Multinational oil and gas sector company achieves OT cybersecurity beyond compliance: An EU NIS Directive success journey

  • A major multinational oil and gas company operating across sites and countries achieved EU NIS compliance and long-term OT cybersecurity.
  • DNV Cyber developed a roadmap and framework to support audit preparations and drive effective OT security improvements. 
  • EU NIS Directive requirements were integrated within the customer’s day-to-day processes and governance model. 
  • Insights from the project help reduce the risk of unexpected downtime and loss of production.

This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.

A major multinational oil and gas company needed to achieve compliance with national laws that enact the EU’s Directive on Security of Network and Information Systems (NIS Directive). While the directive is the first EU-wide set of rules on cybersecurity, member states have applied it with local nuances. The project included multiple sites over three countries. 

DNV Cyber was contracted as the trusted partner to advise on mandatory OT security practices and define a ‘toolkit’ describing minimum requirements and creating an implementation roadmap to prepare for external audits. 

Initial discussions made it clear that three major challenges were involved: 

  • Multiple international sites needed assessing, and integration with existing cybersecurity management processes was required. 
  • Several of the customer’s internal business units would be involved, and the scope would include third parties like system integrators, vendors, and suppliers. 
  • Unique local requirements included country-specific laws, regulators, standards, definitions, and varying national NIS thresholds for incident reporting.

Compliance requirements were integrated into the customer’s day-to-day processes and governance model.

The customer became well prepared to demonstrate compliance.

The customer successfully passed external audits for the compliance process.

Converting complex requirements into clear achievable actions 

DNV Cyber’s team of experienced consultants provided end-to-end guidance following the methodology ‘Assess, Remediate, Manage’ (ARM). 

 

Fig 1: Assess, Remediate and Manage (ARM) methodology used during the project (Source: Applied Risk, a DNV company)
Fig 1: Assess, Remediate and Manage (ARM) methodology used during the project (Source: Applied Risk, a DNV company)


Once business units were identified as Operators of Essential Services (OES) as designated by national laws, DNV Cyber conducted scoping to define critical business processes, systems, and third parties. DNV Cyber then performed multiple Health Check Assessments to measure effectiveness of the implemented barriers/controls at every OES location against the regulatory requirements. 

Based on this gap analysis, a clear remediation roadmap was designed, and concrete activities were implemented for different sites. 

Pragmatic improvements were created to help the customer’s teams be well prepared for external audits. A tailored set of recommendations allowed the business to make informed decisions to address its unique requirements. 

Special emphasis was placed on implementing the NIS Incident Notification process to assigned regulators. This process involved stakeholders and business units across the globe (e.g. legal, crisis management, Cyber Security Incident Response Team, IT Operations, etc.). 

Improvements have been implemented into the existing incident management plan and simulations conducted, to ensure key stakeholders were equipped to play their role within the process. 

The team remarkably addressed our business needs. Due to their experience within operational environments, allied to their knowledge of cybersecurity frameworks across IT and OT, as well as risk assessments and implementation, they were quickly up to speed. The programme and roadmap supported us in closing the project within time and exceeded quality.

  • OT Security Manager at oil and gas company

Preparing for compliance delivers wider cyber resilience benefits

As a result of the programme with DNV Cyber, the customer was well prepared to demonstrate compliance in the external audits, all of which have been successfully passed.  

The compliance journey also served as a tool to create more effective OT security within the organization, reducing the risk for unexpected downtime and loss of production. 

The EU NIS Directive requirements were integrated into the customer’s day-to-day processes and governance model. Focal points were assigned, and the stakeholders have been trained to fulfil their role in the process. 

Insights gained into the organization’s OT security maturity will also contribute towards improving the ability to sustainably manage cyber risk at the different locations. 

Hence, DNV Cyber’s unique and tailored approach ensured that achieving compliance was not just a box-checking exercise but will be further utilized to drive effective security improvements across the entire business. 

Woman in a subway

We take a practical approach to keeping you compliant. We share our regulatory knowledge so you stay ahead of developments in your industry and geography.

Put security controls in place to protect your data and assets and strengthen your cybersecurity posture.

Strengthen the resilience of infrastructure, enable digital transformation, and secure your energy transition