The NIS2 Directive, also known as the Network and Information Systems Directive 2, constitutes a European Union policy aimed at improving the cybersecurity and resilience of critical infrastructure sectors. In this article, we outline how organizations and companies can effectively prepare for NIS2 compliance.
What is the NIS2 Directive?
In July 2016, the Directive on the security of Network and Information Systems (NIS) was established. The primary objective of this Directive was to elevate cyber resilience throughout the European Union by means of regulatory measures. It placed significant emphasis on reinforcing cybersecurity capacities at a national level, fostering cooperation among Member States, and ingraining cybersecurity as an integral aspect of organizational operations.
Why was NIS revised?
Shortly after its adoption, it became evident that the implementation of the Directive revealed significant variations among Member States. These inconsistencies resulted in a disjointed framework where certain organizations and companies were considered essential in certain countries, yet not in others. These inconsistencies were:
- Insufficient level of cyber resilience of businesses operating in the EU,
- Inconsistent resilience across Member States and sectors,
- An insufficient common understanding of the main threats and challenges among Member States,
- Lack of joint crisis response.
On November 10, 2022, the European Parliament made a decision to adopt the revised Network and Information Systems Directive (EU) 2022/0383, commonly known as NIS2. This revision aims to extend, reinforce, and standardize the implementation of the European Union's existing cybersecurity structure.
The directive's applicability encompassed two distinct groups: operators of essential services and digital service providers.
NIS2 plays a pivotal role in the EU's Cybersecurity Strategy and aligns with the European Commission's primary objective of preparing Europe for the challenges of the digital era.
The deadline for Member States to transpose the NIS2 Directive into applicable, national law is 18th October 2024. It is essential that companies are fully prepared and compliant before the deadline date.
Who will be affected by NIS2?
So, who does the NIS2 apply to? NIS2 applies to all entities that:
- provide services or carry out activities in the EU,
- match the description of an "essential" or "important" entity in a defined list of sectors.
Notable exceptions include:
- a size cap, which means small and micro businesses (less than 10 employees, revenue of Euro 2 million or less) are excluded in some instances;
- Member States may grant exemptions for specific entities that carry out activities related to national security, public security, defense, or law enforcement.
The sectors of significance, from which specific businesses may qualify as essential or important entities, encompass a wide range of industries and include, banking, financial market infrastructures, digital service providers such as online marketplaces, online search engines, and social networking platforms.
Furthermore, these entities extend to digital infrastructure, encompassing providers of public electronic communication networks and services, cloud service providers, and data centers. Additionally, sectors of note include business-to-business ICT service management, energy, transportation, healthcare, space, and specific categories of manufacturing such as machinery, computers, electronics, automotive, and other transport-related equipment. Production and distribution areas such as food and certain utilities are also included within this scope.
How to prepare for the NIS2 Directive
Member States are required to ensure that essential and important entities adopt appropriate and proportionate technical, operational, and organizational measures. These measures are aimed at effectively handling the threats that could jeopardize the security of the network and information systems utilized by these entities for their operations or provision of services. The aim is to prevent or mitigate the repercussions of incidents, both on the recipients of their services and on other interconnected services.
The measures that need to be taken, as detailed in NIS2, Article 21 are based on an all-hazards approach with the objective to protect network and information systems as well as their physical environments from incidents, and must comprise at least the following:
- policies on risk management and information systems security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies, and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.
|Risk Management||Corporate Accountability|
|In adherence to the updated Directive, organizations must take measures to mitigate cyber risks. These measures include incident management, supply chain security, network security, improved access control, and encryption||Corporate management is mandated to oversee, approve, and receive training on the entity’s cybersecurity measures. This includes addressing cyber risks effectively. In the event of breaches, management could face penalties, which might involve liability and a temporary ban from managerial positions|
|Reporting Obligations||Business Continuity|
|Entities classified as essential and important are required to establish processes for efficient reporting of security incidents that have a substantial impact on their services or recipients. NIS2 stipulates precise timeframes for notifications, including an "early warning" requirement within 24 hours||Organizations need to strategize on ensuring business continuity in the event of cyber incidents. This needs to include considerations around system recovery, emergency protocols, and the establishment of a crisis response team|
Whilst the specific national implementation of the NIS2 Directive into national laws is still in progress, organizations have already recognized the significance and importance of cybersecurity. Their primary areas of focus should be:
- Strengthening their internal cybersecurity infrastructure and incident response management,
- Ensuring the security of processes involving third-party providers.
Utimaco welcomes the planned strengthening of cybersecurity in the EU and provides solutions to enable organizations to establish a reliable cybersecurity infrastructure aligned with the requirements of NIS2.