Strengthening Cybersecurity through the EU's NIS2 Directive
"There are only two types of companies: those that have been hacked and those that will be." Robert Mueller, former FBI director
What is the NIS2 Directive about?
The new EU Directive, NIS2, imposes stricter legal requirements for cybersecurity in Europe with the goal of:
- Strengthening the cyber resilience of a comprehensive set of businesses operating in the EU across all relevant sectors,
- Achieving a managed security posture maturity,
- Addressing the security of supply chains,
- Streamlining reporting obligations,
- Introducing stricter supervisory security measures
- And achieving deep-rooted cyber resilience in Europe.
The NIS2 Directive introduces legal requirements for cybersecurity risk-management measures and reporting obligations. It will require around 160,000 entities to tighten their grip on security and help make Europe a safer place to live and work. It will also enable information sharing with the private sector and with partners around the world.
How does the NIS2 Directive boost the overall level of cybersecurity in the EU?
The NIS2 Directive provides legal measures to increase cybersecurity in the EU by:
- Building on the NIS1 strategy on the security of network and information systems to ensure Member States are appropriately equipped and prepared,
- Establishing cooperation and information exchange among all the Member States by setting up the Network and Information Systems (NIS) Cooperation Group,
- Creating a culture of security across the sectors vital for the economy and society that also rely heavily on ICT, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
What is different compared to the NIS Directive?
Compared to the previous regulatory framework, the scope has been extended considerably: it now comprises both private and public organisations in the sectors listed in the directive's annexes that employ 50 or more people or have an annual turnover or balance sheet of more than EUR 10 million, as well as certain types of entity (for example, parts of public administration and providers of critical digital infrastructure) that are covered regardless of their size.
Additionally, cybersecurity governance plays a much stronger role under NIS2 than it did under the original NIS Directive: top-level management must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements.
What is the deadline for the NIS2 Directive?
As this act is a directive rather than a regulation, EU Member States must transpose it into national law by 18 October 2024. Currently, roughly 160,000 organisations in the EU, and around 20,000 in Germany, are directly affected by NIS2, while more than 1.2 million organisations across the EU and more than 200,000 in Germany are affected indirectly (for example as suppliers of an entity in scope).
What are the requirements of the NIS2 Directive?
NIS2 measures are based on an "all-hazards approach" that aims to protect both network and information systems and the physical environment of those systems from incidents. The requirements include:
- Incident Management
- Business Continuity
- Supply Chain Security
- Asset Management
- Reporting Obligations
What are the NIS2 Directive fines?
Fines for non-compliance with the NIS2 Directive can be substantial. For essential entities, Member States must provide for fines of at least €10 million or 2% of the entity's total worldwide annual turnover, whichever is higher. For important entities, the maximum fine must be at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher. (The figures of €20 million or 4% that are sometimes quoted belong to the GDPR, not to NIS2.)
National authorities also have the power to impose other measures, such as binding instructions, orders to remedy deficiencies, temporary suspension of certifications or authorisations, and even temporary bans on individuals with management responsibilities exercising those functions. It is therefore important for both essential and important entities to ensure that they comply with the requirements of the NIS2 Directive.
What are the key provisions of the NIS2 Directive?
The NIS2 Directive aims to adapt the EU's cybersecurity framework to current needs and to make it future-proof. It introduces several key provisions that aim to enhance organisations' cybersecurity in the EU. These include:
1. Expansion of Scope
One of the most significant changes introduced by the NIS2 Directive is the expansion of scope. The directive applies to a broader range of organisations than the previous iteration, including online marketplaces, search engines, and cloud computing services. This expansion of scope aims to ensure that a more extensive range of organisations is held accountable for the security of their networks and information systems. The new scope also covers businesses in sectors newly listed in the directive's annexes, where each sector is classified as either "essential" or "important". These include:
- Public administration
- Providers of public electronic communication networks or services, social networking service platforms, and data centre services
- Manufacturing of critical products, such as pharmaceuticals, medical devices, or chemicals
- Waste management, including wastewater treatment
- Postal and courier services
- Space industry
2. Cybersecurity Incident Reporting
Under the NIS2 Directive, essential and important entities must report significant incidents to the competent national authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. This provision aims to improve the response time to cyber threats and ensure that Member States have a comprehensive overview of cybersecurity incidents across the region. It is worth noting that some Member States already have mandatory reporting requirements in place, and the NIS2 Directive builds upon these requirements.
3. Strengthening of Security Requirements
The NIS2 Directive also strengthens the security requirements for essential and important entities. These requirements include implementing appropriate and proportionate technical, operational and organisational measures to manage the risks to their networks and information systems. They must also ensure that effective incident-handling and business-continuity plans are in place to mitigate the impact of any cybersecurity incident.
4. Certification Schemes
The NIS2 Directive allows Member States to require essential and important entities to use ICT products, services and processes that are certified under European cybersecurity certification schemes established by the EU Cybersecurity Act. Such schemes help identify and select products and services that meet a high level of security requirements, and they promote the development of cybersecurity products and services that meet the needs of the EU market.
Companies that wish to comply with NIS2 can build and maintain an Information Security Management System (ISMS) based on a framework such as ISO 27001. An ISMS does not by itself guarantee NIS2 compliance, but it provides a structured basis for the risk-management measures, governance and documentation the directive demands.
Will NIS2 impact businesses in the UK?
The original NIS Directive was fully implemented in the UK while the country was a member of the EU; however, following Brexit, NIS2 is not mandatory in the UK. On the flip side, the UK Government is currently reviewing the effectiveness of NIS2 to decide whether to implement it in some form anyway. UK businesses should therefore prepare for the likely implementation of either the NIS2 requirements themselves or a UK-modified version.
There is very little information about NIS2 in the UK, because it is EU legislation. However, one resource stated that "Following Brexit, the UK is no longer required to follow the NIS2 Directive".