By Andrea Monteleone, Segment Development Manager, EMEA, Critical Infrastructure, Axis Communications
NIS2 and the Critical Entities Resilience Directive[1] (CER) go hand-in-hand. They will both change the way the public and private sectors think about security, and alter the course of business continuity strategies. Both cover the same list of sectors and industries defined as ‘critical entities’, and both place the same people in a position of responsibility should they be breached.
But while NIS2 defines vital boundaries surrounding cybersecurity, CER is, basically, ‘everything else’. Its core principles state, to put it simply, that every business within its scope must be able to continue operating whatever happens. That could mean a natural disaster, a physical attack, human error or even a cyber attack.
Moreover, one props up the other. Without the kind of secure IT infrastructure that NIS2 leads, there is no foundation for resilience; without the resilience of critical infrastructure – defined very broadly by CER as ‘an asset, a facility, equipment, a network or a system[2]’ – the aims of NIS2 cannot be met.
Working against a tight time limit
Every business within scope must now audit its risk assessment process and ensure the way it approaches its business matches up – and it must do so immediately. The European Commission’s July 2026 deadline for member states to identify their own list of critical entities may seem to imply that there is a lot of time to work with, but any measures must be in place before that date.
Just as every new device introduced into a ‘critical entities’ business has to be aligned with NIS2, all projects, refreshes, and infrastructure changes must now place business continuity at the top of the spec sheet. New risk assessments will be required for every critical process, even that which forms part of existing infrastructure. A new way of thinking about and monitoring risks is essential.
CER: A new level of diligence
CER and NIS2 draw new sectors into regulatory oversight, and force industries such as water treatment, transportation, healthcare, food and waste management to provide a level of proof as to their business continuity plans. EU member states will use on-site audits and inspections to ensure such entities display the appropriate level of technical, security and organisational resilience.
Reporting, too, becomes more stringent. CER states that events which have the potential to cause business disruption must be reported, whether they actually impact business continuity or not. But adjusting to these new standards may not demand a full equipment redesign.
So we return to the idea of new thinking. In many cases, the equipment required to detect novel incidents, observe critical machinery or systems, and even prevent dangerous human activity is already installed. It simply needs to be thought of in a different way.
Rethinking the camera as a sensor
Today’s surveillance cameras are, in many cases, the most powerful sensor operating on an entity’s premises. The strong processors, analytics engines and AI technology of modern cameras offer an opportunity to use them for more than security. To allow a device so capable to do just one job feels like a waste.
Point a thermal camera at an array of machinery, for example, and it can offer an operator visual feedback on that equipment’s temperature. Simple enough. Harness its data collection abilities, though, and you could define 100 points within its image, collect precise numbers from each, output them via an industrial protocol like Modbus or MQTT, and fully integrate that data into an operational interface.
Doing more with sensor data
Critical entities will be forced to improve the continuity of remote locations. A camera at, for example, an electricity substation could detect the status of equipment, watch for weather conditions, generate an alert if a human gets too close to dangerous devices, or even anonymously inspect on-site workers for proper PPE, as well monitor the perimeter for intrusion.
None of this demands that a camera operator be watching constantly. Algorithmic techniques or an AI engine running directly in-camera can monitor its entire field of vision. A camera could predict a landslide or a flood, listen to the sound of a turbine and detect tiny pitch changes which indicate a failure, or sound an alarm as part of an access control system. It is a truly flexible platform.
A united path forward
Of course, every use case is unique. Drop-in applications will suit some situations, for others a bespoke solution must be created. A lot can be done with AI, but AI models must be trained extensively before they can be effective. And the camera’s place in monitoring is still solidifying, particularly in the eyes of executives: they must learn the importance of CER, and the potential for cameras to accelerate the process of alignment with CER’s aims.
The key is that it must be the right hardware. Cameras with open platforms allow for the kind of innovation that CER and its ilk require, and facilitate cross-collaboration between critical industries. The goal is stability, security, and resilience for everyone, with devices which meet the demands of NIS2 and CER in equal measure, supported by vendors and suppliers that know that equipment inside out. That knowledge and unity is the path to a smarter, safer world.
[1] https://www.critical-entities-resilience-directive.com/
[2] https://eur-lex.europa.eu/eli/dir/2022/2557/oj