The NIS2 Cyber Security Directive was approved by the European Parliament on November 10th, 2022, to replace the previous legislation (the 2016 NIS Directive) in response to the growing cyber security threats that European Union Member States face, and will continue to face, every day. What should we expect from this evolution of the law?
NIS2 Directive: from 2016 to today
How the NIS Directive came into being
Over the past decade, in parallel with the increasing digitalization of business models, interconnectedness and interdependence, a highly complex, diverse, and constantly evolving cyber threat landscape has emerged. Regulators around the world have been called upon to take action and mitigate cyber risk, especially for the sectors and operators that deliver essential services to customers and businesses, such as energy, transportation, and digital infrastructure, and that are put at risk by cyber threats.
The NIS Directive in brief
The NIS Directive (EU 2016/1148 – Network and Information Security Directive) was created in response to this need. It is the first piece of European Union legislation whose main goal is to raise the level of Cyber Security within the EU.
The Directive has three main areas of focus:
- improving national cyber security capabilities;
- strengthening cooperation at the EU level;
- promoting a culture of risk management and incident reporting among key economic actors, in particular operators providing services essential to the maintenance of economic and social activities, and digital service providers.
In more detail, according to the Directive, each Member State must adopt a national cybersecurity strategy defining its objectives and the appropriate policy and regulatory measures, identify key entities in various critical sectors as "Operators of Essential Services" (OES), and ensure that those entities have taken adequate cybersecurity risk management measures. OES under the NIS Directive are also subject to a binding obligation to report cybersecurity incidents.
At EU level, the NIS Directive also establishes a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States. It also creates a network of national CSIRTs to foster information sharing and cross-border incident management capabilities.
The NIS Directive in the UK
In the UK, the NIS Directive was implemented into legislation as The Network and Information Systems Regulations 2018, which remain applicable after Brexit, with some modifications related to cooperation with EU bodies. The UK NIS Regulations derive from the EU NIS Directive and, as the Directive requires, companies and organizations identified as either operators of essential services (OES) or relevant digital service providers (RDSPs) are primarily affected in terms of enhancing their cybersecurity risk management and incident management practices.
Like the EU Member States, the UK has set its own financial penalty policy for non-compliance with the NIS Regulations. In particular, non-compliant organizations face fines of up to £17 million.
The application of NIS in the EU since 2016 and the need to evolve the Directive
In December 2020 the European Commission concluded an impact assessment on the functioning of the Directive in EU Member States. It highlighted several aspects of the legislation that could be improved. The Directive remains a cornerstone of cyber risk mitigation in the EU, where risk keeps rising in step with global events (the pandemic, geopolitical instability).
Moreover, it was noted that:
- in transposing the Directive, the Member States (MS) implemented methodologies that differ from each other, starting with the identification of Operators of Essential Services and of security measures, which produced inconsistent approaches, contrary to the goal of achieving a common level of cyber security across the MS;
- the sectors covered by the Directive do not include all production or service areas that are essential to the functioning of a state and that experience has shown to be vulnerable and therefore in need of greater protection (e.g. medical device manufacturing, waste management, aerospace);
- in addition, there was a need to raise the level of protection against some significant cyber risks, such as those related to the supply chain, which in recent years have resulted in large-scale incidents (e.g. SolarWinds).
To address these issues, in December 2020 the European Commission presented a new EU Cybersecurity Strategy together with a proposal for a revised Directive that aims to further raise the level of cybersecurity in the EU: the NIS2 Directive.
NIS2 Directive: EU’s response to the increased cyber risk on strategic sectors
NIS and NIS2 compared: The main and the new features
The new proposal, while retaining the form of a Directive and thus confirming the "minimum harmonization" approach of the NIS Directive, aims to achieve the following goals:
- a clearer and broader definition of the scope of application;
- a rationalization of the minimum security requirements and of the incident reporting requirements;
- a clearer definition of the oversight and enforcement activities of the competent authorities, plus a significant strengthening of sanctions, more closely aligned with the GDPR, for example;
- an increased focus on risk management and supply chain vulnerabilities;
- stronger collaboration between Member States and encouragement of information sharing among the various stakeholders.
The main areas of the planned security measures
Compared to NIS, which only requires generically "appropriate" measures to manage risks and prevent cyber incidents, NIS2 introduces a set of specific measures that the operators concerned must take.
These measures, listed in Article 21, include at least the following:
- risk analysis and security policies for information systems;
- incident management (prevention and detection of and response to incidents);
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in the acquisition, development and maintenance of computer and network systems; today this includes in particular critical environments such as cloud infrastructures and Industrial Control Systems;
- definition of strategies and procedures for testing and auditing, to assess the effectiveness of Cyber Security risk management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Timeline and future developments of NIS2 Directive
The final text of the NIS2 Directive was voted on and approved by the European Parliament on Thursday, November 10th, 2022. After formal approval by the Council and publication in the Official Journal, Member States will have 21 months to transpose its provisions into national law. Companies in the affected sectors will therefore need to plan for major changes in their cyber security management models to ensure compliance.
Ensure compliance in your business
Businesses operating in those sectors will face major changes in their cyber security management models in the near future. CyberSec professionals can provide the services you need to cope with increasingly sophisticated cyber threats and to comply with the regulations.
Contact us to schedule a meeting with our experts.