NIS2: All about the Directive, Legislation and Latest Status


What is the NIS2 guideline?

The NIS2 Directive, also known as the Network and Information Systems Directive, is a European legislation aimed at strengthening cybersecurity in the European Union. It aims to protect essential services such as energy, transportation, health care and financial services. The directive requires European member states to take appropriate measures to enhance the security of their networks and information systems, report incidents and cooperate in combating cyber threats.

Why the NIS2 guideline?

In December 2020, the European Parliament proposed a revision of the NIS Directive (NIS2), because it felt that the existing NIS directive was no longer up to date given the digital transformation of society. The new directive is meant to strengthen security requirements. Implementation of and compliance with NIS2 legislation are crucial to ensuring a high level of cybersecurity within Europe.

In brief:

NIS stands for Network and Information Systems, and NIS2 refers to the second version of legislation related to network and information systems.

The NIS2 directive is designed to increase cybersecurity within the EU through more comprehensive and stringent security requirements for various sectors. It encourages better cooperation and information sharing among EU member states to effectively respond to cyber threats. With stronger enforcement measures and increased fines, NIS2 aims to ensure that security protocols are consistently implemented and enforced by relevant European sectors.

Various threats are increasingly straining the security of our society and economy. Consider the war in Ukraine, cyber threats, the effects of climate change and COVID-19.

To strengthen the physical, digital and economic resilience of European member states in the face of these threats, the European Union adopted two directives in late 2022: the Critical Entities Resilience Directive (CER Directive) and the Network and Information Security Directive (NIS2 Directive). You can find more information about these directives on the nctv.com page.

  1. Identification of Essential Services Operators (OES):
    Under this law, certain companies and organizations considered essential are required to implement appropriate security measures.
  2. Digital service providers:
    In addition, digital service providers are also subject to this law and must take measures to prevent and, if necessary, report incidents.
  3. Cooperation among EU member states:
    The Network Information Security Cooperation Group (NITC) facilitates cooperation among member states on cybersecurity breaches.
  4. Reporting requirements:
    Companies covered by these regulations must report serious cyber incidents to national authorities.
  5. Fines:
    In case of non-compliance, significant fines can be imposed on violators of the NIS2 regulation.
  6. Legal framework for cybersecurity:
    Provides a general legal framework for cybersecurity within Europe to ensure a harmonized approach in this area.


What is the difference between NIS2 and the first NIS guideline?

The NIS2 directive is the successor to the first Network and Information Systems (NIS) directive adopted in 2016. Both directives are aimed at strengthening cybersecurity in the EU, but there are some important differences between the two.

  • The first NIS directive focused primarily on the responsibilities of member states for protecting their own networks and information systems. In contrast, the NIS2 directive is aimed at protecting essential services such as energy, transportation, health care and financial services.
  • The NIS2 directive requires mandatory incident reporting for organizations that provide or manage essential services. In the NIS1 guideline, incident reporting is not mandatory.
  • The NIS2 directive also requires organizations that provide or manage essential services to conduct risk identification and assessment to improve the security of their networks and information systems. The NIS1 guideline does not require a specific risk inventory and assessment.
  • The NIS2 directive also requires member states to cooperate in combating cyber threats and report incidents to the European Commission. The NIS1 directive does not require specific cooperation.

In summary, the NIS2 directive ensures that more companies must comply with stricter rules. Furthermore, these companies are required to report incidents. Also, the NIS2 directive requires better cooperation among member states.

Below is a table showing the differences between the NIS directive and the NIS2 directive, row by row:

Scope
  NIS Directive: The original NIS directive focused mainly on operators of essential services in vital sectors such as energy, transportation and finance.
  NIS2 Directive: The scope has been expanded to include both essential and digital service providers, bringing more organizations under this legislation.

Obligations
  NIS Directive: Incident reporting not mandatory; incident reporting requirements only emphasized.
  NIS2 Directive: Incident reporting mandatory for organizations that provide or manage essential services. Introduces more stringent security measures that companies must implement in addition to incident reporting.

Objective
  NIS Directive: Aimed at improving cybersecurity capabilities within vital sectors. No specific risk assessment and evaluation required.
  NIS2 Directive: Goes broader by covering the entire digital economy while seeking maximum harmonization among member states. Risk inventory and assessment required for organizations that provide or manage essential services.

Supervision
  NIS Directive: Gave each member state freedom in compliance, leading to inconsistencies. No specific collaboration required.
  NIS2 Directive: Pursues a more harmonized oversight mechanism to enable more consistent compliance standards within EU member states. Cooperation among member states and reporting of incidents to the European Commission required.

The above table is only a summary of the main differences; it makes sense to consult the NIS2 guidelines themselves for more information.

Other relevant changes brought about by NIS2:

  • The distinction between essential service operators and digital service providers is eliminated. This means that all medium and large entities operating in sectors or providing services covered by the directive are considered providers of essential services;
  • It tightens security requirements by imposing a risk management approach with a list of minimum basic security elements to be applied;
  • The introduction of more precise provisions on incident reporting procedure, content of reports and deadlines. Entities should notify each other and the European Network and Information Security Agency (ENISA) of significant cyber incidents and threats;

In addition, the NIS2 requires national authorities to enforce these rules more strictly. There will be a proactive policy where controls are carried out on a random basis. So the goal of this directive is more than ever to bring and keep cybersecurity at a decent level. When companies and entities do not have their security requirements in order, it is more likely to result in more and higher fines. Fines can amount to at least 10 million euros or 2% of total global sales. The EU hopes the new rules will increase information sharing and cooperation around cyber crisis management across government levels.

The scope of the NIS2 directive

NIS2 extends the scope of the existing NIS directive to various sectors important to the economy and society. About 4,000 institutions will be required to take more measures to manage cybersecurity risks. For example, they must meet stricter security and reporting requirements. All medium and large enterprises will also be required to have tougher security regulations.

To which sectors does the NIS2 legislation apply?

The NIS2 guideline applies to Category 1 and 2. NIS2 divides the various sectors into two categories, with each category encompassing a diverse group of organizations.

Category 1

Category 1 covers critical areas such as energy, transportation, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT services management, government and space. Organizations within this category fall under the NIS2 guideline if they have at least 50 employees and/or reach an annual turnover and/or annual balance sheet total of €10 million.

Category 2

Category 2 includes sectors such as postal and courier services, waste management, chemical manufacturing, production and distribution, food manufacturing, processing and distribution, digital providers and research. Again, the NIS2 guideline applies to organizations that meet the criteria of at least 50 employees and/or an annual turnover and/or annual balance sheet total of €10 million.

The distinction between “significant entities” and “essential entities” is important. Organizations in category 1 with at least 250 employees and/or annual sales of €50 million and/or an annual balance sheet total of €43 million qualify as “essential entities.” Essential entities are subject to stricter supervision and enforcement compared to significant entities.

The expansion of sectors under NIS2 is intended to ensure that all organizations performing critical functions in society are protected from cyber threats. This approach focuses not only on preventing harm to individual organizations but also on ensuring the integrity and functioning of society as a whole. This means that sectors such as food production, waste management and the entire supply chain are now also covered.

If your organization is covered by NIS2, a number of things are going to change for you:

Sectors:

  • Energy
  • Transportation
  • Banking
  • Financial market institutions
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Government Services
  • Space
  • Postal and courier services
  • Waste Management
  • Chemistry
  • Nutrition
  • Industry
  • Digital providers

Changes:

  1. Stricter security requirements: Under NIS2, organizations must implement appropriate security measures and evaluate risks to ensure the security of their network and information systems. This includes reporting obligations in case of incidents.
  2. Cooperation and coordination: The directive encourages cooperation and coordination among member states and relevant authorities to improve the response to cyber incidents.
  3. Fines and enforcement: NIS2 provides for stiffer penalties and fines for organizations that fail to comply with security regulations.
  4. Audit and reporting requirements: Organizations may be subject to audit and reporting requirements to ensure compliance.

It is important to understand that the specific impact of the NIS2 directive on your organization will depend on several factors, including your business operations, the nature of the digital services you offer and the nature of your critical infrastructure. Your organization may have to comply with specific security standards and reporting requirements to be in compliance.

NIS2 and European cyber defense policy

The second generation of the European Network and Information Systems (NIS2) Directive has been in effect since Jan. 16, 2023. It builds on the original 2016 NIS guideline. The goal then was to unify European cyber defense policy for network and information security in order to reduce the impact of cyber incidents.

What is Europe's cyber defense policy?

European cyber defense policy aims to strengthen cybersecurity in the European Union. This includes measures to improve information systems security, incident reporting and response, and cooperation between member states and EU institutions.

An important part of European cyber defense policy is the Network and Information Systems Directive (NIS) and the Network and Information Systems Directive (NIS2). These directives require member states to take appropriate measures to improve the security of their networks and information systems, report incidents and cooperate in combating cyber threats.

In addition, the EU adopted the European Cybersecurity Act in 2019, which aims to strengthen EU cybersecurity through a collaborative approach and establishes a European certification framework for ICT products, processes and services.

The EU has also established the European Cybersecurity Agency (ENISA), which supports member states in developing their national cybersecurity strategies and in implementing the NIS directive. ENISA is also working with the European Commission, member states and the private sector to improve cybersecurity.

Finally, the EU also plays an important role in international cybersecurity cooperation by participating in international organizations and forums such as the G7, G20 and OECD.

The European cyber defense policy aims to strengthen EU cybersecurity through legislation, certification, cooperation among member states and EU institutions, and international cooperation.

NIS2 and the NIB2?

First, the difference between the NIS2 and the NIB2. The NIB2 is the Dutch translation of the NIS2. So whether it’s the “network and information systems directive” or the “network and information security directive,” the content is largely the same. However, while translating the European directive into Dutch law, there is room for interpretation.

Network and Information Systems Security Act (Wbni)

The “Network and Information Systems Security Act” (Wbni) is the Dutch implementation of the first EU directive on the security of network and information systems, known as the NIS Directive. With the advent of NIS2, which is a revised and expanded version of the original NIS directive, the Netherlands will need to revise and update the existing Wbni to meet the new requirements.

The core of NIS2/NIB2

At the heart of NIB2 is the duty of care and the duty to report. We can assume that the core of the directive remains largely the same.

Duty to report: data breaches, ransomware attacks or abuse of vulnerabilities

The reporting requirement will increase cyber resilience. Under the current situation, an organization only has to report a data breach, but not a ransomware attack or abuse of a vulnerability, for example. So this is going to change.

By reporting and sharing information about a cyberattack, companies can more easily learn from each other how to optimize their security.

Depending on the current infrastructure, much may need to be done to comply with the standard that will eventually become law. For example, companies may be required to comply with the ISO 27001 standard. For many companies, this will mean investing heavily. There is talk of a revenue cap that would exempt smaller companies from this, but these organizations would still be at as much risk as before.

Duty of care: monitoring the systems

Organizations to which NIS2 applies may face significant investments to meet their various duties. An important part of the duty of care is monitoring the systems. This is usually done in a security operations center (SOC), but setting one up requires a lot of equipment and, even more troublesome, personnel. For many organizations it will therefore be attractive to outsource this to a party such as NFIR that offers SOC as a service. In this way, an organization can meet the new duty of care without having to set up an entire SOC. In addition, as a cybersecurity expert, NFIR often provides additional services to increase cyber resilience.

It is wise to get started as soon as possible with figuring out what the new law means for your organization: both organizations that fall within the NIS2 guidelines and other organizations may have to make quite a few changes. A first step you should take as a company now is to map out your cybersecurity maturity level and degree of risk management.

Vital sectors

The number of organizations facing cyberattacks has been increasing in recent years; so has the damage and impact of a successful attack. Ensuring the continuity and integrity of some vital sectors is therefore the main idea behind the NIS2 directive.

Make an immediate appointment with an NFIR specialist who knows all the ins and outs of the NIS2 guidelines combined with cybersecurity experience.

  • Do you already have an information security policy?
  • Do employees know what their role is?
  • Do they know how to recognize phishing emails?
  • By getting serious about it now, you will avoid surprises when the law goes into effect.

NIS2 compliance: strategic advice for CISOs

Failure to comply with the NIS directive has legal and strategic implications for organizations. CISOs need to get to work. When companies and entities do not have their security requirements in order, it is more likely to result in more and higher fines. Fines can amount to at least 10 million euros or 2% of total global sales.

Obligations under NIS2

NIS2 imposes several obligations on organizations considered essential service providers or digital service providers. The main obligations arising from NIS2:

  1. Incident reporting requirement:
    Essential service providers and digital service providers are required to report serious security incidents to national authorities.
  2. Security requirements:
    Organizations must comply with specific security measures such as access controls, encryption and monitoring of networks.
  3. Risk assessment and risk management:
    It is required that organizations conduct regular risk assessments and implement an effective risk management process.
  4. Cooperation with national authorities:
    Organizations should cooperate with relevant national authorities in dealing with cyber risks and recovering after incidents.
  5. Supervision by national authority:
    National authorities monitor compliance with NIS2 obligations by essential service providers and digital service providers.
  6. Confidentiality and information sharing:
    There are rules for ensuring confidentiality when sharing information between organizations and government agencies.
  7. Penalties for non-compliance:
    Organizations risk fines or other penalties if they fail to comply with the requirements of NIS2.

The key obligations under NIS2 Risk Management:

  1. Identification of Cybersecurity Risks:
    Organizations need to identify potential internal and external threats that could affect their operational critical systems.
  2. Evaluating Cybersecurity Risks:
    Thorough analysis should be performed to determine the impact and likelihood of risks to critical systems.
  3. Implementation of Security Measures:
    Appropriate technical and organizational measures should be taken to minimize risks and establish incident response plans.
  4. Incident Reporting:
    Reporting of serious incidents to national authorities should be done in a timely manner according to the required procedures.
  5. Collaboration with Other Actors:
    Collaboration with other essential services, government agencies or CERTs is crucial in establishing coordinated response mechanisms.
  6. Continuous Monitoring and Update:
    Regular monitoring, evaluation and updating of security measures are necessary to adapt to new threats.

Under the NIS2 legislation (NIS Directive 2016/1148), organizations are required to report incidents related to their network and information systems. These notification requirements aim to strengthen cybersecurity in Europe and ensure the resilience of essential services and digital infrastructure. The obligations under NIS2 Incident Reporting are a critical aspect of cybersecurity management for organizations providing essential or digital services. Timely and accurate response to incidents can limit potential damage and improve the safety level of systems in line with European directives.

Incident reporting responsibilities:

  1. Notifiable Entities:
    Organizations classified as an essential services provider or digital services provider are subject to the notification requirements under NIS2.
  2. Incident definition:
    An incident under NIS2 can range from a data breach to a cyber-attack that affects the availability, integrity or confidentiality of systems.
  3. Reporting process:
    When an incident occurs, reporting entities must immediately report it to the competent authorities as established by national legislation.
  4. Information in Notification:
    The report should include relevant information about the incident, potential impact, actions taken and any risks to other parties.
  5. Timelines:
    There may be specific time limits for submitting a report after discovery of an incident.

The obligations under NIS2 regarding information sharing are an important aspect within the broader framework of cybersecurity regulations in Europe, aimed at increasing resilience against cyber attacks and ensuring that critical infrastructures are digitally protected.

Obligations under NIS2 information sharing include:
  1. Identification of essential service providers: Under NIS2, specific entities are identified as essential service providers, such as providers of energy, transportation, banking, healthcare and digital infrastructure. These entities must be identified according to criteria established by the member states.

  2. Appropriate technical and organizational measures: Essential service providers must implement appropriate technical and organizational measures to manage risks to their network and information systems. This may include conducting risk assessments, developing security policies and conducting regular reviews.

  3. Incident reporting: In the event of a serious cyber incident, essential service providers must immediately report the incident to the appropriate national authorities or Computer Security Incident Response Teams (CSIRTs). These reports are crucial for coordinating responses to cyber threats.

  4. Collaboration with other actors: Essential service providers are encouraged to collaborate with relevant government agencies, certification bodies, regulatory authorities and other actors in the cybersecurity domain to share best practices and develop joint incident response plans.

  5. Periodic review and reporting: Essential service providers are required to periodically review their compliance with cybersecurity requirements and report to the national authority in charge of enforcement.

Strategic dilemmas

From a CISO’s perspective, there are several complex strategic dilemmas on the table when communicating with executives. Some examples include:

  • Cost of compliance: The NIS Directive requires organizations to take certain technical and organizational measures to ensure the security of their network and information systems. Implementing and enforcing these measures can be costly, and the CISO will need to properly justify the costs and benefits of compliance.
  • Impact on business operations: The CISO may need to work with administrators to determine the potential impact on business operations and develop a plan to address any disruptions.
  • Risk assessment: The CISO should help administrators understand the risks associated with different types of threats and identify the most effective measures to mitigate those risks.
  • Communication with stakeholders: The CISO will need to work with administrators to establish a plan for communicating with stakeholders about incidents that may affect them.

Potential implications for the CISO or affected board member

Non-compliance with the NIS directive can lead to fines and other penalties. The exact consequences for a CISO or board member who knowingly fails to comply with the directive depend on specific provisions and the national law of the member state where the company is located.

In general, the NIS Directive requires member states to establish sanctions for non-compliance that are “effective, proportionate and dissuasive.” These penalties may include fines, corrective action orders or other measures. The NIS directive also provides for the possibility of “joint and several liability” for organizations guilty of “gross negligence or willful misconduct” with respect to the security of their network and information systems.

In addition to the potential legal consequences, non-compliance with the NIS Directive can also negatively impact an organization’s reputation and credibility by showing that it does not take cybersecurity seriously and is not committed to protecting the security and privacy of its customers’ information. Non-compliance with the NIS guideline can also expose an organization to legal action from customers, regulators or other stakeholders.

Advice for CISOs

  • 1. Familiarize yourself with the requirements of the NIS2 directive

    The NIS2 directive applies to “operators of essential services” and “digital service providers”, and to companies that offer online marketplaces, online search engines and cloud computing services. It is important that you understand the specific requirements of the NIS2 directive and know how they apply to your organization.

  • 2. Assess your current security

    It is important to gain insight into the current state of your network and information systems (NIS) security and to identify any areas that need improvement. This can help you prioritize your efforts and focus first on the most important areas.

  • 3. Develop a compliance plan

    Once you have assessed your current security posture, you can develop a plan to bring your company into compliance with the NIS directive. This may mean taking new security measures, updating existing measures or establishing new policies and procedures.

  • 4. Consult with relevant stakeholders

    Compliance with the NIS2 directive may require the involvement of various stakeholders, including employees, customers and regulatory bodies. It is important to work with these stakeholders and to ensure that they are aware of the requirements of the NIS directive and its possible consequences for them.

  • 5. Monitor and evaluate your compliance efforts

    Compliance with the NIS2 directive is a continuous process. It is important that you regularly monitor and evaluate your efforts to comply with the NIS2 directive in order to determine where additional effort is needed.


How can NFIR help you with NIS2?

Pentesting

The NIS2 directive requires organizations to conduct risk assessments to identify vulnerabilities. Identifying these risks can be done by performing a pen test or penetration test. Penetration testing is designed to assess the security of network and information systems. This is done by performing controlled attacks and vulnerability scans. The tests help identify security weaknesses that can be exploited by malicious actors. NFIR offers pen testing that can help you with this.

Security Monitoring

The NIS2 directive requires that organizations take appropriate measures for network and information system security, and network monitoring can be an essential part of these measures. The purpose of network monitoring is to detect potential threats and security breaches to network and information systems and respond to suspicious activity in real time. In a number of areas, NFIR security monitoring can support you in complying with NIS2:

  1. Incident detection: Indeed, organizations must be able to detect suspicious activity, intrusion attempts, malware, and other potential security incidents in their networks and systems.
  2. Real-time monitoring: It is important to continuously monitor networks and systems to immediately respond to threats. This can include receiving real-time alerts and initiating automatic responses.
  3. Logging: It is important to keep logs of network activity and security events, as these can help investigate incidents and demonstrate security compliance.

Network monitoring is an important element of the overall security measures needed to comply with the NIS2 directive. NFIR can help your organization identify and mitigate risks, minimize damage in security incidents and meet the reporting requirements set forth in the directive.

Consultancy and Incident Response

In addition to additional information about the NIS2, NFIR can assist you in creating an incident response plan. Within NIS2, it is required to respond quickly and effectively to security incidents as they occur. This includes isolating affected systems, analyzing the incident and taking corrective action. NFIR can also assist you with an incident through Incident Response or Digital Forensics.


Pentests

Our certified ethical hackers identify vulnerabilities in your IT infrastructure, web application, mobile application, API, or OT environment. NFIR is in possession of the CCV pentest quality mark.


Security Monitoring

Security Engineers from our Security Operations Center monitor 24/7/365 all IT and OT log sources of your digital infrastructure for suspicious cyber threats.


Incident Response

Are you facing unexpected events in your digital infrastructure or are you a victim of a cyber attack? Our Computer Emergency Response Teams take immediate action and provide adequate assistance!


Security Awareness

Invest in employees' awareness of information security threats. We offer various services to improve Security Awareness.


Want to learn more about NFIR's services and how we can help you with your cybersecurity needs? If so, please feel free to contact us. Our team of experts is ready to provide you with the information and support you need.


SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because rapid response can limit damage, prevent further spread of the attack and secure essential evidence for investigation and recovery.

Our Computer Emergency Response Teams (CERT) are available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?