INCD Directive 2.0 — Cybersecurity Protection of Critical Infrastructure

Israel's National Cyber Directorate (INCD) Directive 2.0 on Cybersecurity Protection of Critical Infrastructure establishes the cybersecurity framework for critical infrastructure operators in Israel. The Directive applies to operators in 19 critical infrastructure sectors including energy, water, transportation, communications, finance, health, defense industries, and government. The Directive is structured around five tiers of security requirements based on the criticality and risk profile of the operator. Key requirements include: appointment of a cybersecurity officer; implementation of security controls across 8 domains; annual risk assessments; incident reporting to INCD within 4 hours; and participation in national cybersecurity exercises. Israel's cybersecurity regulatory framework is notable for its strong integration between civilian and military/intelligence cybersecurity capabilities, with INCD coordinating closely with Unit 8200 and the Shin Bet for threat intelligence sharing. The Directive is complemented by sector-specific directives issued by sector regulators.