Recently, many Chief Information Security Officers have been asking about NIS2 – What it is, what they and their organisation need to do to prepare and comply, and what security providers can do to ensure they meet the requirements of this new regulation.
Part I of this series will focus on the NIS2 Directive, what it is, and what led up to the new and expanded updates that go into effect October 17, 2024. Part II of this series entitled, “Part II: NIS2 Directive – Everything EU Member States and Organisations Need to Know to Prepare and Comply” will focus on the regulated sectors, how NIS2 requirements will affect these organisations, and what security providers can do to help them prepare and comply.
What is the NIS2 Directive and How Did It Evolve?
The revised Network and Information Security Directive (NIS2) Directive (Directive (EU) 2022/2555) is the EU-wide legislation on cybersecurity. NIS2 updates complement the original NIS Directive, adopted in 2016, and creates a legal framework to enhance the overall level of cybersecurity across the European Union (EU). NIS2 will further enhance the work started in the NIS Directive, as set forth by the National Cyber Security Centre (NCSC) to build an advanced but common level of cyber security across the EU. It places obligations on Member States and individual companies in critical sectors.
The NIS2 Directive went into force on January 15, 2023, and unlike some regulations such as the General Data Protection Regulation (GDPR), NIS2 is a directive and not a regulation of the EU and requires Member States to legally amend their national legislation by October 17, 2024. In general, NIS2 aims to improve the cyber-resilience of critical infrastructure and entities designated “Essential” or “Important” depending on factors such as size, sector, and criticality. It requires security practitioners in key industries to implement more stringent security measures and reporting of cyber incidents.
The updated NIS2 Directive focuses on three main areas:
- Expanding the scope of application: The 7 sectors covered by the original NIS Directive are supplemented by new sectors.
- New mechanisms for incident reporting and information sharing: NIS2 mandates the timely reporting of significant incidents.
- Tighter enforcement of compliance: The updated NIS2 introduces specific sanctions for non-compliance, including fines of up to 2% of global annual turnover.
According to Article 21(1) of the Directive, Member Sates shall ensure that Essential and Important entities take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems which those entities use for the operations or for the provision of their services, and to prevent or minimise the impact of incidents for those using their services.
Based on this, there are three main pillars of NIS2 including Pillar 1: Member State Responsibilities; Pillar 2: Company Responsibilities; and Pillar 3: Co-operation and Information Exchange. Company responsibilities focus on risk management will be outlined in further detail in Part II of this series.
What is the NIS2 Cybersecurity Requirements?
According to Article 21 (1) of the Directive, Member States shall ensure that Essential and Important entities take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on users of their services.
These measures shall be based on an all-hazards approach to protect network and information systems, and the physical environment of those systems from incidents, and shall include at least the following:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practises and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management; the use of MFA or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
Incident notification and risk management are two of the highest priorities of which NIS2 imposes strict adherence to these measures.
Incident Notification
The NIS2 Directive introduces a phased approach to reporting obligations for incidents that have a ‘significant impact’ on service delivery. These reports are required to be submitted to the appropriate competent authority or the CSIRT (Computer Security Incident Response Team). Requirements include:
- 24-hour Early Warning: Is it a suspected malicious act with potential cross-border impacts?
- Official Incident Notification: Assessment of the incident, severity and impact, plus indicators of compromise.
- Intermediate Status Report: At the request of CSIRT or relevant competent authority.
- Final Report: Or if incident is ongoing at time of final report, a progress report and final report one month after the incident has been remediated
NIS2 also states that entities shall notify users of their services of significant incidents, where appropriate. When in the public interest, the CSIRT or relevant competent authority may inform the public about the significant incident or may require the entity to do so.
Cyber Security Risk Management
Essential and Important entities are required to implement suitable and proportionate technical, operational, and organisational measures to address the risks to the systems supporting their services to prevent or reduce the impact of incidents on their services and others. These measures should follow an all-hazards strategy designed to safeguard both the network and information systems, as well as their physical environments from incidents. These measures must include:
- Risk analysis and information system security
- Incident handling
- Business continuity measures (back-ups, disaster recovery, crisis management)
- Supply chain security
- Security in system acquisition, development and maintenance, including vulnerability management, penetration testing services and vulnerability disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic computer hygiene and trainings
- Policies on appropriate use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Use of multi-factor, secured voice/video/text communications and secure emergency communications
| All measures must be: | The EU can: |
|
|
NIS2 Timeline and How It Evolved
The NIS2 Directive, which replaced the original NIS Directive of 2016, was introduced to address new cybersecurity challenges in the EU. Several factors led to its creation including, but not limited to, the growing cyber threat landscape, technological advancement, increase in emerging risks, insufficient implementation of the original NIS Directive, increased dependency on digital and supply chain risks, evolving European cybersecurity policy, and the need to strengthen the GDPR.
Below is a useful timeline of key events leading to the adoption of NIS2 Directive.
|
July 6, 2016
|
November 10, 2022
|
|
2017 – 2018
|
December 14, 2022
|
|
May 9, 2018
|
January 16, 2023
|
|
2020
|
October 17, 2024
|
|
July 7, 2020
|
April 17, 2025
|
|
December 16, 2020
|
October 17, 2027
|
|
May 13, 2022
|
Conclusion: What to Expect Next
The NIS2 Directive will take effect on October 17, 2024 and will have several ramifications on cybersecurity in the EU with full implementation in 2025. As industries adapt to compliance requirements, the EU is likely to offer more detail guidance for key sectors, enhancing both implementation and integration processes.
To learn more about what CISOs and their organisations need to do prepare and comply with NIS2, and what security providers can do to help, read Part II in this series, entitled, “Part II: NIS2 Directive – Everything EU Member States and Organisations Need to Know to Prepare and Comply.”
