In July 2016, the current Network and Information Security Directive (NIS Directive) became the first piece of EU-wide cyber security legislation. The NIS Directive aimed at securing networks and information systems belonging to critical and sensitive infrastructures in all EU member states. Six years later, in November 2022, the European Parliament updated EU legislation to promote investment in strong cyber security for essential services. The European Commission initiated the revision amid increased threats against critical infrastructure, driven by growing digitalization and the surge in cyberattacks.
"Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments and society more resilient to hostile cyber operations,"
- Dutch Member of European Parliament Bart Groothuis
The NIS2 Directive introduces new requirements to promote a high level of cyber security throughout the EU, strengthening the cyber security requirements for medium and large organizations operating and providing services in key sectors.
NIS2 differs from the original directive in two significant ways: it expands the number of critical sectors and extends the number of entities that must adhere to its security requirements.
For its scope, the NIS2 directive distinguishes two types of entities:
The original directive identified the following sectors as critical and in need of strengthening security:
The NIS2 now covers eight more sectors integral to our daily lives, including the public sector:
In summary, NIS2 covers 15 sectors that are crucial not only for the development of the economy but also for daily life in Europe.
As part of the NIS2 Directive, new security obligations are based on a systematic, analytical and risk-based approach. This approach is in line with other regulations, such as GDPR. Risk management and incident response are key in ensuring compliance with NIS2 and should be used to implement the directive's security measures.
A list of seven key measures is provided in NIS2 to help all essential entities manage network and information security risks. According to the legislation (Article 18), essential entities (EEs) and important entities (IEs) must take at least the following seven measures:
“1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”
The new NIS2 also focuses more on secure supply chains. Many companies that are not covered by the NIS2 Directive themselves have customers that are. Since those customers are now required to impose corresponding security requirements on their suppliers, the requirements can also increase significantly for businesses not covered by NIS2. NIS2 affects not only organizations within the EU but also organizations outside the EU that provide services in EU countries. Therefore, these organizations must also comply with the NIS2 Directive.
NIS2 will introduce a two-step incident reporting process to relevant regulatory authorities. This means that in the event of a security incident, organizations are required to submit an initial report within 24 hours and then have one month to submit a second final report. The NIS2 Directive has also introduced revised sanctions for companies that fail to comply with or violate the regulations.
NIS2 gives member states the right to issue an injunction when there is a security incident and the company refuses to cooperate with the authorities. Consequently, companies will have to comply with the state's request and may be fined between 1.4% and 2% of their annual revenue. NIS2 is an enhanced version of NIS with fines similar to those under GDPR.
To summarize, the main objectives of NIS2 are to achieve a high common cyber security level for operators of essential services, to improve resilience through stricter security requirements and tougher penalties, and to improve the EU's collective capacity to prepare for and respond to cyber threats and cyberattacks. In short, with the introduction of NIS2 you will have to adopt new ways of mitigating cyber security risks proactively, but not to worry, we can help.
The directive will be published in the Official Journal of the European Union in the coming days, after which member states have 21 months to implement it. Therefore, NIS2 is expected to be implemented by 2023 at the earliest and, more likely, in 2024. However, before this becomes law, it is crucial that you understand exactly what it means for your business, both in terms of compliance and in terms of changes to your current processes.
With our Next-Gen Vulnerability Management Platform (VMP), businesses can tailor their cyber security program to specific organizational needs and operational vulnerabilities. When you approach your cyber security program from a risk-based perspective instead of a compliance-first approach, you'll be able to prioritize security gaps and strengthen the cycle for addressing new risks and vulnerabilities continuously.
By analyzing incident reports, you can discover trends and patterns regarding your cyber security health. Vulnerability reporting isn't a one-off action. Your entire IT environment needs to be evaluated regularly for maximum effectiveness. Our reports give you an understanding of the risks you face. In addition to helping you comply with security regulations, they will help you determine which specific issues need fixing.
We provide continuous monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Create compliance-specific report templates to provide an immediate understanding of the compliance risk of your IT environment.
We'll help you to comply with laws and regulations to avoid legal issues.
Holm Security has helped hundreds of organizations meet the NIS requirements by providing a foundation for a systematic, analytical and risk-based approach to cyber risks through continuous and automated vulnerability management. For our customers, our Next-Gen Vulnerability Management Platform is a major step towards a more systematic approach to cyber threats in general and creates a foundation for a stronger cyber defense.
Together with our Success Program, we provide the tools you need and the training, service, and support needed to make your NIS compliance a part of your daily work.