Strengthening EU-wide cybersecurity and resilience
The Network and Information Security Directive (NIS 2, formally Directive (EU) 2022/2555) aims to raise the level of cybersecurity of organizations operating in the EU. The directive rests on three main pillars that support organizations and Member States in strengthening cybersecurity risk management, improving incident reporting and facilitating cross-border cooperation on cyber threats and responses.
The European Court of Auditors published a briefing paper in 2019 that identified 10 challenges the EU faces in building an effective cybersecurity policy. One of these challenges was gaps in EU law and its uneven transposition by Member States. NIS 2 addresses some of the gaps in NIS 1 by replacing it with a more prescriptive directive.
NIS 2 improves on the previous NIS Directive by raising the bar for critical infrastructure protection in EU countries, expanding the number of sectors in scope, and defining fines for non-compliance.
The three pillars of the NIS 2 Directive
Cybersecurity Risk Management
Organizations are required to implement comprehensive risk management measures. This includes conducting regular risk assessments, implementing appropriate security policies, and ensuring that both technical and organizational measures are in place to manage and mitigate potential cybersecurity threats. The aim is to create a proactive approach to cybersecurity, where risks are identified and addressed before they can cause significant harm.
Incident Reporting
Timely and accurate reporting of cybersecurity incidents is crucial under NIS 2. Entities must report significant incidents to relevant authorities promptly, ensuring that responses can be coordinated effectively at both national and EU levels. This pillar emphasizes transparency and accountability, helping to mitigate the impact of cyber incidents and fostering a culture of vigilance and preparedness.
Information Sharing
The directive encourages enhanced information sharing between public and private sectors, as well as among different organizations within the same sector. By sharing threat intelligence, best practices, and lessons learned from past incidents, organizations can build a collective defense against cyber threats. This collaborative approach aims to improve overall resilience and create a more informed and connected cybersecurity community.
The power of a directive in the EU
There are several types of legislative acts in the EU, and the distinctions are important to understand how they are applied and enforced.
NIS 2 is an EU directive adopted by the European Parliament and Council in November 2022 and applies to organizations operating in Europe.
Within the EU, a ‘directive’ is a legislative act that “sets out a goal that EU countries must achieve.” This is done through the process of transposition, which is a “process of incorporating EU directives into the national laws of EU Member States”.
Unlike a regulation, a directive is not directly applicable in all Member States. Rather it requires each Member State to adopt the measures of the directive into national law by a given deadline. For NIS 2, the deadline to transpose the Directive is October 17, 2024.
The process of transposition is monitored by the European Commission. The Commission will confirm that each Member State has met the required deadline for implementing the new directive into national law and that the text of the new national legislation meets the objectives of the directive.
If a Member State misses the transposition deadline, the Commission can open infringement proceedings against it. These can end before the Court of Justice of the EU, which can impose financial penalties on the Member State.
At the same time as governments across Europe are drawing up new legislation, companies operating in Europe in sectors that fall under the ‘essential’ or ‘important’ categories under the NIS 2 Directive are preparing to meet compliance requirements based on the text of the Directive.
Regulatory compliance is only the first step to digital operational resilience
C-Risk can help you effectively communicate the financial and operational impact of cyber risks, ensuring strategic resource allocation that aligns with your business objectives.
NIS 1 vs NIS 2: What’s changed?
- Extended scope of application
- New sector categories
- Member States can bring an entity into scope regardless of its size
- Introduction of proportionality
- Incident reporting timeline specified
- Administrative fines defined for non-compliance
New sectors, entities and exceptions
Because the scope now covers many more sectors, a size threshold (the "size-cap rule") has been introduced to decide which entities in those sectors are essential and which are important. As a result, all medium and large-sized enterprises in the listed sectors are in scope. The Directive also allows Member States to bring smaller entities with a high risk profile under its terms, for example a sole provider of a service that is critical to society or the economy.
Entity categories in scope for NIS 2
In general, an organization qualifies as an essential entity if it operates in one of the sectors listed in Annex I of Directive (EU) 2022/2555 and is a large enterprise: at least 250 employees, or an annual turnover exceeding EUR 50 million and a balance sheet total exceeding EUR 43 million.
Some entity types are essential regardless of size: qualified trust service providers, DNS service providers and top-level domain name registries, and central government public administration entities. Entities identified as critical under the Critical Entities Resilience Directive (EU) 2022/2557 are also essential, as are any other entities a Member State designates as essential when transposing the directive into national law.
Important entities are entities of a type listed in Annex I or Annex II of Directive (EU) 2022/2555 that do not qualify as essential. In practice this covers medium-sized enterprises in Annex I sectors and both medium and large enterprises in Annex II sectors. A medium-sized enterprise has between 50 and 249 employees, or an annual turnover and balance sheet total above EUR 10 million, while staying below the large-enterprise ceilings. Small and microenterprises are generally out of scope unless a Member State identifies them as in scope, for example because of their importance at national or regional level, or because they belong to a type that is covered regardless of size.
Incident reporting requirements
Under NIS 2, both essential and important entities must notify significant incidents to their national CSIRT or competent authority. A significant incident is one that has caused or is capable of causing severe operational disruption or financial loss for the entity, or considerable material or non-material damage to other persons or entities. Under NIS 1, only operators of essential services were required to notify, without undue delay, incidents with a significant impact on the continuity of essential services. NIS 2 sets a staged timeline for reporting significant incidents:
- Early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Final report no later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact
An intermediate status report may also be requested by the CSIRT or competent authority at any point in between.
Administrative fines and penalties for non-compliance
NIS 2 sets maximum administrative fines for infringements: for essential entities, at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Member States can also impose periodic penalty payments to compel an entity to cease an infringement, and competent authorities can temporarily suspend certifications or authorisations of essential entities and temporarily ban individuals with management responsibilities from exercising those functions. Management bodies can be held liable for non-compliance with the risk management obligations, and natural persons responsible for or representing an entity can be held personally liable.
Prepare for NIS 2 compliance
NIS 2 outlines the measures that must be taken to manage cyber risk (Article 21) and the requirements for defining and reporting significant incidents (Article 23). The risk management measures include policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, secure acquisition and development of systems, procedures to assess the effectiveness of controls, cyber hygiene and training, the use of cryptography, human resources security and access control, and multi-factor or continuous authentication where appropriate.
- Do you have a cybersecurity risk management policy?
- Have you identified your critical digital assets?
- Could you quickly report the impact of a significant cyber event?
- How do you document and communicate cyber risk?
- Have you identified your third-party risks?
A data-driven cyber risk management strategy can help respond effectively to these questions.
One of the first steps an organization can take to prepare for NIS 2 is to audit its cybersecurity program against the Article 21 measures and the Article 23 reporting obligations, to identify gaps where risk identification, analysis and incident reporting can be improved. It can then develop a plan to close these gaps so that, once NIS 2 is transposed into national law, it can fully comply with the requirements.
By using quantitative data to assess cybersecurity risk, an organization can meet compliance requirements, but also better prioritize security controls that align with business objectives.
C-Risk can help you address new compliance requirements introduced under NIS 2. For more information schedule a 30-minute call with one of our cybersecurity and risk management experts to discuss your challenges.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.