Cybersecurity in the maritime sector is of critical importance, as sea routes accounted for about three-fourths of the EU’s imports and exports in 2022. The new Network and Information Systems Security Directive (“NIS2 Directive”), which aims to strengthen cybersecurity, is expected to enter into force from October 2024 and will impact maritime companies with more than 50 employees or an annual revenue of over €10 million. The NIS2 Directive, which will replace and repeal the NIS Directive, expands the scope to cover a larger number of companies in the sector, as it includes both medium-sized and large companies.
Companies may feel burdened by strict NIS2 requirements
To comply with the new requirements, companies would need to make cyber risk management a focal point of every business strategy and make cybersecurity measures a part of day-to-day operations. NIS2 adoption will not only demand additional investment but also change the way business is done.
- Increase in cybersecurity investments
A total of 156 entities in the water transport sector were subject to the NIS directive in July 2016, as it focused mainly on large enterprises. Under NIS2, this number is likely to increase to 380. In particular, the number of port and terminal operators covered by NIS2 will increase significantly. A senior IT executive from Port of Rotterdam indicated that while NIS covered only a few port stakeholders (~5 companies), more than a hundred companies would need to comply with NIS2.
The European Commission indicated that companies already covered under the NIS directive would need to increase their IT security spending by 12%, while companies that were not covered previously but would be covered under the NIS2 framework would need to increase their IT security spending by up to 22%.
Frontier Economics, a consultancy firm based in Europe, estimated that the costs of implementing the NIS2 regulation in medium and large enterprises across the water transport sector would be about 0.5% of those companies' total annual revenue, which amounts to more than €225 million per year.
- Enhancement of OT security
The advent of digitization has resulted in rapid convergence of operational technology (OT) with IT systems, leaving critical OT infrastructure vulnerable to cyberattacks. OT helps monitor and control mechanical processes, making it particularly important for the safe operation of ports and other aspects of the maritime sector.
ENISA, the European Union Agency for Cybersecurity, indicated that from January 2021 to October 2022, ransomware attacks on IT systems were the most prominent cyber threat facing the transport sector and warned that ransomware groups are likely to target OT systems in the near future. NIS2 imposes stringent requirements for critical infrastructure entities, including maritime companies, to beef up cybersecurity from the perspective of both IT and OT.
Traditionally, maritime companies have considered cybersecurity primarily in the context of IT systems, but now there is a higher focus on OT cybersecurity, and NIS2 is going to ensure investment momentum in this space. For instance, the Maritime Cyber Priority 2023 report indicated that over three-fourths of the respondents suggested that OT cybersecurity is a significantly higher priority compared to two years ago.
While NIS2 adoption may seem taxing, benefits are likely to follow
Like any new regulation, the adoption of NIS2 comes with additional costs and implementation hurdles; however, the consequent benefits are likely to outweigh the challenges.
- Harmonization of cybersecurity requirements
In August 2023, a senior executive from Mission Secure, an OT cybersecurity solutions provider, indicated that maritime operators would welcome stringent cybersecurity standards. The maritime industry operates on thin profit margins, making it difficult for companies to invest more in cybersecurity than competitors. Implementation of NIS2 would set cybersecurity standards harmonized across the EU and thus level the playing field in terms of spending on cybersecurity while reducing the risks and losses associated with cyberattacks.
- Improved competitiveness
A 2020 study by ENISA suggested that EU organizations’ cybersecurity spending is, on average, 41% lower than that of their US counterparts. NIS2 is expected to drive the necessary investments in cybersecurity.
Moreover, given the international nature of the maritime industry, the adoption of the NIS2 directive will help the operators keep up with similar cybersecurity regulations around the world. For instance, Australia reformed the Critical Infrastructure Protection Act in 2022 to address the evolving cyber threat landscape. The UK, while no longer part of the EU, is in the process of revising the cybersecurity regulation for critical infrastructure operators in line with NIS2.
Upon implementation of NIS2, maritime operators will need to invest to meet more effective cybersecurity requirements, potentially increasing costs in the short term. Despite this, the increased investment will result in a more secure and resilient industry in the long run, and companies that are able to invest heavily in security are going to gain a competitive advantage over those that are not able to do so.
Digitization and connected technology in the maritime sector are evolving faster than the sector's ability to regulate them. Hence, the maritime sector should view NIS2 as just another measure to elevate the cybersecurity framework. Companies need to be agile and flexible to adapt to the evolving cyber threat landscape.