The NIS2 Directive - What's in it for you?
After the extensive and ongoing implementation of the General Data Protection Regulation (GDPR), another (revised) legal framework is on its way from the EU/EEA. To keep pace with digitalisation, requirements are being tightened further to protect the EU/EEA from cyber threats and from attacks on critical infrastructure and organisations.
Colleagues Renate Thoreid and Espen Rahd from Norway and Lars Westerdahl from Sweden share their thoughts about the upcoming directive, and why compliance can add business value.
Objectives and Requirements of NIS2
The NIS2 Directive entered into force on 16 January 2023 and replaces the 2016 NIS Directive. “In short,” Renate Thoreid, Senior Cybersecurity Specialist at Watchcom, Norway, explains, “NIS2 will expand the scope of its predecessor by including organisations in new sectors considered critical to our society.”
NIS2 requires adequate and comprehensive security measures for networks and information systems in both private and public sector organisations across the relevant sectors in the EU, including medium-sized businesses and, in specific cases (for example sole providers of a service, or DNS and trust service providers), smaller entities regardless of size.
“The end goal here is key – that by establishing this common understanding and methodology for working with cybersecurity, NIS2 facilitates collaboration across sectors and countries”, says Lars Westerdahl, Infrastructure Security Analyst at Combitech, Sweden. This approach should leave organisations better prepared for what has become an increasingly complex and ambiguous threat landscape.
Frameworks like NIS2 improve our collective awareness and resilience by ensuring a shared understanding of information security across sectors and countries.
Here are some of our recommendations to organisations covered by the directive:
- Have a clear responsibility structure for information security (including increased management responsibility)
- Identify and evaluate risks to information security
- Implement security controls and measures to manage the identified risks
- Implement procedures for handling security incidents, including an early warning to the competent authority or national CSIRT within 24 hours of becoming aware of a significant incident, and notification of affected recipients where relevant (close cooperation with national security agencies on cyber threats is recommended)
- Ensure routines are in place to deliver an incident notification with an initial assessment of severity and impact within 72 hours of becoming aware of the incident, followed by a final report within one month
- Conduct regular audits and tests (emergency plans / exercises)
- Ensure sufficient training and cybersecurity awareness of employees
- Ensure that suppliers and partners maintain sufficient information security in their systems and processes (supply chain security is an explicit requirement of the directive, not an optional extra)
- Monitor and report unwanted events to authorities
- Collaborate with authorities and other relevant parties on information security
- Fulfil any sector-specific requirements for information security, depending on the industries and sectors the organisation operates within.
Each member state designates one or more competent national authorities to supervise NIS2 at the national level. These authorities may impose fines or other sanctions on organisations that do not comply with the requirements of the directive. Incident reporting and handling are typically routed through the national CSIRT (CERT), while supervision and enforcement rest with the designated competent authorities.
Who is covered by NIS2?
"Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected," states the Commissioner for the Internal Market, Thierry Breton in the Commission's press release.
Are you covered by NIS2? How should you implement the requirements?
The NIS2 Directive covers organisations based on size, impact and sector. It distinguishes two categories of entity, "essential" and "important":
- "Essential" entities are, broadly, large organisations in the sectors of high criticality listed in Annex I, such as energy, transport, banking, health and digital infrastructure (which includes cloud computing services)
- "Important" entities are medium-sized organisations in those Annex I sectors, together with medium and large organisations in the other critical sectors of Annex II, such as online marketplaces, online search engines, postal services, food and manufacturing.
Authorities will monitor and supervise organisations to ensure compliance. Failure to comply can result in administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities. An organisation in an Annex I sector with 250 or more employees, or with an annual turnover above €50 million and a balance sheet above €43 million, exceeds the ceiling for a medium-sized enterprise and is therefore classified as essential.
Important entities are, broadly, medium-sized organisations (50 to 249 employees, or turnover above €10 million) in Annex I sectors, and medium or large organisations in Annex II sectors. In the case of serious breaches by essential entities, authorities may also temporarily bar the responsible managers from exercising managerial functions and suspend certifications or authorisations, in addition to imposing fines.
One consequence of the division into two categories is that each is subject to its own supervisory regime: essential entities face proactive (ex ante) supervision such as regular audits and inspections, while important entities are supervised reactively (ex post) when there is evidence of non-compliance. Normally, enforcement falls to the designated national competent authority, such as a directorate for civil protection and emergency planning.
“If you have already implemented the NIS directive, all changes in NIS2 must be implemented by October 17, 2024. The same deadline applies to all organisations covered by the NIS2 directive,” says Espen Rahd, Senior Information Security Consultant at Watchcom, Norway.
What does NIS2 mean for your organisation?
Affected organisations must comply with all requirements of the directive, including requirements for risk analysis, cryptography and encryption, access control and multi-factor authentication, supply chain security, reporting of security incidents, and cooperation with authorities. It is important to note that the concrete requirements will vary depending on the organisation's size and the services it offers.
Many of the requirements and principles are already found in the Security Act and the GDPR. In addition, recognised standards and frameworks are useful tools for governing and managing information security, such as ISO/IEC 27001, the NIST Cybersecurity Framework and the CIS Controls.
Several essential services are also built around a production site or a distribution system with operational technology. In those cases, standards like ISA/IEC 62443 or NIST SP 800-82 provide the same kind of guidance for industrial control systems.
“Compliance with NIS2 requirements will help increase the level of security and more effectively protect organisations against the ever-increasing threat landscape. Organisations´ market position will be protected, and compliance will also contribute to increased business opportunities”, says Renate.
“Absolutely, and we recommend that organisations start working on NIS2 compliance as soon as possible. After all, organisations need to be compliant as early as autumn 2024”, adds Espen.
What measures need to be taken?
Here is our 10-point list of what your organisation can do to get started on meeting the NIS2 requirements:
1. Conduct an assessment of the organisation's most critical services and infrastructure, and of the dependencies between them.
2. Develop an action plan based on the risk assessment. The action plan should describe the measures that must be taken to address the identified risks, with owners and deadlines.
3. Establish an information security management system (ISMS). The system should ensure that the organisation has control over all security-related aspects of the business.
4. Implement technical security measures such as network segmentation and firewalls, endpoint protection, encryption, access control and multi-factor authentication. This will help protect the organisation's IT infrastructure and sensitive data.
5. Introduce security awareness training for all employees. This will help increase awareness of cybersecurity and reduce the risk of employee mistakes that could lead to security breaches.
6. Establish and regularly exercise crisis, business continuity and emergency plans.
7. Conduct regular reviews and testing of security measures to ensure that they function as intended. This will help identify weaknesses before an attacker does.
8. Ensure that you have sufficient resources and expertise in place to implement and maintain the management system.
9. Conduct risk assessments on a recurring basis to identify new threats and risks, and update security measures accordingly.
10. Establish contact and collaboration with the relevant authorities and the national CSIRT before an incident occurs, so that reporting channels are known when the 24-hour clock starts.
“All in all, the NIS2 directive is a great framework to help build the organization's cyber resilience and risk mitigation”, concludes Lars.