NIS2: Who's in the scope and what security measures are required? (part 2/3)
You've made it to the second part of our three-part blog series on the NIS2 Directive. Check out the first part, which covers the background and reasons behind the NIS2 Directive.
As mentioned in the previous part, NIS2 brings some big changes.
What kind of security requirements does NIS2 list?
Even though NIS2 is largely based on the original NIS Directive, the new Directive brings some big changes. NIS2 introduces a set of enhanced security requirements. The flexibility to customise compliance with these requirements has been removed, because the excessive flexibility of the original NIS left room for vulnerabilities. NIS2 leaves no room for such vulnerabilities: it clearly outlines the rules that everyone must follow.
NIS2 lists 13 main information security themes that organizations must consider and implement in their own information security plans. Some of the most relevant ones are listed here. You can find the full-scale NIS2 report in Cyberday, which also contains prioritized recommendations for measures corresponding to the different requirements.
Risk assessment and management (21.2.a)
The organization should have clearly defined procedures for managing information security risks, which are used to assess the adequacy of the information security measures implemented by the organization and to identify the most important areas for development.
Incident detection, handling and reporting (21.2.b & 23)
When essential or important entities become aware of a significant incident, they must promptly submit an early warning within 24 hours. This should be followed by an incident notification, which must be submitted without delay and within 72 hours of becoming aware of the incident. The incident notification should include an updated assessment of the incident, including severity, impact, and indicators of compromise if available. A final report must be submitted within one month after the incident notification.
Cyber hygiene and training for personnel (21.2.g)
Essential and important operators must take care of the personnel's information security awareness through guidance and training. Here, the process should cover topics important to personnel, such as secure use of devices, software updates, secure remote work, and identity and access management.
Supply chain security (21.2.d & 21.3)
Supply chain security means examining the relationships between the organization and its suppliers from an information security perspective. From the point of view of delivering your own services, which partners are critical? What information security requirements have been set for them, and what evidence is there that these have been met?
Under NIS2, organizations are obliged to invest more than before in this kind of supply chain analysis and in passing information security requirements on to important partners.
Data encryption (21.2.h)
To ensure secure public electronic communications, promoting end-to-end encryption and data-centric security concepts is crucial. Providers may be required to implement end-to-end encryption while considering security interests, public safety, and law enforcement responsibilities. Preserving strong encryption is crucial for protecting data, privacy, and communication security.
Having a cyber security plan
In general, organisations need a plan to have all of the above topics covered and monitored. NIS2 also states that the management bodies of organizations must approve, for example, the risk management measures and oversee the implementation of the organization's cyber security in general. This requires more systematic planning and tools for cyber security.
Every Member State must appoint or create one or more competent authorities that will be responsible for handling significant cyber security incidents and emergencies (known as cyber crisis management authorities). It is the responsibility of the Member States to guarantee that these authorities possess sufficient resources to effectively and efficiently carry out the tasks assigned to them.
Does NIS2 apply to your organisation?
NIS2 covers a broader set of sectors (listed below) than the original NIS Directive. The sectors are divided into essential and important entities. The difference between the two is that a disruption of service within the essential group is expected to have serious consequences for a country's economy and security.
Unlike the original NIS with its operators of essential services (OESs), NIS2 uses a different approach. A "size-cap" is introduced, meaning that entities in the following sectors that are categorised as medium or large by the EU (over 50 employees and/or annual turnover over €10 million) will be subject to NIS2. However, entities defined as critical in Directive (EU) 2022/2557 will be in scope regardless of size or turnover. Critical entities include the essential entities shown below, as well as the production, processing and distribution of food.
- Financial market infrastructures
- Drinking water
- Waste water
- Digital infrastructure
- Trust service providers
- Top-level domain name registries
- Providers of public electronic communications networks
- ICT service management (B2B)
- Public administrations
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacture of medical devices, electronic products and transport
- Providers of online marketplaces, online search engines and social networking services platforms
- Research organisations
The Directive also applies to entities that meet the following criteria:
- Sole providers of a service essential for the maintenance of critical societal or economic activities within a Member State
- Disruption of their service could have a significant impact on public safety, public security, or public health
- Disruption of their service could induce significant systemic risk, especially for sectors with potential cross-border impacts
- Critical entities with national or regional importance within a specific sector or service, or interconnected sectors within a Member State
- Public administration entities at central or regional level providing services with significant impact on critical societal or economic activities after a risk-based assessment
Member States have the option to include public administration entities at the local level and educational institutions, especially those conducting critical research, within the scope of this Directive.
Supervision and enforcement
When it comes to the supervision of essential and important entities under the NIS2 Directive, there are some key differences in the approach.
For essential entities, regulators and authorities need to ensure that the measures put in place are strong enough to effectively mitigate risks and ensure the security of essential services. The aim is resilient supervision that acts as a barrier against any potential disruptions or failures.
For important entities, the focus is on monitoring and addressing incidents based on evidence or information indicating non-compliance. Regulators need to keep an eye on the operations of important entities and take appropriate actions when incidents happen. The focus is on detecting any issues quickly to maintain the smooth functioning of important services.
While the level of supervision may differ, the ultimate goal is to protect both essential and important entities and maintain the overall security of the digital infrastructure. The specific requirements and supervisory measures for each category are designed to match the criticality and potential impact of their services, ensuring that proper security measures are in place and any non-compliance is well addressed.
If an operator does not meet the requirements, an administrative fine of up to €10 million or 2% of the total global annual turnover can be enforced. In the most severe cases, fines of up to €20 million or 4% of the total global annual turnover can be enforced.
This was the second part of our three-part blog series on the NIS2 Directive. Read the final part: NIS2: get compliant with Cyberday.
Questions and feedback
Do you have any further questions, need another help article, or want to give some feedback? Please contact our team via firstname.lastname@example.org or the chat box in the lower right corner.