The aim of NIS-2 is to make sure that so called "essential" and "important" entities are resilient against cyber threats. If your business falls under the sectors outlined by this directive, understanding and complying with its requirements is crucial.
Technically, NIS-2 is an update to the original NIS Directive. But considering the broadened scope and much stricter requirements, it is, in fact, a wholly new framework. Many businesses that had no reason to investigate the original NIS Directive will have to comply with NIS-2 – or rather, with the national laws that transpose the directive into the national body of law (the member states' transposition deadline was 17 October 2024).
Who is affected by NIS-2?
The NIS-2 Directive significantly expands the range of sectors and services that must comply with its requirements. Businesses are classified into two main groups – so called Essential Entities and Important Entities – and the classification depends on both the sector an organization operates in and its size: as a rule, large enterprises in the high-criticality sectors of Annex I are essential entities, while medium-sized enterprises in those sectors and entities in the sectors of Annex II are important entities. Essential entities face stricter supervision and higher fines.
NIS-2, however, is not only aimed at businesses and organizations, but also at their management bodies, which must approve and oversee the cybersecurity measures and can be held personally liable for a lack of compliance.
Annexes I and II to the directive give a comprehensive list of the targeted sectors, and there are quite a few:
Essential Entities include:
- Energy (electricity, oil, gas and hydrogen; all including distribution and storage)
- Transport (air, rail, water, road)
- Banking and Financial Market Infrastructures
- Health (including hospitals and clinics)
- Drinking Water Supply and Distribution
- Wastewater Management
- Digital Infrastructure (data centers, DNS services, TLD name registries, cloud computing providers, trust service providers and public electronic communication networks and services)
- ICT Service Management (managed service providers)
- Public Administration (central and regional government bodies)
- Space.
Important Entities include:
- Postal and Courier Services
- Waste Management
- Chemicals Manufacturing and Distribution
- Food (large-scale production and distribution)
- Manufacturing (medical devices, computer products, electrical equipment, and more)
- Digital Providers (social media platforms, online marketplaces)
- Research.
Key Provisions and obligations of NIS-2
To strengthen cybersecurity, the NIS-2 Directive mandates several critical actions. Many of the requirements will be familiar to organizations that are already ISO 27001 certified or went through a similar process; others have a precedent in the GDPR. But taken together, and combined with enhanced reporting duties and the personal responsibility of executives and management, they form a whole new cybersecurity framework for the EU.
Here is an overview of the main requirements:
- Risk Management: Entities must regularly assess the risks to their network and information systems, prioritize critical assets and functions, and implement measures to manage the identified risks.
- Incident Reporting: Significant incidents must be reported to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. The 24-hour early warning is much faster than the 72-hour personal data breach notification most businesses know from the GDPR, so the detection, triage and escalation processes needed to meet it have to be in place before an incident happens.
- Governance and Accountability: Management bodies must approve the cybersecurity risk-management measures, oversee their implementation and can be held personally liable for non-compliance. Cybersecurity thereby becomes a board-level responsibility that is embedded in the organization's governance and decision-making processes.
- Training and Awareness: Members of the management bodies are required to follow cybersecurity training, and regular training and awareness programs for all employees are required to establish a culture of cybersecurity awareness throughout the organization.
- Supply Chain Security: Cybersecurity risks in supply chains and in the relationships with direct suppliers and service providers must be addressed, which includes assessing the suppliers' own cybersecurity practices and secure development procedures.
- Robust Security Measures: Organizations need to adopt technical, operational and organizational measures proportionate to the identified risks. Article 21 of the directive lists the minimum measures, among them incident handling, business continuity (backup management, disaster recovery and crisis management), security in the acquisition, development and maintenance of systems including vulnerability handling and disclosure, policies on the use of cryptography and encryption, access control and asset management, and the use of multi-factor or continuous authentication.
- Documentation and Records: Organizations need to keep detailed records of risk assessments, the security measures taken and their assessed effectiveness, and incident reports, since these records are what supervisory authorities will ask for during audits and inspections.
- Identity and Access Management (IAM): Because access control and multi-factor authentication are explicitly named among the minimum measures, organizations should implement IAM solutions that enforce strict access policies and identity verification. Multi-Factor Authentication (MFA) and Single Sign-on (SSO) are the features to consider first.
Enforcement
The enforcement of the NIS-2 Directive is robust and comprehensive, empowering national authorities across the EU to ensure compliance. These authorities have the mandate to supervise entities falling under the directive's scope, conducting audits, security scans and inspections to verify adherence to the cybersecurity requirements; essential entities are subject to proactive supervision, important entities to supervision after the fact, for example following indications of non-compliance. The authorities can impose substantial administrative fines on entities that fail to comply: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities. For essential entities, authorities may additionally request that individuals at the level of the CEO or legal representative be temporarily barred from exercising managerial functions until the non-compliance is remedied.
Additionally, national authorities are tasked with offering guidance and support to entities, helping them understand and meet their obligations under the directive. This dual approach of supervision and support aims to foster a proactive cybersecurity culture while maintaining strict adherence to the regulations.
The NIS-2 Directive also establishes mechanisms for cooperation and information sharing among member states: the Cooperation Group for strategic coordination, the CSIRTs network for operational cooperation, and the European cyber crisis liaison organisation network (EU-CyCLONe), which coordinates the management of large-scale cybersecurity incidents and crises across borders. By promoting a coordinated response at the EU level, the directive ensures that member states apply the requirements consistently and that best practices are shared across borders.
This cooperative framework not only strengthens the overall cybersecurity posture of the EU but also ensures that entities are held to consistent standards regardless of their location within the Union.
Conclusion and recommendation
The NIS-2 Directive represents a significant step towards enhancing cybersecurity across the EU. For businesses in the affected sectors, understanding and complying with these new regulations is not just a legal obligation but a crucial element of your cybersecurity strategy. By taking the necessary steps to comply, your organization can improve its resilience against cyber threats and contribute to a safer, more secure digital landscape in Europe.
To achieve compliance with the NIS-2 Directive, businesses should start by conducting comprehensive risk assessments of their network and information systems. This involves identifying critical assets, evaluating potential threats, and prioritizing risks based on their potential impact. Implementing robust technical and organizational measures is crucial, such as employing strong encryption, multi-factor authentication, and secure software development practices. Establishing a thorough incident detection and reporting protocol is also essential. Ensure your organization can quickly identify significant cybersecurity incidents, send the early warning to the national CSIRT or competent authority within 24 hours of becoming aware of them, follow up with the full notification within 72 hours and the final report within one month, and maintain detailed documentation of these incidents and the responses enacted.
Another critical aspect of NIS-2 compliance is strengthening governance and accountability within your organization. Cybersecurity should be a board-level priority, with senior management responsible for integrating it into the overall governance framework. Regular training and awareness programs for all employees are vital to foster a culture of cybersecurity throughout the organization. Moreover, businesses must address cybersecurity risks within their supply chains, ensuring that suppliers and service providers adhere to strong cybersecurity practices. Maintaining open lines of communication and cooperation with national authorities and other entities in your sector will help in staying informed about threats and best practices, thereby enhancing your organization's resilience against cyber threats.
As an Identity and Access Management (IAM) provider, Engity can support businesses in achieving NIS-2 compliance by ensuring robust access control and identity verification mechanisms. By implementing advanced IAM solutions, businesses can enforce strict access policies, ensuring that only authorized personnel have access to critical systems and data. IAM providers offer capabilities such as Multi-Factor Authentication (MFA), Single Sign-on (SSO), and other technologies essential for mitigating the risk of unauthorized access. Additionally, IAM solutions maintain detailed logs of authentication and access activities, which support incident investigation and the audit and compliance efforts by providing clear records for regulatory inspections.
With an IAM provider's expertise, businesses can streamline their identity management processes, reduce the risk of security breaches, and ensure adherence to the stringent requirements of the NIS-2 Directive.
Call To Action:
Is your business ready for NIS-2? Stay informed, stay prepared, and ensure your cybersecurity measures meet the new standards. For more information on how to comply with the NIS-2 Directive, or for assistance in bolstering your cybersecurity posture, contact Engity today.