Incidents like the Collins Aerospace cyberattack should serve as a warning for Europe’s critical infrastructure. They show just how fragile the digital backbone of transport, energy and manufacturing can be when cybersecurity stops at the organizational level.
To counter these risks, the European Union’s (EU) new Network and Information Systems Directive (NIS2) demands that cybersecurity goes beyond firewalls and passwords. The directive requires additional visibility, accountability and resilience – not only within an organization’s own individual systems but across its entire ecosystem.
NIS2 marks a turning point for industrial and energy companies. Cybersecurity has moved from a box-ticking exercise to something that can define an organization’s survival.
Directive (EU) 2022/2555, or NIS2, is the EU’s most ambitious cybersecurity legislation to date. It aims to establish a high common level of cybersecurity across the EU, expanding protection to a wider range of sectors including energy, transport, healthcare and digital infrastructure. The directive requires early warnings and strict reporting of significant incidents within 24 hours.
Companies must therefore adopt risk management measures covering access control, encryption, zero-trust architecture and business continuity planning. What distinguishes NIS2 is its reach – the directive doesn’t stop at the network edge. Supply chains, cloud services and software providers are now included in the security perimeter. For many industrial players, this will bring a radical shift from compliance to continuous vigilance.
The first Network and Information Security Directive was adopted in 2016 and laid the foundations for the new, more stringent directive.
NIS2 addresses gaps exposed by years of fragmented national rules and rising cross-border threats. The new directive forces operators of essential and important entities to build cybersecurity into every layer of their operations, from policy and procurement to their daily processes.
Organizations covered by NIS2 must now implement documented risk management frameworks, report incidents within tight timeframes and prove that technical and organizational measures are in place to prevent disruption. This includes continuous monitoring, identity and access management and business continuity planning such as backup management and disaster recovery.
The penalties for failure are steep. Non-compliance can mean fines of up to two per cent of annual global turnover for essential entities (critical sectors such as energy, digital infrastructure, banking and transport). Moreover, the consequences of a penalty can go beyond the financial, seriously impacting an organization’s credibility.
Industrial and energy companies form the backbone of Europe’s critical infrastructure, and their exposure to cyberattacks is growing. These companies face heightened obligations under NIS2. Production lines, grids and control rooms once isolated from the internet now depend on cloud systems, smart sensors and real-time data exchange. Each new connection expands the potential surface for attack.
Meanwhile, the convergence of IT and OT systems has created new vulnerabilities in automation and industrial control networks. In today’s connected operations, OT systems are no longer the ‘islands’ they once were and are susceptible to attack. The US Cybersecurity and Infrastructure Security Agency (CISA) highlights that attacks on industrial control systems (ICS) increasingly exploit remote access, weak segmentation and unpatched devices.
NIS2 makes cybersecurity more than just an IT problem – it’s an issue of overall operational control. Protecting uptime now depends on managing digital risk as thoroughly as physical safety. Grid stability, load management and even supply continuity hinge on the security of interconnected systems.
The Collins Aerospace ransomware attack showed that third parties can be a weak link in even the best-defended systems. NIS2 directly targets this weakness. It makes organizations accountable not only for their own defences, but also for the cybersecurity measures of their suppliers, contractors and service providers.
According to the European Union Agency for Cybersecurity (ENISA), third-party risk is now one of the fastest-growing vectors for critical infrastructure attacks. Compromised software updates, insecure cloud configurations and unmonitored vendors can all become entry points for disruption.
Under NIS2, companies must treat their supply chain as part of their operational network. That means assessing partners’ risk exposure, enforcing contractual cybersecurity clauses and integrating monitoring into central Security Information and Event Management (SIEM) and Security Operations Centre (SOC) systems. Resilience now depends on visibility across every digital connection.
Complying with NIS2 involves designing security into the heart of industrial operations. Choosing smart software platforms created with security in mind, such as COPA-DATA’s zenon, is a crucial step. Built for automation and energy environments, its functionalities already support many of the directive’s technical and organizational requirements out of the box.
zenon’s security-by-design approach reinforces access control and communication integrity through role-based user management, encryption and certificate handling. It offers centralized monitoring, enabling continuous visibility across multiple distributed sites, while alarm management and event logging can detect anomalies early and feed security events into existing SIEM/SOC systems.
Business continuity and resilience are equally critical. zenon’s redundancy and disaster-recovery features safeguard availability during incidents, supporting the continuity plans required under NIS2. Automated reporting closes the loop, providing transparent records for audits and regulatory notifications without manual intervention.
To further strengthen compliance, COPA-DATA’s development process for zenon is certified according to IEC 62443-4-1, ensuring alignment with NIS2’s expectations for documented and continuously improving security practices.
In addition, COPA-DATA offers structured upgrade paths and Service Level Agreements (SLAs) that keep systems up to date and fully maintainable. These agreements provide the verifiable documentation auditors require, helping organizations demonstrate that their software environment is consistently compliant with evolving NIS2 obligations. zenon also offers forward and backward compatibility – making it simpler to install new versions and thus keep security-relevant updates consistently applied.
In particular, its built-in backup handling supports the NIS2 mandate for defined backup and recovery processes: zenon projects can be backed up and restored at any time. The result is a practical framework for operational confidence, where cybersecurity becomes integrated into the system’s everyday intelligence.
NIS2 raises the bar for Europe’s critical infrastructure, and the directive’s implications are long-term. For industrial and energy operators, it makes cybersecurity part of operational excellence. The challenge now is both cultural and technical. As the global landscape changes, security must become a continuously evolving process, embedded in design, maintenance and strategic supply-chain decisions.
Fortunately, those who act early can turn compliance into competitive strength, using automation and real-time data to make resilience measurable and stay ahead of potential threats. Platforms like zenon show the shift is already happening and that cybersecurity isn’t just a box to tick. It’s a system that thinks ahead, in an era where foresight may be the most valuable security control of all.