This is the second blog in IDC’s series focusing on the implications of the EU’s updated Security of Network and Information Systems directive, NIS2. The directive comes into force in January 2023, after which Member States have 21 months to transpose it into their national law – by October 2024.
The broad aim of NIS2 is to engender a high common level of cybersecurity in the EU, across all Member States, in the long term.
The first blog looked at the regional and national entities that are tasked with transposing and implementing the new directive, as well as some of the mechanisms that are being put into place to effect improved cybersecurity across the bloc.
This second instalment looks at which organizations NIS2 will apply to and what will be required of them.
Expanding the Reach
The first NIS directive introduced a clear focus on improving cybersecurity and risk management at critical infrastructure in Europe: energy (electricity, oil, and gas), transportation, drinking water supply and distribution, healthcare, banking and finance, and digital infrastructure (Internet Exchange Points, DNS service providers, and Top-Level Domain (TLD) name registries). These were defined as operators of essential services (OES’s).
The volume and frequency of cyberattacks since the first directive came into force has driven home the message that cybersecurity safeguards and improvements need to be more far-reaching. Industry sectors that may not be viewed as critical may supply components or services to critical infrastructure, from electrical equipment to medical devices. Disruption of food production and distribution or waste management can have a major impact on the function of society. Digital providers such as search engines and online marketplaces are recognized for their universal value.
Consequently, the NIS2 directive extends coverage into all these segments and more. A full list of sectors defined as high criticality or critical is below:
High Criticality Sectors
- Energy.
- Transport.
- Banking.
- Financial market infrastructures.
- Health.
- Drinking water.
- Waste water.
- Digital infrastructure.
- ICT service management (B2B).
- Public administration.
- Space.
Other Critical Sectors
- Postal and courier services.
- Waste management.
- Manufacture, production and distribution of chemicals.
- Food production, processing and distribution.
- Manufacturing (medical devices, computer, electronic and optical products, electrical equipment, motor vehicles, transport equipment).
- Digital providers (online marketplaces, search engines and social networks).
- Research organisations.
Furthermore, it is recognized that it is not only large enterprises that represent a target for cybercriminals or are fundamental to critical services. Consequently, the NIS2 directive also extends the scope to cover midmarket organizations with 250 or more employees and turnover of €10 million or more.
The To-Do List
So, if your organization falls within the sectors covered by NIS2, what requirements are coming your way in the next two years? There are two major aspects to this, detailed in Chapter 4 of the directive, Cybersecurity risk management measures and reporting obligations.
Article 21 of the directive covers the cybersecurity risk management measures and lists the following 10 areas as the minimum recommendation:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems acquisition, development and maintenance
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- HR security, access control policies and asset management
- MFA, continuous authentication, and secure communications where appropriate
It is likely that most entities within critical infrastructure sectors will already have many of these technologies and measures in place, to some degree. The question will be in the level of detail or prescriptiveness that member states go to when transposing this article into their national legislation.
The directive emphasizes that the implementation of these measures should take into account the state-of-the-art, relevant European and international standards, the cost of implementation, the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact. These considerations should be used to determine appropriate or proportional measures.
Article 23 of the directive covers reporting obligations and requires that in the case of any incident that has a significant impact on the provision of their services, essential and important entities notify their CSIRT or competent authority. An early warning should be submitted within 24 hours of the organizations becoming aware of a significant incident, and a more comprehensive incident notification should be submitted within 72 hours.
Further reporting obligations are detailed within the directive and it will be necessary for all organizations covered by NIS2 to familiarize themselves with these obligations once they have been transposed into their national law.
Conclusion
It is early days still for NIS2 and much will depend on the work done over the next 21 months. Nevertheless, the cyberthreats driving this directive will not wait and the benefits from improved cybersecurity measures will outweigh the risks.
Regardless of the final wording of the local versions of the directive, organizations can benefit from getting up to speed with NIS2 and engaging with the existing cybersecurity authorities within their countries to develop their strategies.