Multinational oil and gas sector company achieves OT cybersecurity beyond compliance: An EU NIS Directive success journey

  • A major multinational oil and gas company operating across sites and countries achieved EU NIS compliance and long-term OT cybersecurity.
  • DNV Cyber developed a roadmap and framework to support audit preparations and drive effective OT security improvements. 
  • EU NIS Directive requirements were integrated within the customer’s day-to-day processes and governance model. 
  • Insights from the project help reduce the risk of unexpected downtime and loss of production.

This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.

A major multinational oil and gas company needed to achieve compliance with national laws that enact the EU’s Directive on Security of Network and Information Systems (NIS Directive). While the directive is the first EU-wide set of rules on cybersecurity, member states have applied it with local nuances. The project included multiple sites over three countries. 

DNV Cyber was contracted as the trusted partner to advise on mandatory OT security practices, define a ‘toolkit’ describing minimum requirements, and create an implementation roadmap to prepare for external audits. 

Initial discussions made it clear that three major challenges were involved: 

  • Multiple international sites needed assessing, and integration with existing cybersecurity management processes was required. 
  • Several of the customer’s internal business units would be involved, and the scope would include third parties like system integrators, vendors, and suppliers. 
  • Unique local requirements included country-specific laws, regulators, standards, definitions, and varying national NIS thresholds for incident reporting.

Compliance requirements were integrated into the customer’s day-to-day processes and governance model.

The customer became well prepared to demonstrate compliance.

The customer successfully passed external audits for the compliance process.

Converting complex requirements into clear achievable actions 

DNV Cyber’s team of experienced consultants provided end-to-end guidance following the methodology ‘Assess, Remediate, Manage’ (ARM). 


Fig 1: Assess, Remediate and Manage (ARM) methodology used during the project (Source: Applied Risk, a DNV company)

Once business units were identified as Operators of Essential Services (OES) as designated by national laws, DNV Cyber conducted scoping to define critical business processes, systems, and third parties. DNV Cyber then performed multiple Health Check Assessments to measure the effectiveness of the implemented barriers/controls at every OES location against the regulatory requirements. 

Based on this gap analysis, a clear remediation roadmap was designed, and concrete activities were implemented for different sites. 

Pragmatic improvements were created to help the customer’s teams be well prepared for external audits. A tailored set of recommendations allowed the business to make informed decisions to address its unique requirements. 

Special emphasis was placed on implementing the NIS Incident Notification process to assigned regulators. This process involved stakeholders and business units across the globe (e.g. legal, crisis management, the Cyber Security Incident Response Team, and IT Operations). 

Improvements were implemented in the existing incident management plan, and simulations were conducted to ensure key stakeholders were equipped to play their role within the process. 

The team remarkably addressed our business needs. Due to their experience within operational environments, allied to their knowledge of cybersecurity frameworks across IT and OT, as well as risk assessments and implementation, they were quickly up to speed. The programme and roadmap supported us in closing the project within time and exceeded quality.

  • OT Security Manager at oil and gas company

Preparing for compliance delivers wider cyber resilience benefits

As a result of the programme with DNV Cyber, the customer was well prepared to demonstrate compliance in the external audits, all of which have been successfully passed.  

The compliance journey also served as a tool to create more effective OT security within the organization, reducing the risk of unexpected downtime and loss of production. 

The EU NIS Directive requirements were integrated into the customer’s day-to-day processes and governance model. Focal points were assigned, and the stakeholders have been trained to fulfil their role in the process. 

Insights gained into the organization’s OT security maturity will also contribute towards improving the ability to sustainably manage cyber risk at the different locations. 

Hence, DNV Cyber’s unique and tailored approach ensured that achieving compliance was not just a box-checking exercise, but a foundation that will be further utilized to drive effective security improvements across the entire business.