Navigating the NIS2 Directive: Impact on Critical Infrastructure Sectors and Compliance Solutions

Impact on Critical Infrastructure Sectors

The NIS2 Directive, an update to the EU’s original Network and Information Security (NIS) Directive, significantly expands cybersecurity obligations for critical infrastructure sectors (see below). It mandates stringent security measures and incident reporting requirements for sectors deemed essential to society, including energy, transportation, digital infrastructure, telecommunications, healthcare, and public administration. The directive aims to reduce cybersecurity risks by ensuring that companies within these sectors implement robust safeguards to protect their systems from tampering, unauthorised access, or disruptions.

Based on our review of the NIS2 Directive and the recommendations provided by the European Union Agency for Cybersecurity (ENISA) in its 5G Security Controls Matrix, ICT devices—including Global Navigation Satellite System (GNSS) receivers—must be safeguarded against tampering and unauthorised access, including the protection of their data sources. Therefore, as part of NIS2 Directive compliance, companies must verify the integrity of data sources, such as Position, Navigation, and Timing (PNT) data from GNSS devices, to mitigate vulnerabilities that could affect public safety and service continuity.

The NIS2 Directive enforces these standards across the EU and introduces strict penalties for essential entities (see the definition of essential entity below), set at €10 million or 2% of global annual revenue, whichever is higher.

Fig. 1.: Sectors impacted by the NIS2 Directive (table from https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_2_ENTITIES.pdf).

Compliance Solutions

To support compliance for GNSS-dependent infrastructure, the National Standards Authority of Ireland National Metrology Laboratory (NSAI NML) and Timing Solutions offer a Verified GNSS Data Service. This service is designed for a wide range of companies impacted by the NIS2 Directive. NSAI NML makes the GNSS data validation service available to companies across the EU and beyond.

Fig. 2.: High-level architecture for generation and distribution of verified GNSS data stream.

By using a verified GNSS data stream from an autonomous EU state agency (NSAI NML), your company’s GNSS-dependent infrastructure will be in compliance with the NIS2 Directive.

If you want to know more, please send an email to the email address below.

Fig. 3.: NSAI NML’s Verified GNSS Data Service coverage area.