The EU’s NIS2 Directive represents a significant step forward in strengthening cybersecurity across critical infrastructure and essential services. Ashley Wyand, Global Head of Security Governance, Risk, Compliance Readiness, and Customer Trust, outlines Ciena’s posture on NIS2 compliance, highlighting how a strong cybersecurity program and proactive risk management keep operations resilient in the face of evolving cyber threats.

Cybersecurity involves protecting network and information systems (NIS), their users, and other affected individuals from cyber incidents and threats. To respond to the increased exposure of Europe to cyber threats, the European Union issued Directive 2022/2555, also known as NIS2, to replace its predecessor, Directive 2016/1148 or NIS1. With many countries transposing their national NIS2 laws, 2026 marks a critical year for companies to assess scope, implement robust security, and prepare for stricter reporting.

Understanding NIS2 and its application to Ciena

The NIS2 Directive applies to both essential and important entities within the EU, imposing stricter oversight, incident reporting, and enforcement measures than its predecessor. Penalties for non-compliance include administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities, making compliance critical to both categories.

In certain jurisdictions, Ciena falls under the scope of NIS2 as an important entity given our position as a provider of communication equipment and a manufacturer of electronic components. While the supervision and penalty regimes for important entities are less stringent than those for essential entities, we recognize the importance of aligning with NIS2 requirements not only as a regulatory requirement but also to support customers who may face additional NIS2 obligations as essential entities.

Supporting our customers with NIS2 compliance

While NIS2’s direct application to Ciena is limited to specific member states, the Directive’s requirements on essential entities may flow down to us as a supplier. As such, we’re committed to supporting our customers in meeting their NIS2 obligations through the following:

  • Incident reporting: Coordinating with customers to support timely notifications and updates, consistent with applicable NIS2 timelines (for in-scope entities, an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month) and with contractual obligations.
  • Cybersecurity risk mitigation: Providing secure products and services that align with NIS2’s technical and organizational measures.

Ciena’s approach to NIS2 compliance

The risk management strategies outlined in NIS2 are not new for us here at Ciena. In fact, many of the established practices we have had in place already align with those guidelines set forth in the new Directive. Below, we detail how Ciena addresses key NIS2 requirements.

Cybersecurity risk management and governance

Ciena’s security risk management program proactively identifies, assesses, prioritizes, and mitigates risks to safeguard our information assets and comply with regulations. Overseen by our Chief Information Security Officer (CISO), the program reports risk status, along with current events, new trends, and emerging issues, to the Security Advisory Council and the Risk Management Steering Committee.

Our risk management process includes:

  • Risk intake and assessment: Using a matrix-based approach to evaluate risks.
  • Treatment plans: Developing and implementing strategies to mitigate risks.
  • Periodic reassessment: Adjusting risk management strategies based on changes in the threat landscape and control environment.

Cybersecurity training and awareness

Ciena’s security awareness and training program fosters a culture of cybersecurity vigilance across the organization. We provide training and ongoing access to current information for employees at all levels, giving them the knowledge and tools to identify and respond to threats, and we strive to maintain a security-conscious workforce capable of mitigating risks. Key elements include:

  • New hire training: Introducing employees to security fundamentals.
  • Ongoing education: Annual training sessions supplemented by monthly phishing simulations.
  • Alignment with industry standards: Ensuring our program aligns with regulatory and industry standard requirements.

Incident handling and response

Ciena’s Security Incident Response (SIR) function follows the industry-recognized six-phase incident response lifecycle: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Supported by operational guidelines and tabletop exercises, our incident response capabilities include:

  • Coordination with stakeholders: Ensuring timely communication and collaboration during incidents.
  • Engagement with law enforcement: Maintaining relationships with law enforcement agencies globally.
  • Continuous improvement: Conducting post-incident reviews to enhance our response strategies.

Business continuity and supply chain security

Ciena operates an ISO 22301-certified Business Continuity Management System, ensuring resilience during disruptions. Key components include:

  • Backup management and disaster recovery: Protecting critical data and systems.
  • Crisis management: Coordinating responses to major incidents.
  • Supply chain security: Evaluating supplier security and continuity practices through onboarding due diligence, contractual controls, and periodic reviews. We continuously improve our program based on risk insights and regulatory developments.

Technical and organizational measures

Ciena employs a layered approach to cybersecurity, incorporating:

  • Network security: Progressing towards Zero Trust Architecture, secure protocols, and VPN connections protected by multi-factor authentication.
  • Asset management: Lifecycle tracking and governance of IT assets.
  • Encryption: Implementing encryption aligned with recognized industry standards.
  • Access control: Enforcing least privilege methodologies and conducting regular access reviews.

Information sharing and collaboration

Ciena actively participates in cybersecurity information-sharing initiatives, including:

  • Network Security Information Exchange (NSIE): A working group composed of telecom carriers, service providers, vendors, and government agencies.
  • Cloud Security Alliance and IT-ISAC: Memberships that enhance our ability to share and receive cybersecurity intelligence.

Partnering for secure, resilient networks

Ciena’s cybersecurity posture and commitment to compliance align closely with the NIS2 directive’s requirements. By maintaining strong risk management practices, fostering a culture of security awareness, and collaborating with customers and industry partners, we continue to protect our operations, support our customers, and contribute to the broader resilience of critical infrastructure across the EU.

As the cybersecurity landscape evolves, we remain steadfast in our dedication to safeguarding networks and information systems - aligned with regulatory expectations - while delivering innovative solutions to our customers.

If you have questions about how Ciena aligns with a specific country's transposition of NIS2, please reach out to SecurityTrust@ciena.com.