Blog post

Understanding the NIS 2 Directive: Is Your Business Safe?

EU cybersecurity legislators go after both innocent mistakes and intentional fraud in the digital-first era, imposing strict cybersecurity obligations on organizations in various critical infrastructure sectors and key industry verticals

February 20, 2024 11 mins read

Securing the future. What is the NIS 2 Directive?

Every day, there are 2,200 cyberattacks globally, with an attack happening roughly every 39 seconds. The cybersecurity scenario in Europe is marked by attacks on virtually every company or institution across the EU. It’s noteworthy that many incidents are managed internally by European businesses, aiming to safeguard their reputation by avoiding public reporting of breaches.

In an era dominated by technological advancements, the European Union has taken a proactive stance with the introduction of Directive (EU) 2022/2555, the Network and Information Systems 2 (NIS 2) Directive. This Directive will come into force as part of EU law on 17 October 2024 and replace the original NIS Directive, whose adoption fell short of its goals. Introduced in 2016, NIS failed to provide a standard to which all EU Member States could adhere; its uneven transposition produced a patchwork of national regulations with unclear financial penalties for noncompliance.

In 2023, Europe faced the majority of hacktivist attacks, with a whopping 85%, followed by North America at 7% and the Middle East at 3%

Orange Cyberdefense

The NIS 2 Directive is aimed at enhancing cybersecurity across an expanded number of critical industry sectors, marking a crucial step in fortifying the digital infrastructure that underpins our daily lives. As our dependence on interconnected systems grows, so does the need for robust cybersecurity measures to protect against evolving threats.

Rather than having individual EU countries formulate their own regulations, NIS 2 sets baseline requirements for all Member States. This approach enables the EU to function as a cohesive unit in safeguarding against cyber threats, contributing to the enhanced safety of everyone’s digital experience.

It should be noted that as a result of exiting the EU, the UK will not be bound by the NIS 2 Directive but will look to use the essence of the Directive in making changes to existing UK cybersecurity laws and the scope of current NIS regulations. This will likely include more rigorous regulations surrounding managed service providers, more security-related policies, and increased obligations for incident reporting when considering the evolving threat landscape for risk management of third parties and supply chains.

The good, the bad, and the optimistic. NIS 2 Directive highlights

The key objective of the NIS 2 Directive is to build, expand, and improve upon its predecessor by extending its scope to cover a broader range of essential service providers and digital service platforms. The Directive recognizes the reliance on interconnectivity within critical sectors such as energy, healthcare, finance, and transportation, emphasizing the need for a harmonized approach to cybersecurity. By establishing a common set of cybersecurity requirements, NIS 2 aims to create a resilient and secure digital environment for both businesses and residents of EU countries through:

[Figure: NIS 2 cybersecurity directive]

Establishing a harmonized cyber fitness program that integrates people, processes, and technology sounds like a perfect solution for building readiness against cyber threats. However, the NIS 2 Directive comes with a range of stringent requirements.

With impending enforcement in October 2024, there is limited time left to implement all cyber strategies for NIS 2 compliance. Successful implementation will require wide-ranging efforts across the organization to ensure smooth adoption, from conducting security awareness training and IT audits to implementing governance systems and strategically selecting technologies to deliver secure authentication and encryption. To make it more interesting, covered entities face fines for failing to meet NIS 2 security standards. The Directive imposes fines up to €10 million or 2% of total worldwide turnover, whichever is higher, for noncompliance with risk management measures or reporting obligations.

In the worst-case scenario, NIS 2 noncompliance might combine breach notification costs and GDPR fines with the NIS 2 fines themselves. Beyond the direct cost, this damages brand perception and can result in loss of service availability, with potentially devastating consequences for the organization, its services, and its clients.

Time to upgrade. Differences between NIS and NIS 2

In retrospect, the attempt to regulate the new digital reality with NIS was a huge step, possibly comparable to the newly introduced EU AI Act. Though flawed, the Directive on Security of Network and Information Systems (NIS) was a trailblazing cybersecurity law in the EU, building a foundation for future safety and cyber resilience. The second refined and improved version, NIS 2, includes more specific guidelines and measures for its uniform implementation across EU Member States.

NIS 2 revises the previous NIS industry classifications, opting for an essential or important categorization based on sector, type of service, and, in most cases, the entity’s size instead of the previous operators of essential services (OES) or relevant digital service providers (RDSPs) — a distinction that did not adequately reflect an organization’s societal and economic importance.

The new Directive has expanded its coverage to reach more types of companies, increasing the number of sectors required to safeguard digital assets. These now include essential services in health, energy, transport, and finance, as well as additional sectors like social media, public administration, manufacturing (e.g., of medical devices), postal and courier services, and waste management.

[Figure: Sectors affected by NIS 2]

While the original NIS outlined security and incident reporting requirements for essential service operators and digital service providers, NIS 2 enhances these by introducing 10 core cybersecurity measures, covering areas such as incident response, vulnerability handling, risk management effectiveness, computer hygiene, cryptography use, human resources security, access control policies, and asset management.

While NIS established a baseline for EU Member States but saw varying degrees of implementation, the NIS 2 Directive strengthens enforcement with stronger mechanisms and measures. It introduces higher fines and stricter regulatory oversight to ensure compliance, establishing a list of administrative sanctions, including fines for breaches of cybersecurity risk management and reporting obligations. It also strengthens national authorities’ supervision of companies, especially those in critical sectors, and reinforces sanctions for noncompliance.

NIS 2 marks a shift from the original NIS, which gave limited attention to supply chain and service provider security. NIS 2 treats supply chain security as pivotal to an entity’s overall security, which is evident in its specific provisions addressing the security of ICT supply chains and supplier relationships.

60% of C-Suite executives consider supply chain attacks as the most probable type of cyber threat that could impact their business.

Gartner

NIS aimed to boost collaboration among EU Member States in tackling cyber threats, and NIS 2 takes this further by enhancing cooperation and information sharing. It establishes the European Cyber Crisis Liaison Network (EU-CyCLONe) to coordinate the handling of large-scale cybersecurity incidents, expands the Cooperation Group’s role in information sharing and cooperation among Member State authorities, and introduces coordinated disclosure of vulnerabilities found across the EU.

Impact of the NIS 2 Directive on the EU digital market

Transparency and cooperation

One notable feature of the NIS 2 Directive is its emphasis on transparency and cooperation among Member States and relevant stakeholders. The Directive aims to promote sharing of information regarding cybersecurity incidents, with the aim of ensuring a more collective response to emerging threats across Member States. This collaborative approach will look to enhance the overall cybersecurity posture of EU countries, enabling a faster and more effective response to evolving cyberattacks that could potentially have serious cross-border implications.

Risk management and incident reporting

NIS 2 introduces a risk-based approach to cybersecurity, requiring operators of essential services and digital service providers to assess and manage risks to their network and information systems. By adopting risk management practices, organizations can tailor their cybersecurity measures to address specific threats and vulnerabilities, which it is hoped will foster a proactive rather than reactive cybersecurity culture. Additionally, the Directive identifies incident reporting obligations, mandating that any significant cybersecurity incident is promptly communicated to relevant authorities to aid the facilitation of a coordinated response.

[Figure: NIS 2 requirements]

Business continuity and crisis management

One of the goals of NIS 2 is to ensure that a business can continue its operations in the event of a cyberattack. This means organizations must have a solid plan for how they will react and recover as soon as possible, minimizing any disruption.

Risk analysis and information security policies

To ensure NIS 2 compliance, organizations must perform a thorough analysis of potential risks to their infrastructure and data. This analysis should also include an assessment of the company’s existing security measures and their alignment with industry standards. Such an assessment helps to identify any gaps and deficiencies in the company’s security policies and procedures, suggesting possible improvement measures.

Incident handling

The NIS 2 Directive requires organizations to establish transparent incident handling procedures covering prevention, detection, response, and recovery measures. Companies must swiftly contain incidents, mitigate their impact, and adhere to reporting protocols without undermining incident management. Initial notification must occur within 24 hours, with a comprehensive report due within a month. The Directive treats reporting as a support for incident management, which remains the primary focus.

Use of cryptography and encryption

As a proactive security measure, the NIS 2 Directive mandates the use of cryptography and encryption, specifically multi-factor authentication and end-to-end encryption, to protect data and ensure the security of communications. Under NIS 2, the encryption technologies applied by the organization must protect data both in transit and at rest, preventing unauthorized access along the entire communication channel.

Supply chain security

Under NIS 2, organizations need to evaluate and manage not only their direct security risks and vulnerabilities but also those of their suppliers, providers, and business partners. When multiple entities are connected in a supply chain, any weak link may become a potential breach point, threatening the security of all participants.

To ensure NIS 2 compliance, businesses must apply security measures capable of addressing vulnerabilities within each member of the supply chain. For this purpose, it may be necessary to review existing toolsets and technology stacks and choose solutions that can ensure the required level of protection.

Protecting digital service providers

Recognizing the increasing volume and importance of digital service providers in today’s interconnected landscape, NIS 2 extends its scope to cover a wider range of online platforms and marketplaces. This acknowledges the critical role these entities play in the digital economy and emphasizes the need to safeguard their systems against evolving cyber threats. By imposing cybersecurity obligations (both procedural and timebound) on digital service providers, the Directive aims to create a more secure online environment, bolstering consumer confidence in digital services.

Unleashing cyber strength. How to prepare your organization for NIS 2

Increasing reliance on digital services has led to a dramatic increase in the number of global ransomware attacks, further intensified by the complex and interconnected nature of modern systems. To address this evolving threat landscape, organizations need to integrate cyber resilience into their business models and risk management strategies. NIS 2 applies to all public and private entities critical to the EU’s economy and society. This includes those in vital sectors such as healthcare, energy, transportation, digital infrastructure, financial market infrastructure, food, social networking, cloud computing, data centers, and more. It is imperative for organizations to adopt a proactive stance towards cyber resilience to effectively navigate the challenges of this interconnected and digitally reliant era, especially in anticipation of enforcement of the NIS 2 Directive.

Cybercrime is predicted to cost the world $10.5 trillion annually by 2025

Cybersecurity Ventures

Understanding NIS 2 requirements

To adequately prepare for and meet the NIS 2 requirements, it’s crucial to start with understanding its mandates and their impact on existing business practices. Assess your organization’s readiness to comply with NIS 2 requirements and identify any potential compliance gaps, paying particular attention to areas like risk management, incident reporting, and supply chain security. Given that delays are often unavoidable and deadlines are tight, initiating this process early is vital to ensure smooth compliance.

Revamping cybersecurity frameworks

Aligning with NIS 2 involves implementing robust risk and information security management systems. This includes incorporating new security technologies, upgrading policies, and enhancing internal controls. Organizations must align their systems with clearly defined responsibilities, covering key processes such as incident handling, business continuity, third-party risk management, vulnerability management, and employee security awareness. Actively identifying, remediating, and monitoring security risks, including implementing mandatory multi-factor authentication (MFA) for all accounts, is crucial. This ensures a resilient cybersecurity framework in harmony with NIS 2 standards.

Fostering a security-oriented culture

Regular training sessions for employees are crucial in minimizing risks associated with human error and ensuring that employees are well-versed in cybersecurity best practices. Establishing a cybersecurity-centric environment begins among company leadership. A security-oriented culture then permeates the organization by ensuring a baseline of security awareness among employees. Customized security training is essential for both employees and stakeholders, helping them understand how their roles and responsibilities impact security and contribute to the promotion of cyber-fit resilience.

Incorporating partners and suppliers in NIS 2 compliance

Recognizing that the NIS 2 Directive is intricate, seeking advice from cybersecurity experts or legal advisors specializing in EU regulations is a worthwhile investment. Collaborate with suppliers, technology partners, and service providers to ensure alignment with NIS 2 requirements. Their nuanced insights can significantly impact outcomes, making them valuable allies in navigating the complexities of compliance.

Conclusion. Challenges and future considerations

Cybersecurity has undergone substantial evolution, transcending its conventional role as a routine IT task to become an integral element of strategic business initiatives, particularly in safeguarding vital infrastructure and ensuring the well-being of individuals, businesses, and communities.

The NIS 2 Directive is emerging as a pivotal instrument in fortifying the European Union’s overall cyber resilience and posture. By promoting transparency, cooperation, and risk management, NIS 2 looks to provide a comprehensive framework for safeguarding critical infrastructure and digital services. As the digital landscape evolves, NIS 2 serves to guide the EU towards a more secure and resilient future in the face of emerging cyber threats.

While the NIS 2 cybersecurity Directive represents a significant step towards a more secure digital future, considerable challenges remain. The dynamic nature and increased complexity and sophistication of cyber threats require continuous reassessment and adaptation of an organization’s security measures. In parallel, the Directive’s success relies heavily on broad universal adoption across EU Member States. However, ensuring uniform implementation poses a logistical challenge that will demand ongoing collaboration and information sharing.

At Intellias, cybersecurity is a mindset: a commitment to use digital innovation to make the world a better, safer place for future generations.

Our technology experts and security consultants keep up with the changing industry and regulatory landscape, staying abreast of the latest legislation and leveraging modern tools in our established cybersecurity practices. Catering to global clients across various industries, we proactively address security gaps through technology, streamlined operations, legal measures, and robust policy enforcement. Our end-to-end approach involves assessing security posture, prioritizing critical assets, implementing protective measures, developing recovery plans, and consistently training staff. Intellias secures your operations, applications, and platforms, letting you focus on your business with enhanced cyber confidence.
