Do you do business in the EU? If yes then here is some information relating to how the bloc is gearing up to ensure that there is a prevailing secure digital ecosystem for businesses operating in the common market.

The Network and Information Systems Directive 2 (NIS2) is the new European cybersecurity directive that will replace the existing NIS Directive, effective October 18th, 2024.

It is a game changer in the realm of cybersecurity frameworks, with the potential for far-reaching global implications as its standards are adopted worldwide. NIS2 also arrives at a time when the digital security landscape is more turbulent than it has ever been, following a recent succession of major cyber incidents and breaches with wide-ranging consequences for business operations on a global scale.


NIS2 was formally passed as EU legislation on the 16th of January 2023, and member states have until the 17th of October 2024 to transpose it into their respective national laws, after which it will become ordinarily enforceable.

It is defined by the EU as the directive on measures for a high common level of cybersecurity across the European Union. It therefore seeks to establish a baseline of security measures for business processes within the specified sectors, to mitigate the risk of cyber-attacks and to improve the overall level of cybersecurity of the entities concerned.

Here it is from the horse’s mouth, quoting verbatim the European Parliamentary Research Service (EPRS) on the objectives of NIS2:

“To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.”

For the purpose of NIS2, the EU legislators have classified businesses into two main groups: those in sectors of high criticality, deemed essential entities, and those in other critical sectors, deemed important entities. Essential entities face relatively stricter conditions of supervision and ex-ante oversight, as well as heavier penalties for non-compliance.

NIS2 in-scope sectors: Essential Entities

  • Energy
  • Health
  • Transport
  • Financial market infrastructures
  • Drinking water supply
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

NIS2 in-scope sectors: Important Entities

  • Digital providers
  • Postal and courier services
  • Waste management
  • Production, processing and distribution of food
  • Manufacturing
  • Manufacture, production and distribution of chemicals
  • Research

Essentially, NIS2 will apply to all organisations in the above sectors that access the common market and do business in the EU, and that furthermore meet the prescribed size cap criteria, including having at least 50 employees, an annual turnover of more than 10 million euros, and more than 43 million euros on their balance sheet.

However, the regulatory authority in a member state may choose to designate a critical sector company as liable to comply with NIS2 irrespective of the foregoing size cap criteria.

Importantly, if NIS2 applies to a given business, then it will more than likely apply to that business’s supply chain as well. If you are part of the supply chain of an in-scope entity, you are more likely than not to be in scope yourself.

Key upgrades in NIS2 over the original NIS Directive (NISD) include the enlargement of the pool of affected sectors, severe sanctions with heavy corporate fines as well as personal liability of top management, a requirement to remain continuously compliant, and substantial consideration of supply chain risks. In addition, the regulator may choose to carry out ex-ante, or pre-emptive, control of a given essential entity, even in the absence of reported failures or breaches.

NIS2 mandates a risk management approach to IT systems security that is ultimately rewarding for the businesses concerned, beyond guaranteeing business continuity in critical services within the bloc. It offers a single, stringent baseline security standard and compels organisations to re-evaluate their risk management processes, establish robust incident response plans (including adherence to strict reporting obligations), enhance vulnerability management, and prioritise encryption and multi-factor authentication, as minimum standards.

Target minimum cybersecurity risk management measures under NIS2

  • Risk analysis and information system security
  • Incident handling procedures
  • Business continuity measures (back-ups, disaster recovery, crisis management)
  • Supply chain security
  • Security in system acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic computer hygiene and training
  • Policies on the appropriate use of cryptography and encryption
  • Human resources security, access control policies and asset management
  • Use of multi-factor authentication, secured voice/video/text communication, and secured emergency communication

NIS2’s impact is predicted to be both significant and far-reaching. The scope of organisations falling under its purview is expected to expand over time, making it imperative for all organisations, irrespective of size and status, to eventually align with its standards.

But the obligation on individual businesses to adopt an “all hazards” approach to risk management is just one of the three main pillars of the NIS2 directive. The other two are the strengthening, within member states, of national authorities and institutions dedicated to cybersecurity, and the establishment of elaborate frameworks at central EU level for the exchange of information and cooperation amongst member states in tackling cyber risks. For instance, to promote joint situational awareness, peer learning and information sharing, NIS2 creates, amongst other things, a mechanism for coordinated vulnerability disclosure and a common European vulnerability registry, as well as the new EU Cyber Crisis Liaison Organisation Network (CyCLONe), charged with handling specific cyber incidents, including mounting a quick and coordinated cross-border response to large-scale crises.

The NIS2 Directive presents both challenges and opportunities for businesses and organisations. Whilst compliance will require significant investment of time and financial resources, it offers organisations the opportunity to reap the reward of the cyber resilience that results from implementing the controls it mandates.