A Deep Dive into the NIS2 Directive

In a world where digital transformation is rapidly reshaping industries and economies, cybersecurity has become a paramount concern. The European Union (EU), recognizing the urgency to strengthen its cybersecurity defenses, introduced the NIS2 directive, a significant evolution from the 2016 EU cybersecurity rules. This new directive is a robust response to the ever-evolving threats in our digital landscape, particularly in light of the digital acceleration during the COVID-19 crisis.

Background and Evolution of NIS2

Originally, the NIS Directive was the EU’s first horizontal internal market instrument aimed at improving resilience against cybersecurity risks. However, the rapid digital transformation, intensified by the COVID-19 pandemic, exposed its limitations. The need for a more adaptive, resilient framework led to the comprehensive revision of the NIS Directive, culminating in the NIS2 Directive.

NIS2’s Building Blocks

The NIS2 Directive builds on the 3 pillars of the NIS1 Directive:

1. Mandate national governments to prioritize cybersecurity attentively;
2. Enhance collaborative efforts among European cybersecurity authorities;
3. Obligate principal entities in crucial societal sectors to implement security protocols and disclose incidents.

"NIS 2 is NIS 1 on steroids".

Under NIS 2, national governments, including their respective Computer Security Incident Response Teams (CSIRTs), are expected to exhibit greater authority and enhance cooperation. National cybersecurity strategies are now required to encompass a wider range of elements and specific policies tailored for Small and Medium Enterprises (SMEs). Additionally, each Member State is tasked with establishing a framework for coordinated vulnerability disclosure and creating robust frameworks and authorities for cybersecurity crisis management.

European collaboration is also intensifying on multiple fronts: policy-making (via the NIS Cooperation Group), technical aspects (within the EU CSIRTs network), and crisis management (through the establishment of the Cyber Crisis Liaison Organisation Network, or CyCLONe). Regular Peer Reviews will be conducted among Member States; the European agency ENISA will release a biennial Cybersecurity State of the Union report; and a European vulnerability database will be established (see Articles 12 and 14-19 for more information).

The most significant change concerns the third goal: there is a substantial increase in the range and number of sectors and entities covered; more detailed specifications for security measures; expanded regulations for incident reporting; more precise and substantial sanction rules; and the assignment of responsibility to senior management within each entity, positioning cybersecurity as a critical boardroom issue.

Read more in the excellent article by the Centre Of Cybersecurity Belgium.

Expanded Scope and Enhanced Requirements

NIS2 significantly broadens its reach, incorporating sectors vital to the EU’s economy and society and heavily reliant on ICT. These include energy, transport, banking, healthcare, and digital infrastructure. Notably, the directive eliminates the distinction between operators of essential services and digital service providers, classifying entities as 'essential' or 'important' and subjecting them to different supervisory regimes. The directive emphasizes a risk management approach, incorporating key elements like incident handling and supply chain security. It introduces a multi-stage approach to incident reporting, requiring affected entities to submit initial notifications within 24 hours, followed by detailed reports. A notable change is the imposition of liability on management bodies of in-scope entities, including board members and senior C-Suite executives, who are now required to undergo cybersecurity training, assess, approve, and supervise the implementation of cybersecurity risk management measures, and bear accountability for any non-compliance.

Streamlining Entity Classification

A key feature of NIS2 is its simplified classification process for entities. It outlines specific sectors, automatically including large (with a headcount exceeding 250 or revenue over 50 million euros) and medium-sized (over 50 employees or more than 10 million in revenue) enterprises within its scope. Notably, smaller entities are not excluded if they play a critical role in society or the economy.

Entities must identify whether they fall under the NIS2 scope and register in every Member State where they operate by April 17, 2025. This registration process, soon to be detailed in national laws, mandates entities to provide comprehensive information, including their operational details and IP addresses.

10 fundamentals

NIS2 outlines specific cybersecurity risk management measures that entities must implement to secure their network and information systems. It also emphasizes due diligence within supply chains, requiring entities to evaluate the cybersecurity practices of their suppliers and service providers. The directive modifies incident response requirements, mandating phased notifications including an initial alert within 24 hours of identifying incidents or cyber threats, followed by intermediate and final reports.

The measures span ten key areas:

1. Risk Management and Policy Development: Conducting thorough risk assessments and establishing comprehensive security policies for information systems.
2. Effectiveness Evaluation Protocols: Implementing policies and procedures to regularly assess the effectiveness of implemented security measures.
3. Cryptography and Encryption Practices: Developing policies and procedures for the application of cryptography and, where necessary, the use of encryption.
4. Incident Response Planning: Creating a robust plan for responding to security incidents.
5. Secure System Procurement and Management: This involves establishing policies for the procurement, development, and operation of systems, including vulnerability management and reporting.
6. Cybersecurity Training and Basic Hygiene Practices: Instituting cybersecurity training programs and practices for fundamental computer security hygiene.
7. Human resources security, access control policies and asset management: Establishing stringent security measures for employees handling sensitive or vital data, along with extensive policies governing data access, is essential. Organizations are required to keep an in-depth record of all pertinent assets to guarantee their appropriate use and administration.
8. Business Continuity Management: Developing strategies for maintaining business operations during and after a security incident, including up-to-date backup systems and plans for continuous access to IT systems and their functions.
9. Advanced Authentication and Encryption: Employing multi-factor authentication, continuous authentication solutions, and encryption for voice, video, and text communications, along with secure internal emergency communication systems, as deemed appropriate.
10. Supply Chain Security Management: Establishing security measures tailored to the vulnerabilities of each direct supplier, and conducting comprehensive assessments of the overall security posture of all suppliers.

International Jurisdiction and Cooperation

Jurisdiction under NIS2 primarily lies with the Member State where the entity is established. The directive fosters EU cooperation, allowing for joint supervision, sharing of cybersecurity risk assessments, and coordinated responses to incidents. Use the NIS directive tool to find out the national authority responsible in each EU country.

NIS2 escalates the penalties for non-compliance, with essential entities facing fines up to €10 million or 2% of their annual global turnover, and important entities up to €7 million or 1.4% of their turnover, depending on which is higher.

NIS2 is closely linked with other initiatives like the Critical Entities Resilience (CER) Directive and the Digital Operational Resilience Act (DORA), ensuring a comprehensive approach to both physical and cyber resilience.

Conclusion and Future Steps

The NIS2 directive stands as a testament to the EU’s commitment to a more resilient digital future. With Member States required to transpose the Directive by 17 October 2024, the EU is set to have a robust framework that not only protects but also prepares for the digital challenges ahead. The first review of the Directive’s functioning is scheduled for 17 October 2027, ensuring that it remains responsive to the evolving digital landscape.