Zitec Blog

The cybersecurity due date is coming: EU Member States to adopt the NIS 2 Directive at their national level by October 2024

Written by Simona Negru | Apr 13, 2023 9:47:58 AM

The rise of cyber attacks has made cybersecurity a top priority for businesses across various industries. To safeguard essential infrastructure and companies from threats, the EU has introduced the Network and Information Security (NIS) Directive. The recently updated NIS 2 Directive applies to a broader range of industries, including energy, transportation, finance, waste management, digital infrastructure and more.

NIS 2 imposes specific and stringent cybersecurity requirements, along with steeper penalties for non-compliance. Even companies outside the EU doing business within the region should pay attention to NIS 2's impact and implications.

This article looks at the key NIS 2 changes that seek to create more cyber awareness and preparedness for incidents that adversely affect a business’ systems. It also explains why it is critical for businesses to comply with the Directive. In addition, we address the most pressing questions about what organizations should do to be ready for the adoption of this new Directive:

What is NIS 2 and what is its current status?
Who does NIS 2 apply to and who will be impacted?
What are the changes that NIS 2 brought to the table?
What are the sanctions for the organizations that don’t follow the Directive?
What will all these changes mean for businesses?
When will the NIS 2 Directive be implemented?
Why isn’t the first Directive efficient anymore?

What is NIS 2 and what is its current status?

The EU’s original Directive on Security of Network and Information Systems (NIS) was designed to provide a legal framework to enhance the cybersecurity posture of businesses in key sectors. It became effective in August 2016; on December 27th, 2022, the Official Journal of the European Union published the updated NIS 2 Directive.

This second iteration of the Directive aims to improve Member States’ security capacities and reduce the fragmentation of the internal market at various levels. This new version entered into force on January 16th, 2022.

Who does NIS 2 apply to and what sectors will be impacted?

NIS 2 applies to all EU Member States. Medium and large organizations, as well as those small businesses crucial to the economy, will fall under the requirements of the new Directive.

Under the first NIS iteration, the national competent authority that oversees the implementation and enforcement of the Directive published a list of essential service operators (ESOs) that needed to implement the mandatory security measures. The NIS 2 Directive instead extends the scope of addressability and the variety of digital services regulated under the NIS Regulations.

This means that the regulated digital service providers (DSPs) will also include providers of “managed services”. More precisely, NIS 2 classifies organizations into two categories, “Essential” or “Important” entities, depending on their size and sector.

Essential entities include businesses with 250 employees or more and a turnover of 50 million EUR or a balance sheet of 43 million EUR. Important entities are those with over 50 employees and an annual turnover or balance sheet of 10 million EUR.


Essential Entities

Businesses with over 250 employees and a turnover of 50 million EUR / balance sheet of 43 million EUR, operating in Highly Critical Sectors: 

  • Energy (electricity, oil, gas, hydrogen, district heating and cooling)
  • Transport (air, rail, water, road)
  • Banking and financial markets (banks, insurance companies, investment firms)
  • Drinking water and waste 
  • Digital infrastructure and ICT service management (IXP services for internet traffic, DNS services, .ro domain name registry management, cloud computing, data center service providers, content delivery networks, managed service providers, managed security service providers)
  • Public Administration
  • Space

Important Entities

Businesses with over 50 employees and a turnover / balance sheet of 10 million EUR, operating in Critical Sectors: 

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production and distribution
  • Manufacturing (computers and electronics, machinery and equipment, motor vehicles and other transport equipment)
  • Digital providers (online marketplaces, search engines, social networking service providers)
  • Research organizations
  • Food production, processing and distribution (industrial production and processing)

*The Important entities category also covers all the Essential entities sectors, for businesses that meet only the Important entities size threshold.

Still, all businesses must follow the same cybersecurity reporting and risk management requirements. The difference lies in how they are supervised and penalized: entities classified as “Important” will be investigated only when evidence of non-compliance emerges.

Critical societal or economic "sole providers” that don't meet the specified requirements may still be considered as Essential or Important entities. Member States have until April 2025 to finalize and categorize their list of entities.

What are the changes that NIS 2 brought to the table?

The scope of addressability and more variety of digital services and sectors

The first EU Directive on cybersecurity, NIS, was transposed into national law across all Member States. Its security regulations addressed two categories of organization:

  • Essential service operators (ESOs) - transport, water and energy companies
  • Digital service providers (DSPs) - online marketplaces, online search engines or cloud computing services (SaaS, PaaS, IaaS offerings)

With NIS 2, Essential Service Operators (ESOs) will no longer be distinguished from Digital Service Providers (DSPs). In addition, selected providers of digital infrastructure or services that operate in the EU although they don’t have a physical footprint in Europe must comply as well. 

Risk management, reporting and vulnerability disclosure obligations

Prior to NIS 2, the initial Directive lacked clear provisions outlining the cybersecurity responsibilities of the entities in scope. NIS 2, through the introduction of Article 18(2), establishes specific obligations for these organizations.

These duties include conducting risk analyses, implementing IT security policies, defining policies and procedures, conducting tests and audits, and assessing the effectiveness of cybersecurity risk management measures. By clearly outlining these responsibilities, NIS 2 aims to ensure that entities are adequately equipped to address and mitigate cybersecurity threats.

Risk management: The requirements imposed by NIS 2 include:

  • risk analysis
  • information system security policies
  • incident handling procedures
  • business continuity and crisis management preparation
  • supply chain security
  • cryptography and encryption
  • assessment of the risk management effectiveness 
  • third-party risks management throughout their supply chains

Reporting: The obligations of the second Directive cover:

  • potential incidents that might cause substantial operational or financial damage
  • precise provisions on the process for incident reporting (the timing and content of reports)
  • a Computer Security Incident Response Team (CSIRT) that facilitates the interactions between reporting entities, IT manufacturers and IT service providers

Vulnerability disclosure: “Coordinated vulnerability disclosure” is allowed under NIS 2:

  • ethical hackers can report vulnerabilities
  • remediation of the reported vulnerabilities
  • the European Union Agency for Cybersecurity (ENISA) keeps a database of known vulnerabilities


The fines or sanctions for the organizations that don’t follow the Directive

A study conducted by the European Commission estimates that once the companies newly brought under the umbrella of NIS 2 apply its provisions, their IT spending will increase by 22%. This is significantly higher than the +12% growth seen among companies that have already aligned with the first version of the NIS Directive. In addition, NIS 2 specifies that any incident that might jeopardize service provision must be reported to the CSIRT and the competent authorities.

Violation of the Directive:

Organizations must report any cyber attack as follows:

  • entities should notify the competent authorities within 24 hours of becoming aware of the incident
  • a detailed analysis of the incident within 72 hours
  • a notification in line with the GDPR provisions to the data subjects directly impacted by the attack

When organizations break the rules of the Directive, they can face the suspension of their activities or authorizations, as well as prohibitions or management sanctions. Authorities can impose a fine of 10 million EUR or 2% of their global annual turnover on businesses classified as essential entities, while important entities risk penalties of up to 7 million EUR or 1.7% of their global turnover.

  ESSENTIAL ENTITIES: 10 million EUR or 2% of their global annual turnover
  IMPORTANT ENTITIES: 7 million EUR or 1.7% of the global turnover

Data breaches:

Via the joint liability amendment, the providers of those companies under NIS 2 are indirectly subject to security obligations. This means that when a data or system breach occurs, the suppliers are equally responsible. 

Thus, companies have a duty to implement additional cybersecurity measures and to carefully select their suppliers. To help with this, within 21 months after NIS 2 enters into force, the European Commission must define the technical and methodological requirements applicable to providers of cloud computing services, data centers, online marketplaces, search engines, social networks and others.

What will all these changes mean for businesses?

Businesses will need to register with the responsible entity in their country (e.g. the DNSC in Romania), and notify them in case of cybersecurity incidents. The proposal amendments suggest that the authorities will give advice and guidance or will interfere with regulatory actions if an incident is reported. Otherwise, organizations will take part in a dual supervisory regime: 

  • reactive supervision - as per the current NIS Regulations
  • proactive supervision - the country’s specific regulatory entity will proactively monitor and investigate the DSPs that present critical risks

At the moment, the criteria that assign DSPs to these two supervisory regimes are unclear; the authorities and regulators are responsible for developing such norms. In the meantime, businesses are advised to review their specific country’s threshold conditions to establish whether their operations fall under the purview of the NIS Regulations.

When will the NIS 2 Directive be implemented?

At EU level, the NIS 2 Directive has already been enacted. Romania is expected to adopt the new legislation in the next 2 years. All that being said, the EU countries must transpose NIS 2 into local legislation by October 17th, 2024.


Going back to the basics: the first NIS Directive

Why isn’t the first Directive efficient anymore?

Four years after its enforcement, in Q4 2020, the original Directive was subjected to revision. The European Commission concluded that NIS had “proven its limitations”: 

  • The Directive covered an insufficient number of sectors.
  • The Directive was too ambiguous.
  • Due to the different security and incident reporting requirements imposed by the Member States, the Directive proved too complex for companies operating across multiple jurisdictions.
  • The supervision and enforcement regimes were deemed ineffective.
  • The global pandemic and adoption of remote working and cloud technologies accelerated the need for an update.

The steps businesses should make in adhering to NIS 2 

By October 17th, 2024, the Member States have to adopt the Directive at their national level, and companies should be prepared to comply with its cybersecurity obligations. While the timeline and the implementation of the identified measures and controls depend on the outcome of the audit and the specifics of the company (e.g. size, complexity of processes and systems, etc.), businesses should start this process as early as possible.

We encourage organizations to have at least an overview, a plan for the implementation steps, a timeline and a cost estimate. To keep your company at the optimal cybersecurity level, you should invest in your NIS 2 Directive compliance.

Here are the 6 steps you can follow to ensure compliance with the NIS 2 Directive:

  1. Determine which business units, departments and subsidiaries are covered by the NIS 2 Directive.
  2. Evaluate your organization's existing risk management and cybersecurity posture to identify any gaps that must be addressed to achieve compliance. Leave this in the hands of certified auditors. 
  3. Considering the outcome of the gap analysis, consult with the necessary teams and departments to develop a timeline and plan for complying with NIS 2. Benefit from specialists’ consultancy to implement the necessary remediation steps.
  4. Inform your supply chain and critical third-party partners about the NIS 2 Directive and work together to address new supply chain and third-party risk management requirements.
  5. Collaborate with department heads and key stakeholders to ensure they understand the strategy and can prepare their departments, systems and resources in a timely manner.
  6. It is crucial to prioritize cybersecurity and cyber hygiene training as core components of NIS 2. Enhance your efforts to improve cyber awareness and cultivate a culture that prioritizes security.

The NIS security auditor certification authorizes Zitec to conduct cybersecurity audits under the NIS law and evaluate the security of networks and IT systems of Essential Service Operators (ESOs) and Digital Service Providers (DSP). Providing guidance and security strategies to support your organization, identify and assess risks, formulate NIS 2 plans and defend your business against ransomware, software supply chain attacks and other threats is what we know best.

For us, business security is as equally important as your awareness of the risks you might be exposed to. Our audits assess everything from your current state of compliance and security governance to your resilience and protection walls. Contact us to find out more.