The NIS2 (Network and Information System revision 2) came into force on 16 January 2023 and must be implemented by all EU Member States by 17 October 2024 at the latest. What is NIS2 and should I be concerned?
The EU's NIS2 Directive scope is significantly wider than NIS1. NIS2 scraps the categories of "operators of essential services" and "digital service providers", replacing them with two categories, "essential entities" and "important entities", to include medium and large organisations (NIS2 introduces a size-cap rule, but with some exceptions for certain entities that are within scope irrespective of their size) operating in the following sectors:
"Essential Entities" include: energy; transport; banking; financial markets infrastructure; health; drinking water and wastewater; digital infrastructure (such as cloud service providers, data centre service providers, trust service providers, content delivery networks, and public electronic communications networks and services); ICT service management; public administration; and space.
"Important Entities", which are subject to lesser oversight than essential entities, include: postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers (such as providers of online marketplaces, online search engines and social networking services platforms); and research.
NOTE: Managed service providers are to be caught by the "ICT service management" category.
NIS2 has three general objectives:
- Increase the cyber resilience of a broad range of European Union-based enterprises operating in all relevant industries and performing essential activities.
- Reduce inconsistencies in internal market resilience in industries currently covered by the directive by unifying cybersecurity capabilities.
- Enhance joint situational awareness and the collective capacity to plan and respond by boosting information sharing and establishing norms and procedures in the case of a large-scale incident or crisis.
What are the changes in NIS2 Directive?
NIS2 encompasses three changes when compared to NIS:
- Expanded applicability
Under the current Directive, operators of essential services (such as banks, healthcare providers, and providers of drinking water and energy) and digital service providers (to include cloud service providers and online marketplaces) are already required to improve their digital security and report cyber incidents.
NIS2 broadens the scope of NIS by adding new industries, such as telecommunications, postal services, social media platforms, and public administration, which includes state and provincial government agencies.
Entities under the purview of NIS2 will be divided into two categories, essential entities and important entities, with the distinction based on how critical the sector concerned is. Important entities are primarily medium- to large-sized entities for which a hypothetical disruption of services would not have severe societal or economic repercussions.
NIS2 will also apply to subcontractors and service providers with access to vital infrastructure, who were left out of the original version of the regulation. They are brought into scope because vulnerabilities in a provider's infrastructure could compromise the security of the critical organisation for which it operates. In the energy sector, for instance, security precautions will no longer be limited to electricity producers, transporters, and distributors: all subcontractors for essential infrastructure will be affected.
- Strengthened security requirements
NIS2 includes a list of seven elements that all companies must address or implement as part of the security measures they take:
- Risk analysis and information system security policies.
- Incident handling (prevention, detection, and response to incidents).
- Business continuity and crisis management (such as backup management, disaster recovery and crisis management).
- Supply chain security (including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers).
- Security in network and information systems (including basic computer hygiene practices and cybersecurity training).
- Policies and procedures for cybersecurity risk management measures (human resources security, access control policies and asset management).
- The use of cryptography and encryption (including policies and procedures regarding the use of cryptography and, where appropriate, encryption).
The proposal suggests a two-step process for incident reporting. Affected businesses are required to file an initial report within 24 hours of discovering an event, followed by a final report within one month.
In the supervision and implementation of these measures, management bodies will play a key and active role. Regarding enforcement, NIS2 specifies a minimum list of administrative sanctions that may be imposed on businesses that violate the regulations governing cybersecurity risk management or their reporting duties under the Directive. These sanctions include:
- Fines up to 10 million EUR or 2% of the total global annual turnover.
- Management liability
- Temporary bans against managers
- Designation of a monitoring officer
- Improved cooperation
NIS2 comprises provisions for measures to strengthen the level of confidence between responsible authorities, information sharing between competent authorities, and crisis response protocols.
In addition, the EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe) was developed to facilitate the coordinated management of cyber crises across the EU. The amended Directive would also establish an EU crisis management framework, requiring Member States to prepare a plan and designate national competent entities accountable for reacting to cyber events and crises at the EU level.
While your organisation may currently be exempt from implementing NIS2, you should be cognisant of the implications of the change and, if you have not already done so, be seriously considering implementing the seven NIS2 elements (mentioned above) as part of the security measures you are taking.
If you're concerned about NIS2, why not engage with SureSkills to assist you with meeting the required timelines, or ask us about our end user cybersecurity training courses.