What is NIS2?
NIS2, the revised version of the Network and Information Security Directive, is a European directive that aims to ensure a high common level of cybersecurity across the EU. The directive entered into force on Monday, January 16, 2023. However, each EU member state has until October 18, 2024 to transpose it into its own national law. Consequently, businesses and organisations still have some time to become familiar with the directive and plan for compliance.
To start with, let’s talk about what is new in NIS2. Then, we’ll discuss who must comply. Finally, we’ll consider why it is so important to prepare for NIS2, and how to do so.
Background for NIS2
The original NIS was adopted in 2016. It was the first cross-sector cybersecurity law in the EU. Both NIS and NIS2 have the goal of contributing to the Union’s security and to the effective functioning of its economy and society.
However, the first NIS was limited in its scope and rather conservative with its penalties. It also allowed member states great freedom to set their own requirements. This led to inconsistencies from one country to another as far as who had to comply, the requirements themselves, their level of detail, and the country’s method of supervision.
These discrepancies between countries’ cybersecurity standards make it more complicated and expensive to offer goods or services across borders. Even if one country has a high level of security, when it does business with a more vulnerable country, this can create a spill-over effect and greater risk for the entire EU. Ultimately, NIS was not enforced in most countries. For these reasons, NIS2 was created.
Principles of NIS2
The text of NIS2 acknowledges the shortcomings of the original NIS. Further, it points to the intensification and increased sophistication of cyber threats as a reason for updating the regulation.
Compared to NIS, NIS2 will:
- Apply to a greater number of sectors and industries.
- Have larger fines for non-compliance with requirements.
- Be more specific when outlining cybersecurity and risk management measures.
- Include stricter incident reporting rules.
- Encourage more cybersecurity collaboration between EU member states.
Overall, the improvements and changes in NIS2 make it more consistent across the EU and better address the challenges of the present day.
Who has to comply with NIS2?
NIS2 applies to organisations and companies within the European Union (EU) member states that operate in the sectors it lists. The directive divides the organisations that must comply into ‘essential entities’ and ‘important entities’. If your business (whether public or private) belongs to one of these 11 sectors, you may be an essential entity:
- Drinking water
- Digital infrastructure
- ICT service management
- Public administration
On the other hand, important entities are public or private organisations in these 9 sectors:
- Postal and shipping services
- Waste management
- Production and distribution of chemical products
- Production, processing and distribution of foodstuff
- Manufacturing (medical devices; IT, electronic and optical products; electrical equipment; machines and equipment; automotive vehicles and other transport equipment)
- Digital suppliers
- Research
Essential entities can be investigated at any time through audits and inspections, whereas important entities will only be investigated after an incident. All medium and large companies in the selected sectors must comply with NIS2. Additionally, member states can require smaller organisations with a high security risk profile to comply, and can take steps to ensure that even entities excluded from the scope achieve a high level of cybersecurity.
How to comply with NIS2
Compared to, for example, the GDPR, NIS2 is much more specific about the technical, operational and organisational measures companies should take to reduce security risks. NIS2 prescribes a risk-based approach to cyber and information security. The approach involves performing thorough risk assessments and gap analyses to identify vulnerabilities, security threats and the potential impact of a data breach. It is also crucial that you carry out a risk assessment of your supply chain and suppliers.
As part of risk management, preventive measures must be implemented. As a minimum, companies must have the following in place:
- Policies for risk analysis and information system security
- Incident handling and reporting policies
- A business continuity plan (backup management, disaster recovery, and crisis management)
- Supply chain security (include security in your contracts with suppliers and service providers)
- Security in network and information systems acquisition, development and maintenance
- Policies and procedures to assess the effectiveness of your risk-management measures
- Training for your employees in basic cyber hygiene practices and cybersecurity
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems internally, where appropriate.
All of these measures are meant to reduce risk and to prevent or minimise the impact security incidents have on the recipients of your services. Since these are minimum requirements, individual countries may add to them when they transpose the directive. All companies that will fall under NIS2’s scope should at least begin putting these minimum security measures in place.
How to report a breach of NIS2
You should report all significant incidents to your country’s CSIRT (computer security incident response team) or to another competent authority in your country. There are at least 3 stages to proper reporting:
- Send an early warning within 24 hours
- Complete an initial assessment within 72 hours
- Prepare a final, detailed report, not later than one month after your initial assessment.
Your final report should include the following:
- A detailed description of the incident, including its severity and impact.
- The type of threat or root cause that is likely to have triggered the incident.
- Applied and ongoing mitigation measures.
- Any cross-border impact of the incident.
If the incident has still not been resolved at the time of this final report, you may need to provide a progress report instead, followed by a final report within one month of resolving the incident.
Each member state will set its own maximum fine, based on a baseline percentage of global annual turnover set out in NIS2:
- Essential entities: A maximum fine of at least 2% of global annual turnover
- Important entities: A maximum fine of at least 1.4% of global annual turnover
In the case of essential entities, the CEO or legal representatives may also be temporarily suspended from exercising their managerial functions after an incident, and authorities may appoint a monitoring officer to supervise the company’s compliance going forward.
The smart way to prepare for NIS2
Preparing for the NIS2 directive manually is a time-consuming task. Many companies feel that adding proper risk management is overwhelming and that they do not have the resources for it. Unfortunately, if you think compliance is expensive, try non-compliance. Security incidents can interrupt your business, cost you money and undermine customer confidence.
If you are looking for an easy way to prepare for NIS2, check out our Data Discovery tool. With DataMapper you can support a risk-based approach to your information security. DataMapper enables you to prepare thorough risk assessments and gap analyses in order to identify weaknesses in your data security. DataMapper can show you which sensitive information you store: what type of information it is, who has it, which systems and folders it is stored in, and much more. This lays the groundwork for reducing your risks and ultimately meeting the requirements set by the NIS2 directive.