The rise of cyber attacks has made cybersecurity a top priority for businesses across various industries. To safeguard essential infrastructure and companies from threats, the EU has introduced the Network and Information Security (NIS) Directive. The recently updated NIS 2 Directive applies to a broader range of industries, including energy, transportation, finance, waste management, digital infrastructure and more.
NIS 2 imposes specific and stringent cybersecurity requirements, along with steeper penalties for non-compliance. Even companies outside the EU doing business within the region should pay attention to NIS 2's impact and implications.
This article looks at the key NIS 2 changes that seek to create more cyber awareness and preparedness against any adverse impact on a business’ systems. It also explains why it is critical for businesses to comply with the Directive. In addition, we break down the most pressing questions about what organizations should do to be ready for the adoption of this new Directive:
What is NIS 2 and what is its current status?
Who does NIS 2 apply to and who will be impacted?
What are the changes that NIS 2 brought to the table?
What are the sanctions for the organizations that don’t follow the Directive?
What will all these changes mean for businesses?
When will the NIS 2 Directive be implemented?
Why isn’t the first Directive efficient anymore?
The EU’s original Directive on Security of Network and Information Systems (NIS) was designed to provide a legal framework to enhance the cybersecurity posture of businesses in key sectors. It became effective in August 2016; on December 27th, 2022, the Official Journal of the European Union published the updated NIS 2 Directive.
This second iteration of the Directive aims to improve Member States’ security capacities and lessen the internal market fragmentation at various levels. This new version entered into force on January 16th, 2022.
NIS 2 applies to all EU Member States. Both medium and large organizations, as well as those small businesses crucial to the economy, will fall under the requirements of the new Directive.
In the first NIS iteration, the national competent authority that oversees the implementation and enforcement of the Directive published a list of ESOs that needed to implement the mandatory security measures. By contrast, the NIS 2 Directive extends the scope of addressability and the variety of digital services regulated under the NIS Regulations.
This means that the set of regulated DSPs will also include providers of “managed services”. More precisely, NIS 2 classifies organizations into two categories, “Essential” or “Important” entities, depending on their size and sector.
Essential entities include businesses with 250 employees or more and a turnover of 50 million EUR or a balance sheet of 43 million EUR. Important entities are those with over 50 employees and an annual turnover or balance sheet of 10 million EUR.
Are you active in one of the following sectors and need help with the NIS 2 Directive?
Businesses with over 250 employees and a turnover of 50 million EUR / balance sheet of 43 million EUR, operating in Highly Critical Sectors:
Businesses with over 50 employees and a turnover / balance sheet of 10 million EUR, operating in Critical Sectors:
*Important entities also include all the Essential entities sectors, but with the important entities size threshold.
Still, all businesses must follow the same cybersecurity reporting and management requirements. The difference lies in how they are supervised and penalized: entities recognized as “Important” will be investigated only when evidence of non-compliance emerges.
Critical societal or economic "sole providers” that don't meet the specified requirements may still be considered as Essential or Important entities. Member States have until April 2025 to finalize and categorize their list of entities.
The first EU Directive on cybersecurity, NIS, was passed into the European national laws across all Member States. But, the security regulations addressed two categories of organization:
With NIS 2, Essential Service Operators (ESOs) will no longer be distinguished from Digital Service Providers (DSPs). In addition, selected providers of digital infrastructure or services that operate in the EU although they don’t have a physical footprint in Europe must comply as well.
Prior to the implementation of NIS 2, the initial Directive lacked clear provisions outlining the cybersecurity responsibilities of the mentioned entities. NIS 2, through the introduction of Article 18(2), establishes specific obligations for these organizations.
These duties include conducting risk analyses, implementing IT security policies, defining policies and procedures, conducting tests and audits, and assessing the effectiveness of cybersecurity risk management measures. By clearly outlining these responsibilities, NIS 2 aims to ensure that entities are adequately equipped to address and mitigate cybersecurity threats.
Risk management: The requirements imposed by NIS 2 include:
Reporting: The obligations of the second Directive cover:
Vulnerability disclosure: “Coordinated vulnerability disclosure” is allowed under NIS 2:
Make sure you stay compliant with the NIS 2 Directive:
A study conducted by the European Commission estimates that once the companies newly included under the umbrella of NIS 2 apply its provisions, their IT spending will increase by 22%. This percentage is significantly higher than the 12% growth seen among companies that have already aligned with the first version of the NIS Directive. Additionally, NIS 2 specifies that any incident that might jeopardize the service provision must be reported to the CSIRT and the competent authorities.
Violation of the Directive:
Organizations must reveal any cyber attack as follows:
When organizations break the rules of the Directive, they can face the suspension of their activities or authorizations, as well as prohibitions or management sanctions. Authorities can impose a fine of 10 million EUR or 2% of global annual turnover on businesses classified as essential entities, while important entities risk penalties of up to 7 million EUR or 1.7% of global turnover.
| ESSENTIAL ENTITIES | IMPORTANT ENTITIES |
| 10 million EUR or 2% of their global annual turnover | 7 million EUR or 1.7% of the global turnover |
Data breaches:
Via the joint liability amendment, the providers of those companies under NIS 2 are indirectly subject to security obligations. This means that when a data or system breach occurs, the suppliers are equally responsible.
Thus, companies have a duty to implement additional cybersecurity measures and to carefully select their suppliers. To help with this, within 21 months after NIS 2 enters into force, the European Commission must define the technical and methodological requirements applicable to providers of cloud computing services, data centers, online marketplaces, search engines, social networks and others.
Businesses will need to register with the responsible entity in their country (e.g. the DNSC in Romania), and notify them in case of cybersecurity incidents. The proposal amendments suggest that the authorities will give advice and guidance or will interfere with regulatory actions if an incident is reported. Otherwise, organizations will take part in a dual supervisory regime:
At the moment, the criteria that separate DSPs into these two supervisory regimes are unclear. Thus far, the authorities and regulators are responsible for developing such norms. In the meantime, businesses are advised to review their specific country’s threshold conditions to establish whether their operations fall under the purview of the NIS Regulations.
At EU level, the NIS 2 Directive has already been enacted. Romania is expected to adopt the new legislation in the next 2 years. All that being said, the EU countries must transpose NIS 2 into local legislation by October 17th, 2024.
Don't miss the NIS 2 due date. Stay compliant!
Four years after its enforcement, in Q4 2020, the original Directive was subjected to revision. The European Commission concluded that NIS had “proven its limitations”:
By October 17th, 2024, the Member States have to adopt the Directive at their national level, and companies should be prepared to comply with the cybersecurity obligations. Since the timeline and the implementation of the identified measures and controls depend on the outcome of the audit and the specifics of the company (e.g. size, complexity of processes and systems, etc.), businesses should start this process as early as possible.
We encourage organizations to have at least an overview, a plan of the implementation steps, a timeline and a cost estimate. Consequently, to keep your company at the optimal cybersecurity level, you should invest in your NIS 2 Directive compliance.
Here are the 6 steps you can follow to ensure compliance with the NIS 2 Directive:
The NIS security auditor certification authorizes Zitec to conduct cybersecurity audits under the NIS law and to evaluate the security of networks and IT systems of Essential Service Operators (ESOs) and Digital Service Providers (DSPs). Providing guidance and security strategies to support your organization, identifying and assessing risks, formulating NIS 2 plans and defending your business against ransomware, software supply chain attacks and other threats is what we know best.
For us, business security is as important as your awareness of the risks you might be exposed to. Our audits assess everything from your current state of compliance and security governance to your resilience and protective controls. Contact us to find out more.