Network and information security systems have become a key concern in the digital age where society is increasingly dependent on a well-functioning and secure digital infrastructure. With the rapid digital evolution and increasing threat of cyberattacks, it is crucial to strengthen collective action in this area. It is with these goals in mind that the EU has adopted the NIS2 Directive.
NIS2 is an updated version of the original NIS Directive (also known as the Network and Information Security Directive), which was adopted in 2016 and came into force in 2018. The purpose of NIS2 is to strengthen cybersecurity and protect critical infrastructures and services in the EU.
What is the NIS2 directive?
The NIS2 Directive regulates companies and authorities in the areas of cyber security and information security. The legislation requires the implementation of technical, operational and organizational measures to manage the risks that threaten systems.
The new NIS2 Directive is an important milestone in the EU's efforts to protect critical infrastructure. This translates into national executive orders that organizations must comply with. Compared to the original directive, NIS2 introduces a number of improvements and updates, including:
Expanded scope: NIS2 covers a wider range of sectors and services, such as food production and waste management, as well as the entire supply chain of the covered sectors.
Improved monitoring and enforcement: NIS2 includes strengthened requirements for oversight and enforcement of cybersecurity rules, giving organizations greater responsibility for ensuring compliance.
Increased requirements for security measures: NIS2 places increased demands on risk management and the implementation of damage prevention and mitigation measures that reduce risks and potential damages.
By understanding the NIS2 directive and how it affects your organization, you can meet the increased requirements and avoid penalties, and most importantly, minimize the risk of cyberattacks.
Who is affected by the NIS2 directive?
The NIS2 directive distinguishes between "essential entities" and "important entities".
Essential entities
- Energy & Power
- Transportation
- Finance
- Health & Wellness
- Drinking water and waste water
- Digital infrastructure
- Public administration
- Space travel
Important entities
- Mail and parcel services
- Waste management
- Chemical products
- Food & Beverage
- Pharma, electronics, optical equipment, machinery and vehicles
- Providers of online marketplaces, search engines and social platforms
The NIS2 Directive also recognizes the importance of protecting the entire supply chain from cyber threats. Although the directive primarily targets essential and important entities, it also contains provisions that take into account cyber risks in the rest of the supply chain.
While the directive does not directly require all organizations in the supply chain to comply with the same requirements as the primary affected entities, it creates a cascading effect where larger organizations impose security requirements on their suppliers and partners. This results in many more than the above being affected by the NIS2 Directive.
What does the NIS2 mean for your organization?
The NIS2 directive sets requirements for governance, risk management, security measures, business continuity and reporting to authorities. This is all done with the aim of improving cybersecurity and protecting your organization's network and information systems.
Among the key requirements of the directive are:
1) Management responsibilities
The organization's management must be familiar with the requirements of the directive and its risk management efforts. There is a direct management responsibility to identify and manage cyber risks and ensure compliance with the requirements of the NIS2 Directive.
2) Risk analysis and management
Organizations covered by the NIS2 directive must conduct a risk analysis and identify and assess all significant risks related to vulnerabilities and threats. Appropriate security measures must then be put in place.
3) Security measures
Affected organizations must implement appropriate technical and organizational security measures to protect their network and information systems against cyber risks. This may include updating software and hardware, using encryption, strengthening access controls and establishing regular security audits.
4) Business continuity
The organization must consider how to ensure business continuity in the event of a cybersecurity incident, including emergency procedures and the establishment of a crisis organization.
5) Reporting
The NIS2 directive requires affected organizations to report cybersecurity incidents that have a significant impact on the continuity of the services they provide. This means that processes must be established for reporting in a timely manner and within the framework the directive sets.
Among other things, the organization must provide information about:
- the number of users affected by the incident
- the cause and duration of the incident
- the geographical area affected, including other EU countries
- how the incident is being managed
6) The supply chain
Under the NIS2 directive, affected organizations must consider the security of their supply chains. This means assessing and managing the risks associated with your suppliers and other supply chain partners.
The NIS2 encourages organizations to implement appropriate security measures and monitor the supply chain to minimize the risk of cyberattacks. This can be done by requiring suppliers to comply with specific security standards, conducting regular security audits and requiring suppliers to report any cybersecurity incidents.
When does the NIS2 directive come into force?
On December 27, 2022, the final text of the NIS2 Directive was published, and thus the implementation countdown began.
The directive must be implemented throughout 2024, and while that might seem like a long time, meeting the requirements can require relatively large changes and allocation of resources. So, it's a good idea for all affected organizations to get started now.
There are a number of existing frameworks, certifications and the like that can help organizations along the way, including the ISO 27001 standard, and it may be a good idea to get external advice for the implementation process.