The Whats, Whens, and Hows of NIS2

Date: 20 October 2022    |    Author: Stash Kempinski - Security Consultant

Note: the details of NIS2 are not finalized yet; this blog post will be updated in accordance with any changes published in the future.

In December 2020, the European Parliament proposed a successor to the Network and Information Security (NIS) Directive, namely the NIS2 Directive. This successor is needed because the rise in cyber threats and the exponential digitalization of the EU caused the original NIS to become inadequate. The new directive is now nearing its adoption, and although it is not finalized yet, the broad outlines are largely known already. In this blog post we will tell you what NIS2 is, and when and how it applies to your organization.

Quick link to:

  1. What is NIS2?
  2. When does NIS2 apply to you?
  3. How does NIS2 apply to you?
  4. NIS2 Webinar Series
  5. Difference between NIS1 & NIS2

What is NIS2?

The NIS2 Directive is an EU-wide legislation that aims to increase the level of cybersecurity within the European Union. It does so, among other things, by addressing a wider range of industry sectors, mandating cybersecurity measures to be implemented, and creating strict(er) incident reporting requirements. Currently, there are vast differences in the maturity levels of these subjects between the Member States; this is something that this legislation intends to streamline. Note that NIS2 does not only require public and private organizations to improve their cybersecurity posture, but it also requires national governments to set up EU-wide collaboration and vulnerability sharing programs.

When the details of NIS2 are finalized and agreed upon by the parliament, the Member States have two years to write them into national laws. Hence, it is expected that the obligations as laid down by NIS2 become effective in Q4 2024.

When Does NIS2 Apply to You?

The NIS2 directive is intended for organizations that are classified as medium or large by the EU, which means organizations that have over 50 employees and/or generate more than 10 million Euros revenue per year. This so-called “size cap” does however not apply to organizations in certain sectors, such as ones that are deemed critical infrastructure. Moreover, the size cap does not apply to organizations that provide public services (such as electronic communication networks) or are the sole provider of a service to a government. The size cap also does not apply to service providers where an incident could have an impact on public safety, security, or health, or where a disruption could create systemic risks. In other words, NIS2 always applies to organizations that fall in these categories, regardless of their size.

Furthermore, NIS2 differentiates between two types of organizations. They are classified as either important or essential depending on the sector they operate in. This classification greatly influences the responsibilities that organizations have when NIS2 comes into effect. These responsibilities will be further explained in the next section; here we list which sectors fall within which classification.

Essential                                     | Important
----------------------------------------------|-----------------------------------------------------
Energy                                        | Postal and Courier Services
Transport                                     | Waste Management
Banking                                       | Manufacture, Production and Distribution of Chemicals
Financial Market Infrastructures              | Food Production, Processing and Distribution
Health                                        | Manufacturing
Drinking Water                                | Digital Providers
Waste Water                                   |
Digital Infrastructure                        |
Public Administration                         |
Space                                         |

How Does NIS2 Apply to You?

When implemented, NIS2 will increase the (minimal) effort that organizations should spend on cybersecurity. It does so by allowing governments to hold management personally accountable if gross negligence is proven after a cyber incident. Moreover, NIS2 allows governments to (temporarily) ban a person from exercising managerial positions in case of repeated negligence. This is however a worst-case scenario, and NIS2 provides guidelines for preventing such negligence. For example, to ensure that management is sufficiently aware of cyber risks, NIS2 mandates that management bodies receive adequate cybersecurity training. NIS2 advises that all employees receive such training, but this is not mandatory. Furthermore, it requires risk management and assessment activities to be performed to ensure that management is aware of and has considered the cybersecurity risks within their organization.

These proactive and preventive measures are not the only thing described in NIS2. It also describes mandatory post-incident activities. An incident is defined as an event that compromised “the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems”. When an organization becomes aware of such an incident, it is required to provide an initial report to the applicable authorities within 24 hours if the incident disrupted the availability of the services they provide, and within 72 hours in any of the other mentioned cases. These initial reports should contain relevant information on a best-effort basis. Moreover, all incidents require a complete incident report within one month of the initial report.

Next to these requirements that apply to all organizations, there are also category-specific requirements. Essential organizations will be subject to on-site inspections and off-site supervision, including random checks. This includes annual and targeted audits, based on risk assessment outcomes or available risk-related information. When requested, these organizations must hand over any form of information needed to perform these supervisory tasks to the auditing entity. This information includes access data, documents, and proof of implemented cybersecurity measures. When necessary, governments will have the ability to impose deadlines and binding instructions on these organizations to ensure compliance. On the other hand, important organizations are only subject to such audits when there is evidence or an indication that they do not adhere to the NIS2 obligations set for them. Unlike essential organizations, important organizations are not obliged to provide access to information for supervisory purposes. Note that how these requirements will be implemented or executed depends on each Member State's implementation of NIS2.

NIS2 does not only lay down obligations for organizations, however; it also helps them. Among other things, Member States must provide help in implementing the necessary cybersecurity measures, assist in incident response tasks, and set up information sharing arrangements. Moreover, they must warn organizations of possible cyber threats.

NIS2 Webinar Series

We recently presented a webinar where we invited Bart Groothuis, the NIS2 Rapporteur for the European Parliament, to talk about this new directive. During this webinar we discussed the need for this new directive, the changes that it will bring, and how the Member States will help organizations comply with the obligations presented in NIS2. Watch the recording of the webinar here.

This webinar is the first in what will be a series of webinars about NIS2. If you want to be kept up to date with Secura's webinars, please subscribe to our newsletter.

Differences between NIS1 and NIS2

The European Commission created a fact sheet of the differences between NIS1 and NIS2. Download the fact sheet here.

[Figure: NIS1 vs NIS2. Source: European Commission]

Do you have questions about the NIS2 Directive? Feel free to contact us at info@secura.com or at +31 (0) 88 888 31 00.