Set to come into effect on 17 October 2024, the Network and Information Systems Directive (NIS2) is the European Union’s latest cybersecurity legislation aimed at enhancing security capabilities across the union and creating a more cohesive, aligned approach to mitigating emerging threats.
The legislation has been long in the making, and while organizations have had ample time to prepare, some have encountered difficulties in ensuring they are compliant.
Research from SailPoint in October 2023 found that a majority of UK firms were yet to introduce changes to adhere to key requirements outlined in the legislation.
The study, which was based on a survey of 1,500 IT decision-makers in the UK, Germany, and France, noted that a concerning number hadn’t even begun preparations.
Around 80% of respondents said they were still to properly assess and secure supply chains, while over three-quarters (76%) were yet to assess the efficiency of existing cybersecurity practices.
Three-quarters of organizations had also neglected to add new risk management processes (74%) while a similar number (72%) revealed they had made no efforts to bolster cybersecurity training for staff.
Speaking at the time, Stephen Bradford, senior vice president for EMEA at SailPoint, warned that the sluggish efforts from organizations raised parallels with GDPR.
“The threat landscape has been growing in volume and sophistication over recent years meaning the stakes have never been higher. Operational downtime, reputational damage, customer loss, and system restoration that follow any breach can cause a real headache for businesses,” he said.
“Organizations must learn from GDPR and use the next twelve months wisely to make sure cyber resilience is at the core of their business models.”
What is NIS2?
The directive is an updated version of the previous Network and Information Systems Directive (NIS) introduced by EU lawmakers in 2016, with new rules and requirements to enable organizations to contend with emerging security threats.
As part of this sweeping update, NIS2 will expand the number of protected critical sectors to 15 compared to its previous iteration, which saw just seven sectors identified as critical.
A key factor in this expansion lies in the potential material impact of a cyber attack on broader society if an organization in one of these industries was compromised.
Under NIS2, organizations will be graded as ‘essential’ or ‘important’ entities depending on the area they operate in.
Essential entities include:
- Energy providers
- Transport companies
- Banking and financial institutions
- Healthcare organizations
- Pharmaceutical manufacturers
- Water companies
- Public services
- Digital infrastructure organizations
- ICT services
Meanwhile, ‘important entities’ include:
- Postal and courier services
- Waste management firms
- Chemical manufacturers
- Food production and processing companies
- Electronics, machinery, and vehicle manufacturers
- Online marketplaces
- Higher education and research institutions
With this in mind, NIS2 not only expands the scope of the legislation to a broader array of industries, but also means stricter requirements for organizations, placing greater emphasis on proactive cybersecurity capabilities and operational resilience, as well as tightened supply chain security.
Under the legislation, organizations will be required to adhere to strict risk assessment and management rules, as well as new rules on incident reporting.
The latter of these is a particular key focus of the new legislation. Unlike its predecessor, NIS2 will require that every cybersecurity incident be reported regardless of whether it affected operations.
The goal of this is to help EU-based security authorities improve broader monitoring and response capabilities and create an aligned approach to cybersecurity across the union. As part of this approach, every EU member state will designate a Computer Security Incident Response Team (CSIRT) for incident reporting.
Reporting requirements in the event of an incident come in three key stages, starting with an initial disclosure - or ‘early warning’ - within 24 hours.
A second, more detailed report must be submitted within 72 hours containing an assessment of the incident, including its potential severity, impact, and indicators of compromise. A third, final, and comprehensive report must then be submitted within one month under the legislation.
Harsher penalties for those found in breach of the directive will also come into effect, raising the stakes for non-compliant organizations. Fines can reach up to €10 million for non-compliant organizations or 2% of global annual revenue, or whichever is higher.
Notably, under Article 31 of the legislation, senior management figures can be held accountable in the event of a breach that authorities deem to have been due to a lack of oversight or appropriate safeguards.
According to EU lawmakers, the addition of liabilities for senior management is aimed at emphasizing the importance of the legislation while relieving the burden placed on IT teams.
“In an attempt to lower the pressure put on IT departments to single-handedly ensure the security of the organization and to change the sentiment of whose responsibility cybersecurity is, NIS2 includes new measures to hold top management personally liable and responsible for gross negligence in the event of a security incident,” according to official NIS2 learning materials..
“Specifically, NIS2 allows Member State authorities to hold organization managers personally liable if gross negligence is proven after a cyber incident.”
This raises the stakes for the C-suite and security leaders and means senior management must take steps to ensure compliance. But what steps can organizations take to comply?
How can organizations prepare for NIS2?
First and foremost, it’s critical for organizations to realize that NIS2 does not apply specifically to European entities, but also to any that operate within the union, even if they are headquartered outside the EU. This widens the scope of the legislation significantly and underlines the wider implications of the new rules for enterprises.
Organizations that fall under the scope of the regulation can start by assessing their risk profile to establish any potential weak points within their internal cybersecurity processes.
Risk assessments can be carried out by in-house staff. However, in some circumstances, organizations may not have the capabilities or financial resources to conduct such an extensive audit. In these scenarios, employing the services of a third-party provider to conduct this on your behalf could be an option.
Audits of external risk are also advised given the strong emphasis NIS2 places on supply chain security. According to research from Gartner, almost half (45%) of organizations are expected to have experienced a software supply chain attack by 2025.
With NIS2 set to be in effect by then, organizations must ensure they assess any risks posed by managed services providers and third-party vendors.
In preparation for NIS2, organizations must also assess how they intend to ensure business continuity in the event of a serious cybersecurity incident. Best practice tips from the EU include formulating plans on emergency procedures and system recovery in the event of an incident.
