This approach not only balances protection with operational efficiency, but also minimizes friction between security needs and the fluidity of critical industrial processes, avoiding rigidities that could put productivity and safety at risk.

Integrating new security protocols into legacy OT systems presents significant challenges, both in terms of complexity and costs. It is therefore crucial to adopt a PDCA model-based approach in the transposition of the NIS2 directive. This approach would allow legacy technologies to be gradually adapted to new security requirements without compromising the operability of critical infrastructures. The PDCA continuous improvement cycle facilitates the progressive implementation of security measures, minimising disruptions and ensuring that legacy systems remain operational while being strengthened against emerging threats.

Compliance with sector regulations

One of the main objectives of the NIS2 directive is to establish a common framework that unifies the existing regulatory dispersion in cybersecurity. In its Article 4, the directive establishes how it relates to sector-specific Union legal acts: where such an act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to those of NIS2, the corresponding NIS2 provisions do not apply (DORA, for financial entities, is the usual example). This means that, in case of overlap, the sectoral legal act prevails, but only where its requirements are at least equivalent; weaker sectoral rules do not displace NIS2. Therefore, it is essential to have clear sectoral regulations and applicable standards in place so that industrial organisations can fulfil their obligations without generating inconsistencies or regulatory conflicts. Clarity in the applicability of these sectoral frameworks will be key to avoiding duplication and guaranteeing an efficient and coherent implementation of the regulations.

Fragmentation of responsibilities

In OT environments, cybersecurity often suffers from a lack of clear responsibility, as tasks are scattered across IT cybersecurity, operations, maintenance, engineering and third-party vendors. This fragmentation not only creates confusion, but also opens the door to security gaps that could be exploited with serious consequences for critical infrastructures. The new obligations arising from the transposition of NIS2 cannot simply add more regulations on top of this already dysfunctional structure; they must urgently and concretely address the precise allocation of responsibilities. This must be done with an approach based on the PDCA model, ensuring not only clarity in roles, but also continuous improvement in integration and cooperation between teams, thus preventing operational gaps from compromising the overall security of the OT environment. Ignoring this need for clarity and coordination would be to perpetuate the same chaos that endangers industrial resilience.

Critical Incident Management

Cybersecurity incidents in OT systems not only compromise the technological infrastructure, but can trigger catastrophic physical consequences, seriously affecting the safety of people, the environment and the operational continuity of critical sectors. However, the new obligations imposed by the NIS2 directive seem insufficient if they do not specifically and robustly address the response to high-impact incidents that could put public health and the integrity of industrial systems at risk. To mitigate this deficiency, it is crucial that organizations develop contingency plans that go beyond NIS2 regulatory compliance, focusing on operational resilience and the ability to recover from complex and coordinated attacks.

Likewise, encouraging large-scale cyber incident drills and strengthening cooperation between critical sectors and authorities can help bridge the gap between regulatory theory and effective risk mitigation practice. Only by adopting an integrated and adaptive approach that combines cybersecurity best practices with NIS2 regulations can more effective protection against the highest risk scenarios be ensured.

Although NIS2 promotes cooperation and information sharing between companies and national authorities, this collaborative approach, while positive, risks remaining a mere formality if effective and concrete implementation is not ensured. Lessons learned from previous incidents do not always translate into real preventive actions, and the transposition of the directive must go beyond theory, encouraging the creation of sectoral spaces where the exchange of information and experiences becomes a common practice and not an exception. Without ensuring active and tangible collaboration, any progress in resilience at national or European level will be superficial, leaving organisations vulnerable to increasingly sophisticated threats.

The regulatory compliance that will be required by the transposition of the NIS2 directive is only one piece of the cybersecurity puzzle in industrial environments. Without a continuous improvement approach, organizations risk falling into a static compliance dynamic, unable to adapt to a constantly evolving threat environment. The PDCA model offers a proactive alternative, allowing companies to not only comply with regulations, but also evolve their industrial resilience.


Author:

José Valiente

Industrial Cybersecurity Center General Director