Late last year, the EU Parliament formally adopted a new Directive, NIS2, updating and superseding the existing NIS Directive which helped the organisations responsible for Europe’s critical national infrastructure to better understand, manage, and reduce their cybersecurity risk. NIS2 expanded the industries covered (broadening the concept of critical infrastructure to include telecoms, social media, and local government alongside utilities, digital infrastructure, banks, and healthcare), but it still fundamentally aims to strengthen cybersecurity requirements. It is estimated that about 160,000 organisations will be required to comply, grouped as either Essential or Important, with compliance requirements differing between categories.
So what do we need to know? Firstly, it is important to note that NIS2 is an EU Directive, not currently legislation in any member states and so while it “came into force” in January 2023, the deadline that organisations will need to watch for is 17th October 2024—because that is the deadline for national legislatures to turn the Directive into enforceable national laws. As we approach that date we will all have a clearer idea of how the relatively high level guidelines will be translated into legal requirements that we all need to follow. At this point, the Directive is high-level and still open to interpretation—deliberately so, because the more specific it is, the quicker it would become outdated.
What is included?
NIS2 comprises a number of areas where organisations will be required to implement security measures and achieve baseline standards. These areas are:
- Risk analysis
- Information system security policies
- Incident response (prevention and detection of a response to incidents)
- Business continuity and crisis management
- Supply chain security
- Assessment of effectiveness of risk management measures
- Vulnerability disclosure
Within these categories we see some detail about the requirement to report incidents, train management teams in cyber risk, and allow on-site inspections. There is also inclusion of non-compulsory recommendations around user training, and some less stringent allowances for organisations in the Important group.
Looking at this list you can see why we are already having conversations with customers and prospects about NIS2—there’s plenty in here that we can help with, even ahead of national lawmakers adding in much more specific details.
As is the custom with EU initiatives, this one shows its teeth through administrative fines of up to €10 million or 2% of the entity’s total turnover worldwide, whichever is higher, for “Essential Entities” (and there is a slightly lower fine too—€7 million or 1.4% global turnover for “Important Entitles”). These would be additional to any fines that may be applied due to a single incident also falling foul of GDPR rules.
Points to note
While we wait for this national legislation to see how the Directive is interpreted into law within the member states, we wanted to pick out a few things that are worth noting already.
1. Collaboration is at the core of NIS2
NIS2 has a strong focus on collaboration. We see this in the establishment of one of the best acronyms we have seen for a while: the EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe). This body is intended to facilitate coordinated management of EU-wide incidents. Other ways to improve collaboration can be found in the measures aimed at increasing the level of trust and information sharing between competent authorities.
2. Supply chain security is a priority
An understanding of the interdependent nature of cyber defence is also evident in the emphasis that NIS2 gives to more stringent rules on supply chain security. This is a hugely welcome focus within the directive and will require clever implementation to ensure we extract the most value from the intentions outlined. Auditing, monitoring, and acting upon supply chain risk is not straightforward and we hope to see some creativity from the industry in suggesting workable ways to collaborate on this issue. The aim must be to drive efficiency in the interests of productivity while avoiding debilitating bureaucratic processes. We need better security, not more paperwork.
3. Basic hygiene provides for robust preparation
The standards set in the Directive are nothing new for organisations—although their agreement as enforceable baseline standards is. They are things that should all be on the priority list for any organisation already. However there is definitely value in pointing out that some of the things we do today as basic hygiene can benefit from improvement. Cybersecurity and risk awareness training, for instance, is something that is an annual tick-box requirement already for many organisations (not least as a requirement for most cyber insurance policies). But we are hoping that NIS2 opens discussion as to the effectiveness of some of the ways we conventionally do things, for instance in this case we would like to see the industry place a greater emphasis on “just-in-time” training to help employees better assess risk at the point of its appearance. The ultimate goal is to change behaviour and break old habits, this is not achieved by a yearly 30 min training video.
A summary on any discussion around NIS2 at the moment can only really be “watch this space”. So much is going to be determined by the national governments of Europe (EEA) as they legislate on the matter over the coming 18 months. For information professionals (in particular governance, risk, and compliance (GRC)) now is the time to start to plan. The Directive gives a useful cheat sheet for best practices which can already be used to help prioritise initiatives that genuinely improve security posture, and rationalise those that are outdated or even hinder efforts.