In today’s interconnected world, a robust cybersecurity posture is not just a regulatory requirement but a critical component of business strategy. With our reliance on digital platforms, the broadening of the attack surface and the ever-increasing sophistication of threat actors, regulators will continue to pay particular attention to cybersecurity compliance.
The Network and Information Systems (NIS) 2 Directive aims to enhance the level of cybersecurity across EU essential and important entities. NIS2 works in tandem with other EU cybersecurity regulations, including the Digital Operational Resilience Act (DORA), discussed further below, the Critical Entities Resilience (CER) Directive, the Cyber Resilience Act (CRA) and GDPR.
Background to NIS2
NIS2 builds capabilities across the EU to mitigate threats to the network and information systems used to provide essential services in critical sectors, with the ultimate aim of contributing to the effective functioning of the EU single market. After entering into force on January 16, 2023, NIS2 is due to be transposed into national law across all 27 EU member states by October 2024. It builds upon (and replaces) the original NIS Directive (implemented in May 2018) by expanding the scope of companies that are subject to the legislation and introducing stricter requirements for incident reporting and cyber risk management.
Who does NIS2 apply to?
NIS2 covers a broader range of sectors, including:
- financial services,
- energy,
- transport and aerospace,
- healthcare and the pharmaceutical industry,
- water supply and distribution,
- digital infrastructure and ICT managed services,
- public administration (central and local).
Annex II sweeps in “other critical sectors” which include postal and courier services, waste management, wholesale or industrial-scale food processing and distribution, some manufacturing activities and certain digital service providers.
However, in order to fall within the remit of NIS2, an entity must provide its services in the EU, fall within one (or more) of the categories set out in the Annexes and meet the thresholds determined by the Directive (in basic terms, have 50 or more employees, or an annual turnover of €10m and an annual balance sheet total of €10m).
There are some exceptions to the threshold rules – for example, where the entity in question is the sole provider (in that member state) of a critical service, or where it is specifically designated as an “essential entity” by the competent authorities; finally, some entities are automatically designated regardless of size (such as qualified trust service providers and top-level domain name registries).
Reporting security incidents
Organisations in scope must provide an early warning of significant incidents as soon as possible, and no later than 24 hours after becoming aware of the event. The principle here is that local competent authorities (and the national CSIRTs established under NIS2) are able to share intelligence on material cybersecurity events which may have cross-border impact – a little like putting up a flare or making a smoke signal. The affected entities must then provide a more detailed notification within 72 hours.
This notification should include an initial assessment of the incident, its severity and its impact on critical services, as well as (if possible) any indicators of compromise. Again, this information can be used by local agencies and CSIRTs to (hopefully) share intelligence and enable other entities, organisations and public sector bodies to shore up their defences and mitigate the risk of contagion.
Cybersecurity measures
NIS2 mandates that essential and important entities implement and maintain comprehensive risk management measures (including regular cybersecurity assessments) and implement “appropriate and proportionate” technical and organisational measures.
It is important to note that the Directive is “outcomes” focused and does not prescribe the specific measures to be taken, although it does provide some guidance (see Article 21). The onus will be on essential and important entities to demonstrate that the steps they have taken to safeguard their networks and IT (and OT) infrastructure are commensurate with the risks posed to their operations and provision of services, so as to prevent incidents (or minimise the impact of those incidents on the recipients of their services, whether those services are received directly from the entity or indirectly – for example, through an intermediary or another service provider).
The recitals of the Directive refer to EU and international standards (such as ISO/IEC 27001) and whilst they can be used as a benchmark for good practice, they are not mandated (and indeed having an ISO/IEC certification will not serve as a total absolution of responsibility).
Managing supply chain risk
When considering cybersecurity controls, essential and important entities should not limit themselves to their own enterprise but must carefully consider their exposure to threats and vulnerabilities which might be introduced by their supply chain partners, vendors, and affiliates. Some of the most crippling incidents and outages affecting financial services, the energy sector, transport and aviation, and healthcare have resulted from security lapses in the supply chain.
To mitigate such risks, companies should regularly assess (and test) the cybersecurity practices, processes and procedures of their supply chain partners to identify (and address) vulnerabilities that might have an impact on the provision of essential services. It is vital that contracts with suppliers and vendors contain robust cybersecurity requirements and that those requirements are regularly stress tested against a range of severe but plausible scenarios.
Conclusions
Cybersecurity compliance under EU legislation (and in an increasingly interconnected world) is a complex but essential aspect of business strategy for multinational businesses.
By understanding the requirements of NIS2 (and other applicable laws and regulations) and aligning their practices accordingly, in-scope entities can enhance their cybersecurity posture, help protect critical infrastructure, and maintain the trust of their clients, customers and partners.