NIS-2: EU Directive Takes a Massive Step towards Increased Security


NIS-2 aims to establish an EU-wide common security standard for critical infrastructures and adjacent industries as well as vital supply chains. Here is a brief recap - and also a good reason why even non-critical industries should pay close attention.

The second generation of the European Network and Information Systems (NIS2) directive will be transposed into the legislation of each EU country. It builds on the original NIS directive from 2016. The aim then was to unify European NIS policies to reduce the impact of cyber incidents, particularly targeting businesses and institutions and services of a critical nature.

At the heart of NIS 2.0 are two key elements: the duty of care and the duty of notification. The duty of care obliges organisations to put their entire infrastructure in order. For instance, it becomes mandatory to have the facilities to monitor activities on the network. The duty of notification requires organisations to report when they face a cyber incident. This notion is not entirely new, as the GDPR regulations demand the same. So for all organisations seen as providing 'essential services' there is a lot of work to do, since many organisations have only just become aware that the NIS2 directive applies to them directly.

So it looks like organisations in numerous sectors will have to start taking measures to raise their cybersecurity maturity to a higher level. The exact level of maturity required will still be determined by each country's government. This is similar to the standard that government agencies are currently required to meet, but other rules may start to apply. The details will ultimately have to emerge from the resulting legislation, just as the Network and Information Systems Security Act is an interpretation of the original NIS directive. National legislation is, as of mid-July 2023, still pending and in various stages of draft.

More cyber attacks

The need to increase the cyber resilience of vital services is obvious. Over the past few years, we have seen an upward trend in the number of organisations facing cyber attacks. In addition, we also see an increase in the damage and lasting impact of a successful attack. The NIS2 directive was therefore created to safeguard the continuity and integrity of a number of vital sectors as well as supply chains. The original NIS covered sectors such as energy, drinking water and banks. The NIS2 drastically expands the list of vital sectors to include government services, food and managed service providers, among others.

EU Member States now have until 17 October 2024 to transpose its measures into national law. That sounds long, but for a law of this stature, that is a reasonably short timeframe. The NIS2 is a big step in the right direction when it comes to cybersecurity. However, it does take away a certain amount of freedom. Currently, the cybersecurity landscape among companies is very fragmented. Companies choose for themselves to what extent they do something about cybersecurity or not. By implementing the directive, you take away this freedom, but you can be sure that parts of the infrastructure meet a common minimum security standard. Since comprehensive risk management is also part and parcel of NIS2, companies will have to put down in writing which measures were and were not taken to improve security.

The notification requirement will increase cyber resilience. In the current situation and as dictated by GDPR regulations, an organisation only has to report a data breach, but not, for example, a ransomware attack (which by now is in most cases also a data breach due to double extortion schemes) or abuse of a vulnerability. So this is going to change. With information about a cyber attack being reported and shared more clearly and efficiently, companies will find it easier to learn from each other how to optimise their security.

Duty of care

But the duty of care will also make some demands on organisations. Depending on the current infrastructure, a lot may have to be done to comply with the standard that will eventually be included in the law. So organisations to which the NIS2 applies will have quite a lot to deal with. The various duties require a lot of investment. For instance, an important part of the duty of care is monitoring the systems. This is usually done in a security operations centre (SOC), but setting this up requires a lot of equipment and, even more problematic these days, staff. For many organisations, it will therefore be interesting to outsource this to a party offering a SOC as a service. This way, an organisation can comply with the new duty of care without having to set up a whole dedicated SOC by itself, which is already a daunting task, not helped at all by the rather narrow time frame. Bear in mind that setting up an in-house SOC, as well as the required infrastructure and the associated staff, is cost-prohibitive for a small company, so using external services is a de facto requirement. In addition, these cybersecurity parties often offer additional services to increase cyber resilience.

Why NIS-2 is a good idea, even outside critical sectors

But even if an organisation does not fall within the scope of the NIS2, it is wise to pay attention. Just because you are not designated as a vital sector does not mean you are less at risk. These organisations can also learn a lot from the duties and requirements that will be included in the new law. The NIS2 is inevitable and it is therefore important to see if you, as an organisation or company, fall within the scope. If so, it is wise to get started as soon as possible because it can take a lot of time to figure out what the new law will mean for you. A first step you can take as a company right now is to map out your cybersecurity maturity level and degree of risk management. Do you already have an information security policy and emergency disaster plan in place? Do employees know what their role is? Do they know how to spot phishing emails? By getting serious about it now, you will avoid surprises when the law comes into force. And those companies to which NIS-2 is not applicable? It turns out that all of the concepts, most notably those in Article 21 of NIS-2, are good ideas, regardless of criticality. Continuous or multifactor authentication is just as good an idea as constant security training and having good recovery plans in case of an outage. And that is universally applicable, regardless of what industry you are working in.

You can find more information about the NIS2 directive here.