NIS2
Purpose: The directive aims to enhance cybersecurity across the EU by establishing a high common level of cybersecurity measures and cooperation among Member States.
Scope: The directive applies to a wide range of sectors and services, including digital infrastructure, energy, transport, health, and public administration, among others.
Implementation: Member States are required to establish national strategies, designate competent authorities, and ensure cooperation at both national and EU levels.
The NIS2 Directive (Directive (EU) 2022/2555) is the successor to the original NIS Directive (Directive (EU) 2016/1148 on security of network and information systems), enacted by the European Union (EU) to strengthen the cybersecurity of critical infrastructure and essential services. It entered into force on 16 January 2023 and had to be transposed into national law by 17 October 2024. NIS2 reflects the increasing complexity of cyber threats and seeks to create a more robust and more uniformly applied cybersecurity framework across the EU. It applies to both public and private entities that are deemed essential or important to the economy and society.
Key Features of NIS2
Expanded Scope
NIS2 significantly expands the scope of the original NIS Directive. Instead of relying on each Member State to identify operators one by one, it applies by default (Article 2) to all medium-sized and large entities, roughly those with at least 50 employees or an annual turnover or balance sheet above EUR 10 million, that operate in the listed sectors, and it covers certain providers, such as DNS service providers and TLD name registries, regardless of their size. The covered sectors include:
Energy (electricity, oil, gas)
Transport (air, rail, water, and road transport)
Banking
Financial market infrastructures
Health (including hospitals, laboratories, and pharmaceutical companies)
Digital infrastructure (data centers, cloud services, DNS providers)
Public administration
Space
Key Difference from NIS1: NIS2 extends coverage to more entities and incorporates sectors that were not covered by the original directive, such as digital providers and further infrastructure areas.
Cyber Risk Management and Governance
Under NIS2, organizations must implement effective cybersecurity risk management measures. This includes governance practices like:
Incident prevention and detection
Resilience-building measures
Incident response protocols
It also requires top-level management accountability (Article 20): the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held personally liable for infringements.
Example Requirements (the minimum measures listed in Article 21(2)):
Policies on risk analysis and information system security.
Incident handling.
Business continuity, including backup management, disaster recovery and crisis management.
Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers.
Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
Policies and procedures to assess the effectiveness of the measures, for example regular audits and security testing.
Basic cyber hygiene practices and cybersecurity training.
Policies on the use of cryptography and, where appropriate, encryption.
Human resources security, access control policies and asset management.
Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate.
Mandatory Incident Reporting
One of the core features of NIS2 is the mandatory incident reporting obligation (Article 23). Essential and important entities must report any significant incident, meaning one that has caused or is capable of causing severe operational disruption or financial loss to the entity, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage, to their national CSIRT or competent authority in stages:
An early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
An incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
An intermediate report on request of the CSIRT or competent authority.
A final report no later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
Where appropriate, entities must also inform the recipients of their services about significant incidents likely to adversely affect them.
The staged reporting gives authorities early visibility of threats across the EU, enabling faster and more coordinated responses. Difference from NIS1: NIS1 only required notification "without undue delay" and left the details to Member States; NIS2 sets fixed deadlines and prescribes the content of each report.
Cross-Border Cooperation
NIS2 seeks to improve cross-border cooperation and information sharing between EU Member States. This is done by:
Establishing the European cyber crisis liaison organisation network (EU-CyCLONe, Article 16), composed of the Member States' cyber crisis management authorities, to support the coordinated management of large-scale cybersecurity incidents and crises, alongside the existing Cooperation Group and the CSIRTs network.
Requiring each Member State to designate one or more competent authorities to supervise and enforce the directive, one or more CSIRTs to handle incidents, and a single point of contact for cross-border liaison.
Coordinated vulnerability disclosure (Article 12): each Member State designates one of its CSIRTs as coordinator for vulnerability disclosure, acting as a trusted intermediary between reporters and vendors where needed, and ENISA maintains a European vulnerability database so that disclosed vulnerabilities in ICT products and services can be shared with all relevant stakeholders.
Harmonized Cybersecurity Standards
NIS2 works towards harmonizing cybersecurity requirements across the EU. This reduces regulatory fragmentation, making it easier for businesses to comply with consistent standards across Member States.
The directive sets a minimum baseline for cybersecurity standards, with Member States allowed to adopt stricter measures but not weaker ones.
Penalties and Enforcement
Penalties under NIS2 are significant (Article 34). Member States must empower their authorities to impose administrative fines of at least up to EUR 10 million or 2% of the total worldwide annual turnover of the undertaking, whichever is higher, on essential entities, and of at least up to EUR 7 million or 1.4% of worldwide annual turnover, whichever is higher, on important entities. Supervisory measures for essential entities (Article 32) can also include temporarily suspending certifications or authorisations and temporarily prohibiting persons with managerial responsibilities at CEO or legal representative level from exercising managerial functions until the entity is back in compliance.
NIS2 aims to make organizations more accountable for their cybersecurity posture and places stronger emphasis on management responsibility.
Supply Chain Security
The NIS2 Directive introduces requirements for organizations to address cybersecurity risks related to their supply chains and relationships with third-party vendors.
Organizations must assess and manage risks not only within their own networks but also within those of their suppliers, partners, and service providers. This means increased scrutiny of third-party risk management and vendor contracts.
Differences Between NIS1 and NIS2
Broader Coverage: NIS2 covers a wider range of sectors and organizations than NIS1. NIS1 left it to each Member State to identify its "operators of essential services", which produced uneven coverage across the EU; NIS2 replaces that with a uniform size-cap rule under which all medium-sized and large entities in the listed sectors are in scope by default, with some entity types (such as DNS service providers and TLD name registries) covered regardless of size.
Tighter Incident Reporting: NIS2 imposes more stringent deadlines for reporting cyber incidents compared to NIS1.
Greater Harmonization: NIS2 promotes more harmonized rules across the EU, reducing the regulatory divergence between Member States.
Stronger Accountability: NIS2 places a greater emphasis on top-level management's role in ensuring organizational cybersecurity and mandates their direct involvement.
Sectors Affected by NIS2
NIS2 lists its sectors in two annexes: Annex I contains the sectors of high criticality and Annex II the other critical sectors. Whether a given organization is an essential entity or an important entity (Article 3) depends on both its sector and its size: large entities in Annex I sectors are essential, while other medium-sized and large entities in either annex are important. A few entity types, for example DNS service providers, TLD name registries and qualified trust service providers, are essential regardless of size, as are central government public administration entities.
Annex I, sectors of high criticality:
Energy (electricity, district heating and cooling, oil, gas, hydrogen)
Transport (air, rail, water, road)
Banking
Financial market infrastructures
Health (healthcare providers, reference laboratories, pharmaceutical research and manufacturing, manufacturers of critical medical devices)
Drinking water
Waste water
Digital infrastructure (cloud computing, data centres, DNS, TLD registries, content delivery networks, electronic communications, trust services)
ICT service management (managed service providers and managed security service providers)
Public administration
Space
Annex II, other critical sectors:
Postal and courier services
Waste management
Manufacture, production and distribution of chemicals
Production, processing and distribution of food
Manufacturing (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment)
Digital providers (online marketplaces, online search engines, social networking platforms)
Research
Practical Example of NIS2 Compliance
Imagine a hospital operating in the EU:
Under NIS2, the hospital must implement comprehensive cybersecurity measures to protect patient data, secure medical devices, and ensure uninterrupted access to critical systems.
It must also assess cybersecurity risks across its supply chain (e.g., medical device manufacturers, software providers).
In the case of a significant incident, for example a ransomware attack that disrupts clinical systems or exposes patient records, the hospital must send an early warning to its national CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. Because patient records are personal data, the same incident will usually also require a personal data breach notification to the data protection authority under the GDPR within 72 hours.
Failure to comply with these requirements, such as not implementing adequate security measures or failing to report incidents, could lead to fines and significant reputational damage.
How NIS2 Aligns with Other EU Cybersecurity Regulations
NIS2 complements other EU regulations, such as:
Cyber Resilience Act (CRA): While the CRA focuses on ensuring that products with digital elements (like software and hardware) are secure, NIS2 focuses on ensuring that critical infrastructure and services are secure.
Digital Operational Resilience Act (DORA): DORA (Regulation (EU) 2022/2554) applies specifically to the financial sector and requires financial entities to have strong ICT risk management, incident reporting and resilience testing, while NIS2 applies to broader sectors such as health, energy and public services. Under Article 4 of NIS2, such sector-specific Union acts take precedence where their requirements are at least equivalent, so financial entities covered by DORA follow DORA's risk management and incident reporting rules rather than NIS2's.
General Data Protection Regulation (GDPR): NIS2 and the GDPR overlap when a cyber incident involves personal data. A single incident can then trigger both regimes: reporting to the CSIRT or competent authority under NIS2, and notification of the data protection supervisory authority under GDPR Article 33 within 72 hours of becoming aware of the breach, plus notification of the affected individuals under Article 34 where the risk to them is high. The two regimes have different recipients, deadlines and content requirements, so incident response runbooks should track them separately.
Conclusion
The NIS2 Directive marks a significant step forward in the EU's approach to cybersecurity. It seeks to address the growing threats by enforcing stricter cybersecurity measures across a wide range of sectors, with an emphasis on incident reporting, cross-border cooperation, and harmonization of security standards. Organizations covered under NIS2 need to adopt more robust security practices, take responsibility for their supply chains, and ensure top-level management is actively involved in maintaining cybersecurity. With the increasing frequency of cyberattacks, NIS2 is crucial for protecting Europe's critical infrastructure and ensuring the resilience of essential services.
Additional Provisions
National strategies and support:
Public-Private Partnerships (PPPs): PPPs can leverage private-sector expertise to enhance services such as information exchange, early warnings and crisis management.
Support for SMEs: Member States should address the cybersecurity needs of small and medium-sized enterprises (SMEs), offering guidance and assistance with challenges such as low cyber-awareness and the high cost of cybersecurity solutions.
Active Cyber Protection: Member States should adopt policies for active cyber protection, covering prevention, detection and mitigation of network security breaches.
Vulnerability Handling: Entities should establish procedures for handling vulnerabilities, including receiving information from third parties and coordinating disclosure timelines.
Domain name registration data (Article 28):
Verification of Registrant Contact: TLD name registries and domain name registration service providers must verify at least one means of contact for the registrant.
Public Availability of Data: Registration data that are not personal data, such as the name and contact telephone number of a registrant that is a legal person, must be made publicly available without undue delay after registration. Email addresses can be published if they do not contain personal data.
Lawful Access: Specific domain name registration data concerning natural persons must be made accessible to legitimate access seekers upon lawful and duly substantiated requests, in accordance with Union data protection law.
Jurisdiction and Cooperation: Entities fall under the jurisdiction of the Member State where they are established; cooperation and mutual assistance between Member States are required for supervisory actions.
Definitions:
Top-Level Domain (TLD) Registry: An entity responsible for administering a specific TLD, including domain name registration and technical operation of the TLD.
Domain Name Registration Services: Includes registrars and agents acting on behalf of registrars, such as privacy or proxy registration service providers.
Digital and Trust Services: Definitions of digital services, trust services and qualified trust service providers follow the relevant EU regulations (notably the eIDAS Regulation (EU) No 910/2014).
Online Services: The directive defines online marketplaces, online search engines, cloud computing services, data centre services, content delivery networks and social networking services platforms.
Supply chain and implementing acts:
Supplier and Service Provider Vulnerabilities: When assessing supply chain risk, entities must consider the specific vulnerabilities of each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including their secure development procedures (Article 21(3)).
Corrective Measures: Entities that find they are not complying with the risk-management measures must take all necessary, appropriate and proportionate corrective measures without undue delay (Article 21(4)).
Implementing Acts: By 17 October 2024 the Commission had to adopt implementing acts laying down technical and methodological requirements for DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, online marketplaces, online search engines, social networking platforms and trust service providers (Article 21(5)); it did so in Commission Implementing Regulation (EU) 2024/2690.
Security Risk Assessments: Coordinated security risk assessments of specific critical supply chains are carried out by the Cooperation Group together with the Commission and ENISA (Article 22).
Final provisions:
Committee Assistance: The Commission is assisted by a committee within the meaning of Regulation (EU) No 182/2011.
Review: By 17 October 2027, and every 36 months thereafter, the Commission reviews the functioning of the directive and reports to the European Parliament and the Council.
Transposition: Member States had to adopt and publish the measures necessary to comply with the directive by 17 October 2024 and apply them from 18 October 2024.
Amendments and Repeals: The original NIS Directive (EU) 2016/1148 is repealed with effect from 18 October 2024, and the eIDAS Regulation (EU) No 910/2014 and the European Electronic Communications Code (Directive (EU) 2018/1972) are amended to remove their overlapping security provisions.