NIS – The EU-Wide Cybersecurity Initiative
In July 2016, the current Network and Information Security Directive (NIS Directive) became the first piece of EU-wide cyber security legislation. The NIS Directive aimed to secure the networks and information systems of critical and sensitive infrastructures in all EU member states. Six years later, in November 2022, the European Parliament updated the legislation to promote investment in strong cyber security for essential services. The European Commission initiated the revision amid increased threats against critical infrastructure, driven by growing digitalization and the surge in cyberattacks.
"Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments and society more resilient to hostile cyber operations,"
- Dutch Member of European Parliament Bart Groothuis
What Is New in NIS2?
The NIS2 Directive introduces new requirements to promote a high level of cyber security throughout the EU, strengthening the cyber security requirements for medium and large organizations operating and providing services in key sectors.
NIS2 differs from the original directive in two significant ways: it expands the number of critical sectors and extends the number of entities that must adhere to its security requirements.
For its scope, the NIS2 directive distinguishes two types of entities:
- Essential Entities (EE), detailed in Annex I of the NIS2 text
- Important Entities (IE), detailed in Annex II of the NIS2 text
The original directive identified the following sectors as critical and in need of strengthening security:
- Banking and financial market infrastructure
- Digital infrastructure
- Water supply
- Digital service providers
NIS2 now covers eight more sectors integral to our daily lives, including the public sector:
- Providers of electronic communications, networks, or services
- Digital services such as social media platforms or data centers
- Wastewater and waste management
- Critical product manufacturing (pharmaceuticals, medical, chemical…)
- Postal and courier services
- Food and beverages
- Public administration
In summary, NIS2 covers 15 sectors that are crucial not only for the development of the economy but also for daily life in Europe.
As part of the NIS2 Directive, new security obligations are based on a systematic, analytical and risk-based approach. This approach is in line with other regulations, such as GDPR. Risk management and incident response are key in ensuring compliance with NIS2 and should be used to implement the directive's security measures.
NIS2 provides a list of seven key measures to help essential and important entities manage network and information security risks. According to the legislation (Article 18), EEs and IEs must take at least the following seven measures:
- Risk analysis and information system security policies.
- Incident handling (prevention, detection, and response to incidents).
- Business continuity and crisis management.
- Supply chain security – including security-related aspects of relationships between each entity and (i) its suppliers or (ii) service providers (such as data storage providers and processing services or managed security services providers).
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosures.
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures.
- The use of cryptography and encryption.
“1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”
The new NIS2 also focuses more on secure supply chains. Many companies that are not covered by the NIS2 Directive themselves have customers that are. Since these customers are now required to impose corresponding security requirements on their suppliers, the requirements can also increase significantly for businesses not covered by NIS2. NIS2 affects not only organizations within the EU but also organizations outside the EU that provide services in EU countries. Therefore, these organizations must also comply with the NIS2 Directive.
NIS2 will introduce a two-step process for reporting incidents to the relevant regulatory authorities. This means that in the event of a security incident, organizations are required to submit an initial report within 24 hours and then have one month to submit a second, final report. The NIS2 Directive has also introduced revised sanctions for companies that fail to comply with or violate the regulations.
NIS2 gives member states the right to issue an injunction when there is a security incident and the company refuses to cooperate with the authorities. Consequently, companies will have to comply with the State's request and may be fined between 1.4% and 2% of their annual revenue. NIS2 is an enhanced version of NIS with fines similar to those under GDPR.
How Will The NIS2 Directive Impact You?
To summarize, the main objectives of NIS2 are to achieve a high common cyber security level for operators of essential services, to improve resilience through stricter security requirements and tougher penalties, and to improve the EU's collective capacity to prepare for and respond to cyber threats and cyber-attacks. In short, with the introduction of NIS2 you will have to adopt new ways of mitigating cyber security risks proactively, but not to worry, we can help.
Improve The EU's Collective Capacity to Respond to Cyber Threats: Main Takeaways
- More responsibility is placed on the highest governing body of the business – they must both approve and control the introduction of security measures and are responsible for deviations.
- Education in cyber security is required at all levels – from the boardroom to day-to-day operations.
- The requirement for risk assessment and control of cyber security in the form of policies is made clear.
- It is clear how security measures should be chosen, and a list of mandatory measures that everyone must implement is available.
NIS2: When Is It Expected to Come into Force?
The directive will be published in the Official Journal of the European Union in the coming days, after which member states have 21 months to implement it. Therefore, NIS2 is expected to be implemented by 2023 at the earliest and, more likely, in 2024. However, before this becomes law, it is crucial that you understand exactly what it means for your business, both in terms of compliance and in terms of changes to your current processes.
How We Can Help You Tackle The Demands of NIS2
Systematic, analytical, risk-based information security approach
With our Next-Gen Vulnerability Management Platform, businesses can tailor their cyber security program to specific organizational needs and operational vulnerabilities. When you approach your cybersecurity program from a risk-based perspective instead of a compliance-first approach, you'll be able to prioritize security gaps and strengthen the cycle for addressing new risks and vulnerabilities continuously.
Incident reporting, even for vulnerabilities without incidents
By analyzing incident reports, you can discover trends and patterns regarding your cyber security health. Vulnerability reporting isn't a one-off action. Your entire IT environment needs to be evaluated regularly for maximum effectiveness. Our reports give you an understanding of the risks you face. In addition to helping you comply with security regulations, they will help you determine which specific issues need fixing.
We provide continuous monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Create compliance-specific report templates to provide an immediate understanding of the compliance risk of your IT environment.
Administrative sanctions; lost permits, certifications and similar
We'll help you to comply with laws and regulations to avoid legal issues.
Meet Laws & Recommendations with Holm Security
Holm Security has helped hundreds of organizations meet the NIS requirements by providing a foundation for a systematic, analytical and risk-based approach to cyber risks through continuous and automated vulnerability management. For our customers, our Next-Gen Vulnerability Management Platform is a major step towards a more systematic approach to cyber threats in general and creates a foundation for a stronger cyber defense.
Together with our Success Program, we provide the tools, training, service, and support you need to make NIS compliance a part of your daily work.