To promote a high level of cyber-security throughout the European Union (EU), in December 2021 a consensus was reached for the ‘NIS2 Directive’ to replace previous legislation and include digital infrastructure within its remit. NIS2 will work hand-in-hand with other legislation, such as the Digital Operational Resilience Act (DORA) for healthcare applications, to provide increased protection from malicious threats. Any organization already compliant with GDPR will no doubt be affected by the new directive and must now act quickly to be compliant before NIS2 is transposed into national law.
The new directive is designed to establish a ‘common level’ of cyber security across Europe, responding to the growing threats posed by the growth of digitalization and the increasing number of cyberattacks. NIS2 will address the shortcomings of the previous legislation, addressing the security of supply chains, streamlining reporting obligations, and introducing stringent supervisory measures and stricter enforcement requirements. This will include harmonized sanctions for businesses and organizations across the EU.
What’s the difference, and what will it do?
NIS2 differs from the original directive in two significant ways: it expands the number of critical sectors and extends the number of entities that must adhere to its security requirements. These are categorized as ‘Essential Entities (EE)’ and ‘Important Entities (IE).’ The EEs comprise organizations within the healthcare and transportation industries that are considered critical and require improved security. This also includes banking and financial entities, utility providers, and digital service providers. Eight more sectors are now covered under NIS2 as IEs, including the public sector: digital services, space, critical product manufacturing (including pharmaceuticals), postal and courier services, food and beverages, and providers of any electronic communications, networks, or services.
Not only will NIS2 ensure a strong defense against cyber threats, but it will look to improve the overall quality of service (QoS), with a key focus on establishing ‘responsibility and accountability’ within organizations. Often criminals will attempt to find a weak point within the supply chain for financial gain. At the same time, attacks continue to be carried out by – or on behalf of – other countries looking to obtain sensitive data and create chaos within a nation’s strategic infrastructure. These attacks can be made possible through avoidable shortcomings, such as no organization having total control of the supply chain or having vulnerable processes regarding production, procurement, and implementation. The new directive has been designed to hold organizations and their leading individuals accountable for any shortcomings, either through conscious or unconscious mistakes or poorly developed services. Confidentiality, integrity, and availability are the goals, as systems need to be built and maintained to overcome these errors and ensure the protection of operations, no matter the industry.
To this end, more responsibility will be placed on the highest governing body of the business, which must both approve and control the introduction of security measures and is responsible for any deviations. NIS2 will introduce a two-step reporting process: in the event of a security incident, companies will be required to submit an initial report within the first 24 hours, with a further month to submit a second, final report. Anyone who fails to comply with or violates the regulations will suffer significant consequences – companies will have to comply with a state’s request and can be fined between 1.4% and 2% of their annual revenue if deemed uncooperative. These fines place the responsibility on the directors for not adequately protecting their business.
Education in cyber security is crucial at all levels of an organization – from the boardroom to day-to-day operations. The requirement for risk assessment and control of cyber security in the form of policies is made clear, and in 2024 NIS2 will be incorporated into local laws in countries across the EU. Businesses, therefore, need to be aware of whether they fall under the directive and start their preparations to become compliant immediately.
What does this mean for businesses?
A list of seven key measures is detailed within NIS2 to ensure all essential entities adequately handle network and information security risks. Both EEs and IEs must carry out risk analysis and adopt system security policies while having a process for incident handling (including the prevention, detection, and response to incidents). Business continuity and crisis management will be essential under NIS2, alongside a critical focus on supply chain security, including security-related relationships between an entity and its suppliers and service providers. Other measures include security within network and information systems acquisition, development and maintenance, and policies and procedures that assess the effectiveness of an organization’s cyber security risk management measures. The use of cryptography and encryption is also a measure that must be considered.
Some companies may not be covered by the directive but could have customers that are, and those customers must impose corresponding security requirements on their suppliers. Any organization external to the EU that provides services within the continent must also comply with the directive, adding a further layer of security. Any organization owned from outside Europe but established within the region will have to be increasingly transparent about its operations, producing a ‘transparency report’ of its involvement.
As more and more people adopt cloud-based technology to optimize their operations, adherence to the European Cybersecurity Scheme for Cloud Services (EUCS) will also be vital. The EU maintains a ‘cloud first’ approach, where cyber security certification should serve as a presumption of conformity. The NIS2 will be closely linked to this EU strategy, allowing countries to deploy relevant security structures within their own countries. EUCS will serve as the baseline for future EU regulations on the cyber security of cloud services.
When it comes to GDPR, organizations currently review the legal jurisdiction of a cloud service supplier, examining how it is built and the sub-services that will be leveraged, and concern themselves with how personal data is protected and secured. NIS2 instead looks at the whole stack – from implementation to service – and not just the data. This means that guarantees will be required from the supplier regarding the processes of development, building, and management, and the track record and references of all organizations involved will be scrutinized.
How can you prepare for NIS2?
At the time of writing, there are at most 20 months left for organizations to prepare for the directive. To do this successfully, organizations should now be reviewing their established GDPR policies against the new measures dictated in the legislation. Procurement and operational resilience should be at the top of the agenda for any applicable organization, as NIS2 will undoubtedly have a significant effect on businesses. Companies can also consider joining the EU Alliance and following the EU Cloud Rulebook to remain compliant with the stringent regulations.
Medium-sized businesses are likely to be most affected by the new directive, not only as individual entities but also as part of a larger supply chain. Larger organizations will have a greater capacity to shoulder any heavy sanctions, and failing to prepare for NIS2 could lead to significant operational repercussions for those most at risk. Medium-sized businesses may no longer be able to rely on insurance companies to cover any damage due to a cyber-attack, with titans in the industry like Zurich deeming medium-sized businesses soon to be ‘uninsurable’ as the number of threats continues to grow. As a result, they may need external support to prepare fully for NIS2.
Adopting a ‘vulnerability management’ approach can help organizations adhere successfully to the requirements of NIS2, giving them the tools required to tailor their defenses according to their business needs and operational vulnerabilities. However, approaching the new directive from a one-time compliance perspective will in no way mitigate the risks associated with cybersecurity in general. Instead, adopting a cybersecurity program built on a risk-based perspective enables the prioritization of security gaps and addresses risks and vulnerabilities continuously. A solution that incorporates ‘vulnerability management’ provides an organization with both incident and compliance-specific reports at the same time, uncovering trends and patterns in an organization’s security posture. This enables businesses to understand the potential risks that need addressing to ensure continued NIS2 compliance and helps them avoid costly legal issues and heavy fines.
Claus Nielsen joined Holm Security as Chief Marketing Officer in December 2021 and leads the global go-to-market strategy, positioning, and value propositions development, as well as marketing activities in all markets. He has over 20 years of global executive experience across North America, Asia, and Europe. Claus’ previous roles include Chief Operating & Marketing Officer at KebNi and Global Vice President of Marketing at Neural Technologies Group, where he was responsible for the go-to-market strategy, positioning, and value propositions of all products and solutions. He was previously Director of Mobile Strategy for TATA Communications and spent over five years in various positions at Nokia. Claus graduated from the DTU Technical University of Denmark with a bachelor’s degree in electrical engineering.