Topics

A Comprehensive Guide to NIS2 Directive Compliance

Written by ForeNova | May 31, 2023 1:02:56 PM

The European Union (EU) is well-known as a region that takes cybersecurity and data privacy very seriously, thanks to the General Data Protection Regulation (GDPR). Five years after the GDPR came into force, the EU continues to lead the way with cybersecurity regulations, this time with the Network and Information Security 2 (NIS2) Directive. 

The NIS was the first-ever EU-wide cybersecurity legislation. Its chief goal was to help EU Member States develop advanced standard cybersecurity capabilities that would enable them to withstand cyber threats, avoid cyberattacks, and secure their information systems. 

The NIS2 expands the scope of the original NIS and obliges more entities and sectors in the EU to implement its required cybersecurity measures. It also addresses the security of supply chains, includes stricter enforcement requirements, and streamlines reporting obligations across the EU. Through these updates, the NIS2 aims to increase long-term cybersecurity in EU. 

The Need for NIS2 

 

Over the past decade, cyberattacks have affected numerous European countries, businesses, and critical sectors. These issues prompted the EU to develop and implement an EU-wide cybersecurity ecosystem. The NIS legislation on cybersecurity represented one of the first steps toward creating this ecosystem. Adopted by Member States in 2016, the NIS aimed to ensure a high common level of cybersecurity across EU Member States. It included numerous legal measures to boost the EU’s overall cybersecurity posture. 

All in all, the ideas proposed by the NIS were sound. However, its implementation proved very difficult, mainly because Member States implemented its requirements differently. These differences increased the compliance burden on companies operating in more than one Member State. Ineffective enforcement also limited the cyber-resilience achievable – and achieved – by Member States. 

The NIS also failed to prepare the EU for the changing threat landscape or improve situational awareness at a bloc-wide level. Further, it couldn’t help Member States implement effective measures to minimize cyber threats, prepare for future cyber challenges, or improve their overall cyber resilience. 

These challenges highlighted the need to enlarge the scope of NIS, clarify its applicability, and unify the rules on cybersecurity risk management and incident reporting. These needs, combined with an open public consultation (OPC) of the original NIS directive, resulted in the development of the NIS2 directive. 

Main Aims of NIS2 

 

In a nutshell, the aim chief of the NIS2 directive is to increase the cybersecurity of critical infrastructure and digital services in the EU and ensure their resilience against known and emerging cyber threats. 

The NIS2 strengthened the security requirements stated in the original NIS. It also tackled the NIS’ limitations that created the issues highlighted in the previous section. By expanding the scope of the NIS and by setting the below objectives for the EU, the NIS2 aims to strengthen the EU’s long-term cybersecurity capabilities: 

  • Ensure that all public and private entities take appropriate cybersecurity measures to improve cyber-resilience 
  • These measures cover many important areas of cybersecurity, including risk management, corporate accountability, incident response, reporting, and business continuity 
  • Increase cybersecurity of the ICT supply chain 
  • Implement consistent security and incident reporting requirements in all Member States 
  • Enforce consistent administrative sanctions when an entity breaches the rules regarding cybersecurity risk management 
  • Encourage national authorities to share information to improve joint situational awareness across the EU 
  • Assign clear responsibilities to improve the way the EU prevents, handles, and responds to cybersecurity incidents and crises 

Cooperation between Member States is a particularly important aim of the NIS2. Through such cooperation, the directive is expected to eliminate the problems related to inconsistent implementation that plagued the NIS. To ensure cooperation, the NIS2 proposes the establishment of EU-CyCLONe (EU-Cyber Crises Liaison Organisation Network) that would enable the coordinated management of EU-wide cybersecurity incidents. In addition, the directive will give more decision-making powers to the NIS Cooperation Group and help increase information exchange between EU Member States. 

NIS2 Requirements and Obligations 

 

The NIS2 directive introduces new requirements and obligations for EU organizations to collectively help protect the EU’s critical infrastructure and bolster its cybersecurity strength and resilience. These requirements and obligations are clearly stated to eliminate differing interpretations (which is what led to implementation problems and increased cybersecurity risk under the NIS). They fall under four overarching areas: 

Risk Management

The NIS2 requires EU entities to implement measures to minimize cyber risks and protect their assets, such as incident management processes, stronger network security controls, robust access controls, and data encryption.

Corporate accountability

Under the NIS2, corporate managers oversee and approve the entity’s cybersecurity measures. They must also be trained on effectively using these measures to minimize the organization’s cyber risks. If, despite these measures, the entity is still breached, management may be penalized. They may be held financially liable for the incident and temporarily banned from their role.

Reporting

The NIS2 harmonizes the rules on cybersecurity incident reporting. It also aims to balance fast reporting (to avoid the spread of an incident) and in-depth reporting (to draw valuable lessons from the incident). 

The directive adopts a multiple-stage reporting approach. Thus, entities that suffer an incident must submit an initial “early warning” report within 24 hours of becoming aware of that incident to a competent national authority or Computer Security Incident Response Teams (CSIRT). They must also submit an incident report within 72 hours of incident awareness and a final report within one month.

Business continuity and crisis management

All organizations must have a plan to ensure business continuity in the event of a cyber incident or crisis. This plan should clearly state how the entity will manage the crisis, particularly regarding system and information recovery, systems access, data backup, emergency procedures, incident handling, and crisis response. It should also mention how the entity will manage its operations during and after the incident. 

Other requirements of NIS2 

In addition to these four overarching areas, the NIS2 directive specifies certain baseline security measures that the EU’s essential entities must implement. These measures, meant to reduce risk and minimize the possibility of cyberattacks, include: 

  • Implement security policies for information systems 
  • Implement controls and policies to boost security around system procurement 
  • Implement policies and procedures to discover, handle, and report vulnerabilities 
  • Implement policies and procedures for the use of cryptography and encryption 
  • Implement access policies for sensitive data 
  • Create an asset inventory and ensure that all assets are safely handled and utilized 
  • Implement multi-factor authentication (MFA) whenever appropriate and wherever possible 
  • Deliver cybersecurity training programs to improve users’ cybersecurity awareness and hygiene 
  • Boost supply chain security and manage the security-related relationships between the entity and its third parties (suppliers, service providers, etc.) 

Applicability of NIS2 

Generally, all entities (medium-sized and large) operating in the sectors covered by the NIS2 directive or providing services covered by the directive fall under its scope and will be affected by its rules and requirements. The directive introduces a “size-cap rule” to determine which entities will be affected by its requirements. The rule also determines which entities qualify as operators of “essential” services and which entities will be deemed “important.” 

Essential sectors/entities 

Important sectors/entities 

Energy 

Postal and courier services 

Transportation 

Waste management 

Banking 

Chemicals 

Financial services and markets 

Food 

Healthcare 

Medical device manufacturers 

Drinking water and waste water 

Computers 

Digital infrastructure 

Electronics 

Public administration 

Machinery 

Space 

Vehicles 

Pharmaceuticals (including vaccines) 

Digital providers 

 

From the NIS2 perspective, all these entities fall under the jurisdiction of the Member State in which they are established, not of the Member State in which they provide their services. If an essential entity provides services in more than one Member State, it falls under the jurisdiction of each of these Member States. 

The NIS2 directive also applies to public administration entities at the central and regional levels. In addition, it may also apply at a local level if Member States so choose. 

Certain EU entities are excluded from the scope of the NIS2. These are: 

  • Entities carrying out activities related to defense and national security 
  • Entities involved in public security or law enforcement 
  • National judiciaries 
  • Parliaments 
  • Central banks 

NIS2 Implementation Timelines 

As a political agreement, the NIS2 was adopted by the European Council and European Parliament in November 2022. Both legislators signed the text in December 2022, and came into force in January 2023. The 27 EU Member States have until October 17th, 2024, to transpose the directive into national law. 

All EU entities with at least some digital operations and face some cybersecurity risk must be aware of this deadline and implement NIS2 directives before then, particularly if they are deemed essential or necessary per the NIS2’s definition. The compliance process takes around 12 months. As of May 2023, EU entities that will fall under the purview of NIS2 have 17 months to complete the process. 

This process will require them to complete several activities related to: 

  • Cybersecurity risk assessments 
  • Auditing 
  • Policy-setting for information systems security 
  • Procedure-setting for incident handling 
  • Business continuity and crisis management 
  • Supply chain security 
  • Vulnerability assessments, handling, and disclosures 
  • Cryptography 
  • Data encryption 

NIS2 Non-compliance Penalties 

The requirements of the NIS2 are legally binding on the entities that fall under its purview. Member States have the discretion to penalize non-compliant entities with dissuasive penalties as well as administrative fines. In general, essential entities that fail to comply with its directives may be fined up to €10 million or 2% of their total turnover worldwide – whichever is higher. Important entities that fail to comply with the NIS2 may be fined up to €7 million or 1.7% of global turnover. In addition, non-compliant companies may be forced to suspend their business activities until they meet the NIS2 requirements and achieve 100% compliance. 

The directive places additional responsibility on enterprise management bodies to meet its requirements and comply with its obligations and provisions. Here, “bodies” means managers at all levels, including senior and C-Suite levels. Managers who fail to comply with the NIS2 may be fined and face criminal sanctions. If gross negligence is proven after a cyber incident, they may be held personally liable. In case of repeated violations at an essential entity, its managers may be temporarily banned from holding management positions. 

Apart from administrative fines and non-monetary remedies, the NIS2 also allows criminal sanctions on non-compliant organizations and their management. In addition, national supervisory bodies are authorized to designate a monitoring officer. They may also order the entity’s managers to conduct security audits, send threat notifications to entities’ customers, and make compliance violations public (while also identifying the legal persons/managers responsible for the occurrence of the violation). 

The goal of all these strict measures is twofold: i) to increase accountability for implementing the directive’s required cybersecurity measures at the organizational level and ii) to prevent gross negligence in enterprise cyber risk management. 

 

The Easiest Way to Implement NIS2 

 

Implementing the various requirements of the NIS2 and maintaining compliance with the directive can be time-consuming and even overwhelming. Working with an external cybersecurity team, compliance, and NIS2 experts like ForeNova can help reduce the overwhelm. 

ForeNova’s NIS2 specialists can assist you with every aspect of NIS2 compliance, from determining if you fall under the directive’s scope to preparing a compliance plan, evaluating your security measures, and amending your security policies. We will also prepare your asset inventory, assess your network, and implement controls to reduce your attack surface and prevent data breaches. We can provide that if you require 24/7 threat detection and response. 

We can review all regulations and map our capabilities and NIS2 requirements with you. With our experience in helping customers like hospitals to fulfill NIS2 we can offer a transparent process and the most efficient way on the road to NIS2 compliance.  

Contact us at support@forenova.com to get started with NIS2 implementation – before it’s too late.