Updates to the latest iteration of the Network and Information Security (NIS2) Directive to coordinate cybersecurity across the European Union specify new terms and mandates for Member States. The guidance tasks leaders with applying cybersecurity considerations and requirements to entities that serve a large part of the populations and are considered vital to the economy based on services provided and size of operations.
Who Is Affected by the NIS2 Directive?
Entities fall into two categories: Essential Entities or operators of essential services, and Important Entities, where sectors are significant, though their disruption would not necessarily cause serious societal or economic consequences. The legislation hopes to ramp up cyber defenses without attempting to ‘boil the ocean.’
The European Parliament understands that sweeping cybersecurity regulations and mandates have the potential to price small and medium sized organizations out of business, weakening the market and creating heightened dependence on fewer providers.
The NIS2 legislation calls out the broad spectrum of resources available to entities to carry out cybersecurity considerations and requirements, noting “the supervisory and enforcement regimes for those two categories of entities should be differentiated to ensure a fair balance between risk-based requirements and obligations on the one hand, and the administrative burden stemming from the supervision of compliance on the other.”
- Financial market infrastructures
- Drinking water
- Digital infrastructure
- ICT-service management
- Public administration entities (excluding the judiciary, parliament, and central banks)
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Food production, processing, and distribution
- Manufacture of medical devices, electronic products, and transport
- Digital providers
Broad Security Requirements for All Entities
- Risk analysis and information systems security policies
- Incident handling (prevention, detection, and response)
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems
- Policies and procedures for cybersecurity risk management measures
- The use of cryptography and encryption
While all entities are subject to these seven broad security requirements, the legislation requires Essential Entities to have proactive supervision and oversight on requirements, while Important Entities are subject to reactive supervision if/when a reported incident is significant and triggers supervision.
What Changed in the NIS2 Directive?
NIS2 incorporates a two-phased incident reporting structure. Regardless of proactive or reactive supervision, the legislation mandates any significant incident to be reported within 24 hours of onset, adding details within 72 hours. More detailed reporting is required as a follow-on measure 1 month after the onset of a significant incident. This structure is an attempt to swiftly capture immediate details to prevent widespread impacts from similar attacks, and to provide in-depth analysis after the fact for security researchers and future resilience planning.
A significant cybersecurity incident is defined as an incident that either has cause or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, and/or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Entities are further expected to indicate whether they suspect the significant incident is the result of unlawful or malicious activity, and whether the incident might have transnational impacts.
Although the legislation provides nuanced guidance, much of its impact depends on entities’ understanding of attacks and impacts. For example, entities will need to quickly identify the potential impacts of incidents before or as they unfold – to include loss of view and loss of control scenarios that impact the functioning of services and processes. Stakeholders at each entity will need to assess impacts to both the affected network and information systems, the reliance on those systems, and the expected duration and severity of disruption of services.
Article 7: National Cybersecurity Strategy
Article 7 mandates each Member State in the EU to adopt a national security strategy with the following strategic objectives in mind and in scope:
- Objectives and priorities of the Member State’s cybersecurity strategy
- A governance framework to achieve stated objectives and priorities
- A governance framework clarifying roles and responsibilities for Member State stakeholders, established points of contact, and computer security incident response trams (CSIRTs)
- A mechanism to identify relevant assets and Member State risk assessments
- An identification of the measures ensuring preparedness, response, and recovery planning to include public-private cooperation
- A list of the authorities and stakeholders involved in the implementation of the national cybersecurity strategy established by and for the Member State
Article 7 stipulates additional policies each Member State shall incorporate into their strategies, including ICT supply chain considerations, guidance for small and medium-sized enterprises, vulnerability management, internet security, requirements for adopting certain technologies and information sharing tools, training and education, and plans to enhance the general level of cybersecurity awareness for citizens in the general population.
Article 21: Additional Cybersecurity Risk-Management Measures
Risk management in Article 21 is three-pronged, tackling technical, operational, and organizational approaches to the security of network and information systems entities rely on for the provision of goods and services. The legislation directs entities to assess the proportionality of risk management activities, considering their degree of exposure to risks, size, likelihood of incidents and their severity, and the societal and economic impacts stemming from potential incidents.
As a baseline, NIS2 promotes including the following measures in each risk management program at the entity level:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- The use of multi-factor authentication or continuous authentication solutions
The European Commission will continue to expand on technical and methodological requirements related to the NIS2 directive. NIS2 is only one part of a broader 5-point plan the EU is enacting to address cybersecurity. The Commission continues to outline revisions to the 2008 European Program for Critical Infrastructure Protection (EPCIP).
NIS2 describes an “all hazards” approach to risk management in the same way that the EPCIP outlines 11 risk areas, to include natural disasters, terrorist attacks, internal threats, and sabotage, but also public health emergencies like the recent COVID-19 pandemic. Similarly, in the U.S. the Cybersecurity and Infrastructure Security Agency (CISA) has recently delivered critical infrastructure cyber performance goals to prioritize decisions, spending, and action across critical sectors and entities whose disruption, degradation, or destruction will impact life, the economy, or national security.
CISA’s broader strategic plan outlines 4 main goals and 19 collective objectives for the agency, including the roll out of sector-specific standards and recommendations to guide security decisions. The plan notes that “operational technology (OT) and industrial control systems (ICS) pose unique risks that demand particular focus due to the heightened consequences of disruption and challenges related to deploying certain security controls at scale.”
While NIS2 Directive does not specifically address OT, its many considerations will strengthen entities’ risk management and security policies, building resilience across and Member States and their essential and important entities.