IoT Worlds

What is the NIS2 Directive? Here Is the Reference Guide!

After the COVID-19 pandemic and the increase in attacks targeting European critical infrastructure, the original NIS Directive began to show its age and its shortcomings became apparent. NIS2 was created to address them.

The new rules set more stringent compliance requirements and penalties for noncompliance, holding C-level executives more accountable than ever.

Definition

NIS2 is a new directive that strengthens EU-wide cybersecurity standards and institutes penalties against organizations that do not abide by them. It is designed to safeguard business-critical systems against cyber attacks, create stronger cooperation between EU countries and ensure that minimum security requirements are met for critical infrastructures.

The directive will have a significant impact on all member states of the European Union. It applies to essential service providers such as energy, water supply, transportation and banking services; cloud providers; ISPs and telecom companies; and digital service providers that manage and monitor key infrastructure such as cloud storage services. In essence, the new directive eliminates the flexibility that allowed certain member states to tailor their adherence to security requirements, which had led to vulnerabilities and inconsistencies in regulatory enforcement practices.

To assess whether its services are covered, an organization must conduct a business impact analysis, identifying essential processes and their dependency on network and information systems. Once these are identified, the assets providing those services must also be identified, and a risk analysis performed to establish the level of risk associated with each asset. This risk analysis must then be documented for use when implementing NIS2 compliance measures.

This directive mandates that each EU member state establishes and implements a central point of contact and computer security incident response team (CSIRT), as well as an oversight body to oversee NIS2 compliance and enforce penalties.

NIS2 will require operators of essential services and digital service providers to report incidents within a specified timeframe and lowers the reporting thresholds, marking an important shift from its predecessor, the NIS Directive.

The NIS2 Directive will impose stricter sanctions against organizations that fail to abide by its rules, penalizing noncompliant organisations with fines of up to EUR 10 million or 2% of annual turnover (whichever is greater), with fines being assessed at up to 1.4% of global turnover for major entities and EUR 7.4 million for smaller ones.

Retailers are likely to be affected by this directive, as they fall under the definition of an “important entity.” A recent report showed that 77% of retailers experienced ransomware attacks in 2022; to protect themselves against this threat, organizations should implement Zero Trust security to secure all internal and external connections and enable swift detection of and response to threats.

Scope

The NIS2 Directive expands the number of critical industries covered from seven to 18, strengthens incident reporting requirements, and introduces accountability measures for top management. If your organisation falls within this scope, now is the time to assess what these requirements mean for it; be prepared, contact us!

This new directive seeks to establish a uniform level of protection across EU member states by setting cybersecurity requirements and measures for the affected industries, unifying reporting obligations, and providing compliance monitoring and enforcement measures such as sanctions or fines.

This policy also establishes a framework for informing the appropriate national authorities and relevant customers of any cyber incident that has an adverse impact in terms of operational disruption, financial loss or physical harm. Covered entities are required to submit an initial incident report within 24 hours, a more comprehensive report within 72 hours, and a final, complete report within one month.

Furthermore, this directive requires covered entities to develop and execute an effective business continuity plan in order to mitigate cyberattacks and ensure uninterrupted operations following an incident. They should designate one central point of contact and establish an incident response team as part of this effort.

NIS2 is a more thorough and transparent directive than its predecessor, eliminating options to tailor compliance to its requirements, which had created too much flexibility under the previous NIS, leading to vulnerabilities. Furthermore, this version clarifies and harmonizes reporting obligations while offering more stringent enforcement mechanisms with penalties for noncompliance.

Note that NIS2 does not apply to public administration entities of central governments; if your entity falls into this category, NIS2 won’t apply. Nonetheless, the directive covers telecom providers and social media platforms as well as providers of essential infrastructure services such as energy companies or banks; it doesn’t, however, cover private companies or any entities not offering an essential service.

Implementation

The Network and Information Systems Security (NIS) Directive was implemented in 2016, requiring EU Member States to ensure operators of critical infrastructure sectors and key digital service providers have in place comprehensive cybersecurity measures and report any cyber incidents to authorities and affected parties immediately. The NIS2 directive serves as a continuation of this requirement.

The new NIS2 Directive defines the affected sectors, sets standardized security requirements, outlines reporting obligations and penalties for noncompliance, promotes increased cyber risk awareness and provides guidance on addressing those risks effectively. It also introduces an incident response timeline requiring all essential and important entities to notify authorities within 24 hours of any significant impact, and encourages Member States to create a single entry point for all notifications of significant impacts.

NIS2 aims to strengthen EU cyber resilience and ensure that citizens can access essential services. It covers more sectors and services than its predecessor directive and even includes micro-enterprises that are not currently regulated but play an essential role. Furthermore, NIS2 expands the definition of digital service by mandating that operators implement measures against threats and create clear cybersecurity policies.

Noncompliance with the NIS2 Directive can result in administrative fines of up to EUR 10 million or at least 2% of annual worldwide turnover, whichever is greater. Covered entities are also required to consider cybersecurity in their supply chains, which will likely affect small and medium-sized businesses that must now add security provisions to procurement contracts with entities covered by NIS2.

NIS2 requires all entities subject to its jurisdiction to adopt a risk-based approach to their cybersecurity policies and procedures, conduct regular tests to detect vulnerabilities in their infrastructure, and maintain robust detection and response capabilities that quickly identify malicious threats; the author also recommends leveraging next-generation AI-powered Virtual Security Analysts that analyze threats quickly to stop potential damage before it occurs.

Enforcement

The NIS2 Directive affects not only critical national infrastructures, but also businesses across a variety of industries and fields. Therefore, it’s vital for organizations to understand how this directive will apply to them, and begin preparations as early as possible in order to meet its compliance deadline.

NIS2 is the successor of the NIS directive and seeks to enhance cybersecurity measures and incident response capabilities across EU member states’ essential services sectors and digital service providers. It expands the scope of regulated entities while increasing penalties for noncompliance.

NIS2 defines essential and important services more broadly and encompasses an array of sectors such as energy, transport, banking, financial market infrastructures, water supply and health. Furthermore, this definition encompasses entities providing digital health and education services as well as e-commerce platforms.

Organizations seeking to assess whether they’re subject to NIS2 must conduct a detailed review of their internal operations and business processes in order to identify essential services and infrastructure that support their operations, assess risk exposure and implement security measures in order to reduce vulnerability. Notified bodies must then periodically audit the effectiveness of such measures while reporting any significant incidents that arise as per NIS2.

The directive also requires EU member states to establish the European Cyber Situational Awareness Network (EU-CyCLONe) to share threat intelligence and facilitate communications during cross-border cybersecurity incidents. In addition, essential and important entities must take steps towards creating crisis management teams and adopting other incident response plans.

Finally, this initiative encourages EU member states to create and enhance legislation regarding cyber incident response, with penalties for noncompliance and improved cooperation between EU states and international organizations in responding to such incidents.

Noncompliance with the NIS2 Directive may incur administrative fines of up to EUR 10 million or 2% of an entity’s annual turnover, or even more for certain violations. Furthermore, regulatory authorities may compel an organisation to create a remediation plan and make it public, and in the case of serious violations may order it to hire external experts to ensure full compliance.

If you require more details, assessments, solutions and support from experts, please contact us!

Here is a quick reference guide for NIS2.
