The cybersecurity landscape is constantly evolving, and with it, regulatory frameworks are adapting to address the challenges posed by new digital threats. One such development is the Network and Information Security Directive 2 (NIS2 Directive), a significant update to the original NIS Directive. The NIS2 Directive aims to enhance the overall cybersecurity posture of critical infrastructure operators and digital service providers across the European Union.
The NIS2 Directive on measures for a high common level of cybersecurity across the Union, adopted in January 2023, represents a robust framework designed to ensure the security of network and information systems, ultimately safeguarding vital services and digital infrastructure.
The NIS2 Directive builds upon the foundation of its predecessor (NIS), introducing updates such as broader coverage of new sectors, increased focus on incident reporting and response, and the establishment of a Cybersecurity Competence Center.
As EU member states will need to transpose the directive into their national legislation by October 2024, it is important to understand what to expect with this updated directive.
Scope:
In terms of scope, NIS2 expands coverage from seven sectors to sixteen-eighteen. The new Directive focuses on giving guidance to guarantee uniform transposition across EU member states and expands the areas that are covered. “NIS2 defines two categories for entities in scope: important and essential. Entities in both categories will have to meet the same requirements. However, the distinction will be in the supervisory measures and penalties.”[1]
Accordingly, essential entities will be subject to supervisory obligations, while important entities will be under ex-post supervision: if authorities find proof of non-compliance, they will take appropriate action.
To clarify, “The NIS2 has simplified the scoping exercise the competent authorities have to make. A list of sectors was defined and a base rule that any large (headcount over 250 or more than 50 million revenue) or medium (headcount over 50 or more than 10 million revenue) enterprise from those sectors will be directly included in the scope. However, small or micro-organizations are not necessarily excluded; Member States can extend these requirements if an enterprise fulfills specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.”[2]
The Member States are required to list all essential and important organizations covered by the NIS2 Directive by April 17, 2025. Member States may allow organizations to register independently. Entities will therefore need to decide whether their services are covered by NIS2, make a list of the Member States where they offer “in-scope” services, and register before the deadline in each Member State. It is important to mention that although NIS2 sets a number of ‘minimum requirements’ that must be met, Member States may choose to set stricter standards.
Key points:
Another crucial component of the new Directive is its goal of enhancing cooperation among EU Member States in relation to cyber incidents and threats. To encourage knowledge exchange among the Member States, the European Union Agency for Cybersecurity (ENISA) will be tasked with creating a European Vulnerability Disclosure Database.
“In that regard, the Directive encourages Member States to simplify the incident reporting process by implementing a single entry point for incidents to reduce the administrative burden, including for cross-Member State incidents.”[3]
NIS2 also places a strong focus on key supply chains: individual businesses will be in charge of handling cybersecurity risks within their supplier relationships as well as in their own supply chains. As a result, suppliers who are not themselves within the scope of NIS2 may still be affected: although they are not supervised by the national authorities under NIS2, they will be supervised by their customers.
“It will be obligatory for management to take responsibility regarding their cybersecurity maturity. This will include having risk assessments conducted and approving risk treatment plans to be implemented, among other tasks”.[4] In this way, NIS2 provides for enhanced accountability assigned to the management of the organizations within the scope of the directive. To achieve this, management of those organizations must follow cybersecurity training. Furthermore, it is recommended to provide cybersecurity awareness training to employees at all levels to promote a culture of security, for example by encouraging the adoption of good cybersecurity practices among employees and emphasizing password management, software updates, and safe browsing habits, among others.
Jurisdiction & penalties:
According to the NIS2 Directive, essential and important entities are considered to fall under the jurisdiction of the Member State in which they carry out their functions.
If an entity offers services in more than one Member State, each of these Member States should have jurisdiction over it. Furthermore, “For entities where the service is provided or is dependent on operations outside the EU, they should ensure the continuity of their EU services in case of disruption of their non-EU operations.”[5]
NIS2 introduces greater sanctions for non-compliance, including fines of up to 10% of an entity’s yearly sales. These sanctions vary depending on whether the entity is an essential or an important one. “Fines of up to €10,000,000 or 2% of total international turnover can be imposed on companies in the first category. For the second category, fines can be up to €7,000,000 or 1.4% of total international turnover.”[6]
Preparation:
Given all of the above, Member States should start preparing to transpose the NIS2 Directive, and entities themselves should start preparing to implement its requirements. For that, it is important to begin by identifying the “organization’s critical services, processes, and assets that provide the essential service as defined in NIS2. A method to achieve the above is an organization-wide Business Impact Assessment to highlight the organization’s critical processes and their reliance on network and information systems.”[7]
Moreover, entities should gain control over their information security risks by implementing an information security risk management system. Likewise, an analysis of the entity’s supply chain is important in order to initiate the supply chain security management process.
As the NIS2 Directive brings about a new era of cybersecurity regulation in the European Union, organizations must proactively prepare to meet its requirements. By understanding the directive’s scope, implementing robust security measures, fostering a cybersecurity-conscious culture, and collaborating with competent authorities, organizations can effectively enhance their cybersecurity posture and contribute to a more secure digital landscape. Embracing these steps will not only ensure compliance but also strengthen an organization’s resilience against evolving cyber threats.
________________
[1] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[2] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[3] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[4] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[5] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[6] https://www.nnit.com/our-solutions/cybersecurity/compliance-privacy/cybersecurity-how-to-prepare-for-the-nis2-directive/
[7] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive