THE WHATS, WHENS, AND HOWS OF NIS2 (UPDATED)
Author Stash Kempinski - Security Consultant
This blog was initially written before the final version of NIS2 became public; it has now been adjusted to match the final version.
In December 2020, the European Commission proposed a successor to the Network and Information Security (NIS) Directive, namely NIS2.
This successor is needed because the rise in cyber threats and the rapid digitalization of the EU caused the original NIS Directive to become inadequate. The new directive has entered into force, and Member States must transpose it into national law by 17 October 2024. In this blog post we explain what NIS2 is, and when and how it applies to your organization.
WHAT IS NIS2?
The NIS2 Directive is an EU-wide legislation that aims to increase the level of cybersecurity within the European Union. It does so, among other things, by addressing a wider range of industry sectors, mandating cybersecurity measures to be implemented, and creating strict(er) incident reporting requirements.
Currently, the maturity of Member States in these areas varies widely; this legislation intends to harmonize it.
Note that NIS2 does not only require public and private organizations to improve their cybersecurity posture, it also requires national governments to set up EU-wide collaboration and coordinated vulnerability disclosure and sharing programs.
WHEN DOES NIS2 APPLY TO YOU?
The NIS2 Directive is intended for organizations that are classified as medium-sized or large by the EU, meaning organizations that have 50 or more employees and/or an annual turnover (or balance sheet total) above 10 million euros.
This so-called "size cap" does however not apply to organizations in certain sectors, such as ones that are deemed critical infrastructure.
Moreover, the size cap does not apply to organizations that provide public electronic communications networks or services, or that are the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities.
The size cap also does not apply where a disruption of the service could have a significant impact on public safety, security or health, or could create systemic risks. In other words, NIS2 always applies to organizations that fall in these categories, regardless of size.
TYPES OF ORGANIZATIONS
Furthermore, NIS2 differentiates between two types of organizations. They are classified as either important or essential, depending on the sector they operate in and their size. This classification greatly influences the responsibilities that organizations have once NIS2 is in effect.
These responsibilities are further explained in the next section; here we list which sectors fall within which classification.
ESSENTIAL: (sector table not reproduced)
IMPORTANT: (sector table not reproduced)
HOW DOES NIS2 APPLY TO YOU?
When implemented, NIS2 raises the minimum effort that organizations must spend on cybersecurity. It does so by allowing governments to hold members of management bodies personally liable for infringements, for example when gross negligence is proven after a cyber incident.
Depending on the organization's classification, NIS2 furthermore allows governments to temporarily prohibit a person from exercising managerial functions in case of persistent non-compliance.
This is however a worst-case scenario, and NIS2 provides guidance for preventing such negligence. For example, to ensure that management is sufficiently aware of cyber risks, NIS2 mandates that members of management bodies receive adequate cybersecurity training.
NIS2 advises that all employees receive similar training, but this is not mandatory. Furthermore, it requires risk management and risk assessment activities to be performed so that management is aware of, and has considered, the cybersecurity risks within the organization.
INCIDENT OBLIGATIONS
These proactive and preventive measures are not the only thing described in NIS2; it also describes mandatory post-incident activities. NIS2 defines an incident as an event that compromised or was capable of compromising "the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems". The reporting obligations below apply to significant incidents: incidents that cause or are capable of causing severe operational disruption or financial loss, or that affect others by causing considerable material or non-material damage.
When an organization becomes aware of such an incident, it is required to provide an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, and to submit an incident notification within 72 hours.
The incident notification must include an initial assessment of the severity and impact of the incident and, where available, indicators of compromise. Lastly, every significant incident requires a final report within one month of the incident notification.
IMPORTANT VS ESSENTIAL CLASSIFICATION
Next to these requirements, which apply to all organizations in scope, there are also category-specific requirements. Essential organizations are subject to on-site inspections and off-site supervision, including random checks.
This includes regular and targeted security audits, based on risk assessment outcomes or other risk-related information available to the authorities.
When requested, these organizations must hand over any information needed to perform these supervisory tasks to the supervising entity. This includes access to data and documents, and evidence of implemented cybersecurity measures.
When necessary, governments have the ability to impose deadlines and binding instructions on these organizations to ensure compliance. Important organizations, on the other hand, are only subject to such supervision after the fact, when there is evidence or an indication that they do not adhere to the NIS2 obligations set for them.
The difference is therefore one of timing rather than scope: within such an ex post procedure, important organizations can equally be required to hand over data, documents and evidence of implemented measures. Note that how these requirements are implemented and executed depends on each Member State's transposition of NIS2.
HOW THE GOVERNMENT WILL HELP YOU
NIS2 does not only lay down obligations for organizations, it also helps them. Among other things, Member States must provide assistance in implementing the necessary cybersecurity measures, assist in incident response, and set up information sharing arrangements. Moreover, they must warn organizations of cyber threats that might be relevant to them.
NIS2 WEBINAR SERIES
We have already held two webinars related to NIS2.
NIS2 WEBINAR 1
In the first webinar we invited Bart Groothuis, the NIS2 Rapporteur for the European Parliament, to talk about this new directive. During this webinar we discussed the need for this new directive, the changes that it brings, and how the Member States will help organizations comply with the obligations presented in NIS2. Watch the replay here: Webinar | The NIS2 Directive
NIS2 WEBINAR 2
In the second webinar we invited Jasper Nagtegaal of the Dutch Authority for Digital Infrastructure (RDI) to talk about NIS2 from a regulator's perspective. In this webinar Jasper provided insights into how the Dutch government handled the enforcement of the original NIS Directive and how NIS2 will be enforced by the RDI. Watch the replay here: Webinar | NIS2 Perspectives from a Regulator.
These webinars are part of our NIS2 webinar series. If you want to be kept up to date on the webinars that Secura holds, subscribe to our newsletter at the bottom of this page.
DIFFERENCES BETWEEN NIS1 AND NIS2
The European Commission created a fact sheet of the differences between NIS1 and NIS2, which can be downloaded from the Commission's website.
NIS1 compared to NIS2 (Source: European Commission)
ABOUT SECURA
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80,000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.