NIS2 Directive: New requirements for cybersecurity in the EU

Background

The NIS2 Directive, the revised version of the Network and Information Security Directive, is a European directive aimed at strengthening cybersecurity in the European Union (EU). Now that the directive has been officially published, member states have 21 months - that is, until Oct. 17, 2024 - to transpose the requirements of this new cybersecurity directive into national legislation.

Want to learn more about the NIS2 directive and what it means for your organization? Contact a specialist without obligation.

What is the Network and Information Security Directive (NIS) and why has it been updated?

The EU adopted the first NIS Directive in 2016 in response to growing concern about cyber attacks. The directive was intended not only to strengthen member states' cybersecurity capabilities but also to increase cybersecurity cooperation between them. It also required countries to supervise cybersecurity in their critical infrastructure, such as energy, transport and healthcare.

Seven years after its launch, the cyber threat landscape has changed significantly and the directive no longer fully meets the cybersecurity risk outlook of 2023. Cyber attacks and data breaches have increased sharply as people and organizations have become ever more dependent on digital technology. In addition, attacks on critical national infrastructure (CNI) and on the software supply chain, such as the SolarWinds compromise, together with gaps in the original NIS legislation and inconsistencies in how member states implemented it, exposed the limitations of the previous model and the need for a more comprehensive replacement.

"This European directive is going to help some 160,000 entities strengthen their grip on security and make Europe a safe place to live and work. The law should also enable information sharing with the private sector and partners around the world. If we are attacked on an industrial scale, we must respond on an industrial scale," said Bart Groothuis of the European Parliament.

When and to whom does the NIS2 directive apply?

NIS2 applies to organizations established or operating in the EU that provide services in one of the sectors listed in the directive and that meet the description of an 'essential' or 'important' entity. Examples include Internet service providers, energy suppliers, drinking water companies, waste processors, banks, transport companies, healthcare facilities and factories that produce food or major household goods. A notable exception is smaller companies that operate in a listed sector but fall below the size threshold (fewer than 50 employees and an annual turnover or balance sheet total below 10 million euros). Note, however, that some entity types, such as DNS service providers and top-level domain name registries, are in scope regardless of size, as are entities that member states identify as critical, for example the sole provider of a service essential to society or the economy.

NIS2 classifies in-scope organizations as either essential or important entities; the same cybersecurity risk-management requirements and incident reporting obligations apply to both. What is the biggest difference between essential and important entities? Supervision. Essential entities, mainly parties in vital sectors, are supervised proactively (ex ante): regulators check, for instance through audits and inspections, that these organizations are correctly implementing and complying with the rules, and compliance must be clearly visible in their processes. Important entities are supervised reactively (ex post), that is, when there is evidence of non-compliance, such as after a cyber incident.

Overview of essential and important sectors according to the NIS2 directive

The updated directive has a broader scope (more sectors and more organizations) than the NIS1 directive and aims to equalize and increase digital resilience across all EU member states. NIS2 entered into force in January 2023; the transposed national rules apply from October 2024 at the latest. "For many SMEs, NIS2 will have no impact unless you are essential. Then you have to be certified and you will get more frequent visits from a regulator," explains Bart Groothuis.

What are the main requirements of the NIS2 directive?

NIS2 addresses the problems with the previous NIS legislation and tightens the rules. The main problem was the inconsistent way in which the original NIS directive was implemented, which made cooperation between countries difficult and undermined the overall goal of effective cybersecurity across the EU.

With NIS2, organizations must take the following measures to manage cybersecurity risks:

Risk analysis and information security policies

A critical component of cybersecurity is assessing the level of risk. NIS2 requires organizations to evaluate the potential impact of an attack on their most vital assets and to stay alert to vulnerabilities in their networks and to news of attacks on other organizations in their sector. They must also approach risk management proactively rather than reactively by adopting information security policies that ensure systematic and thorough risk analysis, with measures proportionate to the risk identified.

Incident prevention, detection and response

NIS2 requires organizations to have incident handling plans and fallback plans, to conduct exercises and to train all relevant parties. Once an organization has identified its key vulnerabilities, the updated directive requires it to implement clear procedures to prevent attacks and to agree on methods to detect potential incidents. This should result in an incident response plan with a transparent command structure for carrying it out.

Supply chain security

Global supply chain security has been under a magnifying glass for some time. NIS2 reinforces this, requiring organizations to address the vulnerabilities and cybersecurity practices of all their suppliers and service providers, including data storage and cloud providers. Organizations must clearly understand these risks, maintain a close relationship with their vendors, and continually update their security measures to ensure the highest possible level of protection.

Continuity and crisis management

NIS2 should ensure that an organization can continue operating in the event of a cyber attack. An organization must have a demonstrable plan for how it will respond to an attack and how it can recover from it as quickly as possible and with minimal disruption. This is why backup management and disaster recovery, including cloud-based backup solutions, feature explicitly in NIS2.

Disclosure of vulnerabilities

NIS2 requires more transparent disclosure and management of vulnerabilities. Organizations must provide a way for the public and security researchers to report vulnerabilities and must ensure that the responsible team acts on the information. When an organization discovers a vulnerability in its products or network, the updated directive expects it to handle and disclose the vulnerability in a coordinated way, with the national CSIRT acting as coordinator where needed. Coordinated disclosure of such vulnerabilities supports the fight against cybercrime and reduces the chance that they are exploited elsewhere.

NIS2 will also impose an updated approach for:

Incident reporting

Under the updated directive, organizations must submit an early warning within 24 hours of becoming aware of a "significant" incident, an incident notification within 72 hours (with an initial assessment of its severity and impact and any indicators of compromise), and a final report within one month. Reports go to the competent authority or the national Computer Security Incident Response Team (CSIRT); where relevant, the recipients of the affected services must also be informed.

A "significant" incident is one that has caused or is capable of causing severe operational disruption of services or financial loss for the organization, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Collaboration

One of the gaps in the first NIS directive was that it did not account for the different ways in which individual member states implemented it. Therefore, NIS2:

  • Encourages more information sharing between authorities
  • Requires authorities to take part in coordinated incident response at EU level, not only at national level
  • Establishes the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which supports the coordinated management of large-scale cybersecurity incidents and crises across the EU

By harmonizing minimum cybersecurity requirements across member states and requiring everyone to adhere to the same standards, NIS2 aims to simplify a previously poorly coordinated system. This should make it easier to share information collectively and to find more efficient responses to cyber incidents.

What are the consequences of non-compliance with NIS2?

NIS2 includes much stricter enforcement requirements than its predecessor. Measures for non-compliance range from a security audit and an order to follow established recommendations to fines: up to €10 million or 2% of the organization's total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities.

These fines are modelled on those of the GDPR (known in the Netherlands as the AVG), so the NIS2 directive should be understood in a similar way. In this sense, NIS2 represents a major leap in cybersecurity regulation and should be taken as seriously as the huge change the GDPR brought about in data protection.

Preparing for NIS2 with ISO 27001

For organizations seeking to comply with the NIS2 directive, certification according to ISO 27001 for information security can be a powerful first step.

The directive itself calls for the use of European and international standards to be encouraged in the measures organizations take to comply, and the technical guidance from the European Union Agency for Cybersecurity (ENISA) links each security objective to various best-practice standards, including ISO 27001.

An information security management system (ISMS) that complies with ISO 27001 enables organizations to reduce their risks and exposure to security threats by identifying the policies they need to document, the technologies they need to protect themselves and the training staff need to prevent mistakes. ISO 27001 also requires organizations to conduct risk assessments at planned intervals and whenever significant changes occur, helping them stay ahead of the ever-changing risk landscape.

ISO 27001 helps organizations meet NIS2 requirements while achieving independently audited certification. This provides evidence to vendors, stakeholders and regulators that you have the necessary technical and organizational measures in place to handle sensitive data responsibly.

Want to learn more about how ISO 27001 can help you with the new NIS2 directive? Don't hesitate to schedule a consultation with us.