NIS2 and IEC 62443

Oct 01, 2024

Two crucial pillars for cybersecurity in 2024

The global digital transformation has brought unprecedented benefits to businesses, but also new risks. Cyberattacks have become an everyday phenomenon, and their impact on organizations can be devastating. To address these challenges, the EU adopted the NIS2 Directive, which entered into force in January 2023. Together with IEC 62443, an industry-developed standard, it plays a crucial role in strengthening organizations' cyber resilience: NIS2 defines what is legally required, IEC 62443 describes how industrial systems can meet those requirements in practice.

What is NIS2?

NIS2 (the second Network and Information Systems Directive, Directive (EU) 2022/2555) is European cybersecurity legislation and the successor to the original NIS Directive of 2016 (Directive (EU) 2016/1148). It aims to raise the security level of network and information systems within the EU, particularly at organizations providing essential services such as energy, transport, and healthcare. NIS2, which entered into force in 2023, widens the scope to further sectors such as the food industry, the financial sector, and public administration, and classifies in-scope organizations as either "essential" or "important" entities, with stricter supervision for the former. The following sectors fall under NIS2:
  • Manufacturing
  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • ICT service providers
  • Wastewater
  • Government services
  • Local authorities
  • Space
  • Digital providers
  • Postal and courier services
  • Waste management
  • Food
  • Chemicals
  • Research
An important aspect of NIS2 is the emphasis on the responsibility of organizations to identify and address cybersecurity risks within their supply chain. Article 21 of the directive requires entities to address supply-chain security, including the security-related aspects of their relationships with direct suppliers and service providers. In practice this means that companies must not only secure their own systems but also assess the security of their partners and suppliers (for example through supplier risk assessments and contractual security requirements), so that the entire chain is covered. The ultimate goal is a more resilient digital ecosystem in which the likelihood of disruptions caused by cyberattacks is significantly reduced.
Fines for non-compliance with NIS2
Now that NIS2 has been legally established, the national supervisory authority can impose fines for non-compliance: for essential entities up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, and for important entities up to EUR 7 million or 1.4%. The directive also makes the management body accountable for approving and overseeing the risk-management measures. Member States had to transpose NIS2 into national law by 17 October 2024, so organizations should be prepared by the end of 2024 at the latest, even where national transposition is running late.

IEC 62443: The industrial standard for cybersecurity

While NIS2 places obligations on a broad range of companies, the IEC 62443 series specifically targets the security of Industrial Automation and Control Systems (IACS). Developed by the ISA99 committee and published by the International Electrotechnical Commission (IEC) as ISA/IEC 62443, the series provides a systematic approach to evaluating and improving cybersecurity in industrial environments, with separate parts addressed to asset owners, system integrators, and product suppliers.
IEC 62443 is especially relevant for sectors such as manufacturing, energy supply, and infrastructure, where the consequences of a cyberattack can be particularly severe. The standard covers various aspects of cybersecurity, including the design and implementation of security measures, risk management, and the evaluation of cybersecurity programs. Technical requirements in the 3-3 and 4-2 parts are graded into Security Levels SL 1 to SL 4, so that the required strength of a control can be matched to the capability of the attacker it is meant to withstand. The most frequently certified parts of the series are:
  • IEC 62443-2-1 defines the requirements for the security program (cybersecurity management system) of an IACS asset owner.
  • IEC 62443-3-2 describes the risk assessment that partitions a system into zones and conduits and assigns each a target security level.
  • IEC 62443-4-1 covers certification of the product development process (typically at R&D site level) against 47 requirements for secure product development and support, spread over eight practices.
  • IEC 62443-4-2 focuses on the technical security requirements of the component (product) itself. In the common certification schemes, a 4-2 certificate is only issued to a product whose development process has already been certified against 4-1.
  • IEC 62443-3-3 assesses a system as a whole. Certifying every component under 4-2 is not always feasible; a system with dozens of components would otherwise need a certificate for each of them. In such cases, the system can be assessed as a whole under 3-3, with the scope (the system under consideration) defined by the organization: this can be as small as an EV charging station or as large as the entire high-voltage grid of the Netherlands.

IEC 62443 as compliance for NIS2

Although NIS2 and IEC 62443 address different aspects of cybersecurity, they complement each other well. NIS2 is binding legislation that requires "appropriate and proportionate" technical, operational, and organizational measures but does not prescribe how to implement them; a recognized standard such as IEC 62443 can serve as evidence that those measures are in place. NIS2 emphasizes a holistic approach to cybersecurity, examining the entire supply chain from suppliers to end-users, and in an industrial setting IEC 62443 can be used to meet these requirements. Note that IEC 62443 conformance alone does not cover every NIS2 obligation: the directive's incident-reporting duties (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident), for example, must be organized separately.
NIS2 requires the entire supply chain, from developer to end-user, to be involved in cybersecurity. For industrial products, this is achieved through a four-step process in which each party in the chain applies the part of IEC 62443 written for its role:
Step 1
The asset owner must comply with the NIS2 cybersecurity requirements and uses IEC 62443-2-1 to set appropriate requirements for the system integrator. This part of the series is used to establish an IACS security program, requiring the asset owner to build a cybersecurity management system and to have the supporting processes in place.
Step 2
Step 3
Step 4
By complying with the mandatory NIS2 legislation and using the industrial standard IEC 62443 to implement and demonstrate the required measures, organizations can both show regulatory compliance and enhance their overall cyber resilience. This is crucial in an era where cyber threats are becoming increasingly sophisticated and numerous.

DEKRA’s role in cybersecurity

At DEKRA, we understand the complexity of cybersecurity and the challenges organizations face. We offer comprehensive services, including conformity assessments against the NIS2 requirements and certification according to the IEC 62443 standards, as well as other standards such as ISO 27001, EN 18031, and ETSI EN 303 645. Our experts support organizations in meeting the relevant regulations. Investing in these certifications, carried out by an independent certification body like DEKRA, is a significant step towards a safer, more robust, and future-proof digital ecosystem, enhancing both your cyber resilience and customer trust.
