On December 14, 2022, the European Parliament and the Council of the European Union approved the directive known as NIS2 (Network and Information Security) whose title, as published in the Official Journal of the European Union, makes clear its intention: on measures for a high common level of cybersecurity across the Union. The NIS2 objectives are to strengthen cybersecurity, integrating it into the basic functioning of public and private organizations and creating a united front among Member States.
The idea of the commission in charge of drafting it was to improve and strengthen the objectives of the first NIS directive of 2016, the first cybersecurity law of the European Union, correcting its deficiencies and bringing it up to date with the current context. The key points that justified this revision of the NIS were:
- Companies showed insufficient cybersecurity resilience.
- Insufficient homogenization between Member States and between business-industrial sectors and lack of a common strategy.
- Insufficient understanding of the scope of the challenges and threats.
Furthermore, the COVID-19 crisis accelerated the digital transformation of society and made clear the weaknesses caused by the dependence on digital solutions, as well as the close interdependence between the different agents in the internal market. This crisis was framed as a catalyst that prompted the European legislative bodies to update the NIS1.
The NIS2 directive sets out its basic objective of strengthening the global level of cybersecurity in the Union based on the three fundamental pillars of the NIS1, namely:
1- Requirement for Member States to create a national cybersecurity strategy, as well as to designate national computer security incident response teams (CSIRTs), a competent national cybersecurity authority and a single point of contact.
2- Creation of a cooperation group aimed at exchanging information between Member States.
3- Adoption of cybersecurity measures in critical sectors for the economy and society, highly dependent on information technologies: energy, transportation, banking, finance, sanitary water, healthcare and digital infrastructures.
Member States must have the contents of the NIS2 directive merged and adapted into their legal systems by October 17, 2024.
Changes in NIS2
Critical infrastructures
The distinction made in the previous directive between essential services and digital service providers is refocused in favor of a classification based on relevance: essential entities and important entities. Although the requirements for both will be the same, they will differ mainly, but not only, in the supervisory measures: essential entities will always have to comply with them, while important entities will only do so in the event that the authorities receive evidence of non-compliance.
The sectors considered to be of high criticality already included in the previous directive, namely energy, transport, banking, finance, water, health, digital infrastructures, have been joined by the following:
- Public administration.
- Space.
- Sewage water.
- Digital service providers.
- Postal and courier services.
- Waste management.
- Manufacturing, production and distribution of chemical substances and mixtures.
- Production, transformation and distribution of food.
- Manufacturing.
- Research.
Member States have some room to decide which category each of the sectors falls into, as well as to decide whether a small company, in principle outside the scope of the directive, should also adapt if its field of business falls into one of these categories.
Cooperation between States
With the aim of improving cooperation between Member States, the European Agency for Cybersecurity (ENISA) will create a database of vulnerabilities in which all entities, whether or not they fall under the umbrella of this directive, can contribute voluntarily.
Incident report
Incident reporting will continue to be done through the single point of contact designated and coordinated by a CSIRT (or competent authority). What the new NIS2 directive has updated are the time frames: 24 hours for early communication, 72 hours for complete notification of the incident assessing its severity and scope, and one month for sending the final report.
In addition, the CSIRT (or competent authority) will have to send an anonymized list of incidents on a quarterly basis.
Supply chains
The NIS2 also focuses on supply chains, where clients subject to the directive are often put in contact with suppliers outside their reach. As the strength of a chain is that of its weakest link, the directive will determine that in this case the client must demand a certain standard in terms of cybersecurity from its supplier.
Management accountability
Another novelty in the new directive is that the accountability of company management is required. This entails risk assessments, incident action plans, internal cybersecurity training, etc., all of which are mandatory.
Sanctions
The amounts of administrative sanctions for non-compliance with the measures included in the directive are readjusted, with maximum fines of 10 million euros (or 2% of annual revenue) for essential entities and 7 million euros (or 1.4% of annual revenue) for important entities. In addition, the possibility of filing criminal charges against the management of organizations is contemplated in case of severe negligence in the face of a cyber attack.
How to prepare for the arrival of NIS2?
The text of the directive, with 144 recitals and 46 articles, is dense and very technical reading in which a person not familiar with legal jargon will have a hard time finding their footing. As we have seen, it affects key aspects of the day-to-day life of the companies to which it will be applied. Although the main focus will be on large companies with some financial muscle, which usually already have departments dedicated exclusively to legal issues, we have also noted that the determining factor in having to comply with the requirements of the directive is the nature of the work performed.
Furthermore, this directive is part of a broader series of legal transformations promoted by the Union, all related to the computer security space, such as the Cyber Resilience Act (CRA) or the Digital Operational Resilience Act (DORA), among others.
Given this, the question of how to prepare for the arrival of NIS2 is perfectly justified. Below we detail some key points to keep in mind:
Anticipation
These processes are slow, and at the same time they tend to sink to the bottom of the priority pile. It may be beneficial to view these changes as positive, since they will all help strengthen the entity even in the absence of legal imperatives.
Risk management system
Organizations will have to study their own processes and structures to identify the risks present, as well as establish protocols for action and definition of responsibilities.
Cybersecurity as corporate culture
Despite how difficult this step is, it must be promoted at all levels within the organization until it is perfectly integrated into the day-to-day life of the organization. All members have to have a minimum knowledge of good practices, common attacks, what to watch for and how to protect themselves.
Seek professional assistance
The safest way to follow this path towards compliance with the contents of the NIS2 directive is to do so supported by a team of experts in the field, aware of the limitations that companies face in these situations, and who can adapt to the particular needs of each case.
In summary, the European Union directive NIS2 proposes the creation of a common and robust front against cyber threats, always on the rise and always evolving. Although they will not become law until the end of 2024, the changes that entities in essential and important sectors will have to make are far-reaching, so the first steps should already be in process or, at least, on their agendas.