On 16 January 2023 the NIS 2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) came into force. NIS 2 is a continuation, expansion and replacement of the original cybersecurity directive, NIS 1 (Directive (EU) 2016/1148). NIS 2 aims to future-proof NIS 1 in light of the rapidly evolving cyber threat landscape and increasing reliance on digital technology. It achieves this goal by imposing obligations on Member States (MSs) to regulate organisations in key sectors, ensuring critical and important infrastructure is resilient in the face of cyber threats.
MSs have until 17 October 2024 to transpose the directive into law, after which organisations falling under the remit of NIS 2 will face significant penalties for non-compliance. Service providers in these areas will need to ensure they embed appropriate and proportionate information security controls to comply. This article highlights some of the key provisions of the directive and provides guidance on what steps in-scope organisations should be taking to meet its requirements.
Classifying In-Scope Organisations
NIS 2 has increased the range of organisations that will come under its remit. Instead of the terms used by NIS 1 (‘Operators of Essential Services’ and ‘Digital Service Providers’), NIS 2 applies to what it refers to as Important Entities (IEs) and Essential Entities (EEs). These categories apply to both private and public bodies.
Essential Entities (EEs) include any organisations:
Within the sectors of energy, transport, public administration, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management and space, and that meet or exceed the criteria of ‘medium sized enterprises’.
Important Entities (IEs) include any organisations:
Within the sectors of food, chemicals, postal services, waste management, research, manufacturing and digital service provision, and that meet or exceed the criteria of ‘medium sized enterprises’.
The term ‘medium sized enterprise’ is borrowed from Recommendation 2003/361/EC (Article 2 of the Annex). For an organisation to come under this category, it must employ over 50 personnel or have an annual turnover or balance sheet exceeding EUR 10 million. There are some exceptions for essential service providers, which will be in scope regardless of their size.
NIS 2 Key Requirements and Approach
Under NIS 2, MSs must ensure that IEs and EEs take appropriate and proportionate measures to manage the risks posed to their information security. The Directive calls for a risk-based approach, with MSs needing to give consideration to an entity’s size, degree of exposure to risk, as well as the likelihood, severity and impact of any potential risk events. Additionally, the directive promotes an ‘all hazards’ approach, which encompasses protections against various types of threats, spanning network and information systems security, as well as physical and environmental security measures.
The Directive stipulates the following requirements for IE/EEs as a minimum:
- Risk management and information security policies
- Incident handling
- Business continuity, disaster recovery and crisis management
- Supply chain security and systems lifecycle security
- Policies and procedures for cryptography
- Basic cyber hygiene practices and cybersecurity training
- Measures to assess the effectiveness of cybersecurity risk-management
- HR security, access control policies and asset management
- Authentication and secure communication
The bigger picture: Whilst this article has focused on the requirements for IEs and EEs, NIS 2 also imposes new, far-reaching obligations on MSs, EU cybersecurity bodies and pivotal tech providers. These include obligations to ensure Union-level coordination on critical supply chain risks, information-sharing obligations for pivotal tech service providers, and the establishment of a Cooperation Group to coordinate and exchange information.
NIS 2 Non-Compliance Penalties and Fines
Whilst NIS 1 left penalties to the discretion of MSs to determine, NIS 2 sets out specific penalties in the following forms:
- Non-monetary remedies: To include compliance orders, binding instructions, security audit implementation orders and threat notification orders (requiring communication with customers).
- Criminal Penalties: To be determined by MSs.
- Administrative fines: To include a maximum fine level of €10 million or 2% of the global annual revenue (whichever is higher) for EEs and a maximum of €7 million or 1.4% of the global annual revenue (whichever is higher) for IEs. NIS 2 also dictates for which breaches fines should be applied.
What steps should in-scope organisations be taking to comply:
Whilst NIS 2 is yet to be transposed into national law by MSs, organisations that will be considered IEs/EEs would be wise to take steps now to identify and address any gaps ahead of the October 2024 deadline. Below are some of the core steps to take for compliance:
- Essential asset inventory and impact assessment: Conduct a full inventory to identify all business processes and technology that are relied upon for the provision of essential services and conduct business impact assessments.
- Third-party service controls and SLAs: Ensure appropriate controls and SLAs are in place with any third parties that these essential services are dependent on.
- Cyber incident and continuity policies: Develop and maintain policies to cover cyber incident response, business continuity and disaster recovery. Ensure that these policies are appropriately communicated, reviewed and tested.
- Essential IT Security policies: Ensure that policies are in place covering logical access controls, change management, systems development and lifecycle, patching, asset management and physical security.
- Vulnerability risk assessment and mitigation: Conduct risk assessments for all known vulnerabilities/risks (for example reliance on End of Service Life Software). Ensure that these risks are mitigated and monitored.
- Information security training and awareness: Ensure all staff undertake periodic training on information security and are kept informed of relevant threats.
- Essential technical controls: Ensure sufficient technical controls are in place (for example: all endpoints have malware protection in place, backups and patches are being conducted regularly, appropriate mail filtering is in place, network traffic logs are routinely monitored).
At Trilateral Research our Data Protection and Cyber-risk Team is able to provide comprehensive cybersecurity services to organisations. Our cybersecurity services include Gap Analyses, Risk Management and Mitigation Services, Security Awareness Training, Vulnerability Scanning, Penetration Testing, Policy Development and Testing, and Compliance Support. For more information on how Trilateral can assist with improving your organisation’s cybersecurity posture, please feel free to contact our advisers.