What is the NIS 2 Directive? A European Approach to Cybersecurity
Published 08/30/2024
Originally published by Schellman.
As technology continues to evolve and embed itself more into society, regulations to govern its use and protect consumers are struggling to keep up in parts of the world. But not so in the European Union (EU), where they’ve recently made progress on a wave of new cyber legislation—among those is the NIS 2 Directive.
Otherwise known as the Network and Information Systems Directive 2, this decree is the successor to 2016’s NIS Directive—which is now known as NIS 1—and outlines an EU-wide approach to cybersecurity. As Member States must adopt and publish the measures necessary to comply with NIS 2 by October 17, 2024, it’s important to grasp what’s changed in the update to the directive and that’s where we can help.
In this article, we’ll break down what’s different in the NIS 2 relative to NIS 1, why it’s important to comply, and how you can get started in achieving compliance.
What are the Differences Between NIS 1 and NIS 2?
Given that NIS 2's primary goal is to enhance the resilience of EU critical infrastructure and digital service providers against cyber threats, several updates had to be made relative to the original NIS 1.
We’ve outlined five key takeaways as follows:
1. New, Wider Scope of Coverage
Before understanding anything else, it’s important to understand who is subject to the directive’s mandates, particularly because NIS 2 has expanded its scope beyond that of NIS 1 to include more sectors and entities. These included organizations are classified as either Essential or Important:
| Essential Entities | Important Entities |
| --- | --- |
| Though there’s variance based on sector, Essential Entities are generally those that have: | Though there’s variance based on sector, Important Entities are generally those that have: |
| Includes the following sectors: | Includes all the sectors listed under “Essential Entities” and within the size threshold for “important entities” PLUS the following: |
2. Enhanced Risk Management and Cybersecurity Requirements
NIS 2 now requires that Essential and Important Entities conduct regular risk assessments and adopt appropriate risk management practices to prevent and minimize the impact of cyber incidents.
Not only that, but the directive also sets out new and specific security measures and capabilities that entities must implement to safeguard their network and information systems, which include the use of:
- Multi-factor authentication (MFA) or continuous authentication solutions;
- Encryption;
- Logging; and
- Incident detection and response mechanisms.
3. Improved Incident Reporting and Cooperation
To facilitate the timely responses of coordinated collective actions in mitigating the effects of cyber threats, entities are also now required to report significant cyber incidents to national competent authorities promptly.
In a circling of the wagons of sorts, NIS 2 also further promotes collaboration among member states through the establishment of national authorities and a NIS Cooperation Group to facilitate information sharing, best practices exchange, and joint responses to cross-border cyber incidents.
4. Heightened Focus on Business Continuity and Resilience
Through these new mandates for more advanced and robust cybersecurity measures, as well as the new obligations regarding incident reporting, it’s clear that the NIS 2 Directive aims not just to minimize disruptions caused by cyber incidents at their points of origin, but also to limit their ripple effects, since these new measures help maintain the continuity of essential services.
5. Promoted Culture of Cybersecurity
In a similar vein, the new NIS 2 Directive also appears to be encouraging a proactive approach to cybersecurity across industries and sectors—by setting clear requirements and promoting best practices, the EU wants to foster a sweeping standard across the Union that sees cybersecurity prioritized and integrated into business operations.
As part of this initiative and to help promote a top-down approach to information security, NIS 2 mandates regular security awareness training for management and encourages organizations to train all employees as well.
What are the Penalties for Noncompliance with the NIS 2 Directive?
While the NIS 2 requirements for compliance are the same for both Essential and Important Entities, the supervision and penalties vary between the two:
- Essential Entities:
- Penalties for non-compliance can amount to €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year—whichever amount is higher.
- Important Entities:
- Penalties for non-compliance can amount to €7,000,000 or 1.4% of the total annual worldwide turnover in the previous fiscal year—whichever amount is higher.
5 Helpful Steps in Achieving NIS 2 Compliance
Although the deadline for compliance is in October 2024, organizations required to comply with the NIS 2 Directive should begin assessing where they stand against the requirements now, so that they can implement the necessary controls and have the appropriate safeguards in place in time.
To help point you in the right direction, here are 5 basic steps you can take to get started in your compliance with the NIS 2 Directive.
1. Understand the Scope and Requirements
First, you’ll need to determine whether your organization falls under the classification of an Essential or Important Entity.
Once you clarify that, you can then study any incident reporting obligations or compliance requirements outlined in the NIS 2 Directive that are relevant to your sector and operations as you plan your next moves.
2. Conduct a Risk Assessment
Given the new emphasis on continuity and minimizing greater disruption, don’t just perform a basic risk assessment—use the results to then identify and prioritize the following elements that could impact your delivery of essential services or digital services:
- Critical network and information systems;
- Potential vulnerabilities; and
- Cyber, legal, and regulatory risks.
3. Implement Robust Controls
As we mentioned previously, NIS 2 has new requirements for technical and organizational measures so you’ll need to deploy and maintain:
- Access controls and MFA;
- Encryption;
- Supply chain security;
- Intrusion detection systems; and
- Incident response plans.
You’ll also need to ensure policies, procedures, and controls are documented and aligned with the NIS 2 requirements.
4. Establish Incident Response Capabilities
In complying with the new incident response focus, you’ll need to develop and implement an incident response plan that includes procedures for detecting, understanding, reporting, and mitigating cybersecurity incidents promptly.
Ensuring management is aware of your plan and their role is not only important—given that they’re responsible for approving organizational cybersecurity risk-management measures, overseeing their implementation, and can be held liable for any related infringements—but it’s also mandatory.
That being said, you should also train all personnel on cybersecurity protocols, incident response procedures, and their roles and responsibilities.
5. Ensure Compliance and Continuous Improvement
Even when you believe your organization has made all the necessary implementations, you should continue to regularly monitor your compliance with the NIS 2 requirements and subsequent amendments through audits, assessments, and internal reviews. Document your findings and take corrective actions as necessary.
For the peace of mind that comes with external validation of your efforts and the confirmation of your compliance, consider engaging with an independent audit firm for an assessment of your organization’s cybersecurity posture against the NIS 2 requirements.
Other Cybersecurity Regulation Considerations in the EU
In its efforts to establish a unified approach to cybersecurity across the EU and enhance trust in the digital economy, the NIS 2 Directive requires a high level of cybersecurity preparedness, response capabilities, and cooperation among Member States, and it ensures the protection of critical infrastructure and services.