The European Union adopted the Network and Information System (NIS) Directive in July 2016 with the intention of ensuring a common level of security for the networks and information systems of critical and sensitive infrastructures in EU member states. Six years later, its revision is gaining momentum, with the Commission, the European Parliament and the European Council reaching their first agreements in May and June 2022. The revised Directive, NIS2, has not yet been adopted but is already prompting many questions about its implications and scope of application.
Why is a revision to NIS Directive required?
In 2016, the European Union issued the NIS Directive to combat the pervasive and increasingly sophisticated cyberattacks on vital infrastructures. With the NIS Directive, the EU aimed to direct its members to develop national and cross-border cybersecurity norms and regulations. Although the plan was sound, its execution proved difficult. The directive relied heavily on the discretion of individual member states and lacked the accountability mechanisms required to enforce it. As a result, security in the public and private sectors became fragmented.
What prompted the EU to act is the rapidly expanding threat landscape, which places increasing pressure on enterprises to develop the capacity to prepare for and manage a cyber crisis effectively. For example, while the Thales Data Threat Report 2022 recorded a 44% global increase in the volume and severity of attacks against critical infrastructures, Deloitte reports a staggering 220% growth across the EU Member States between 2020 and 2021. In addition, the transition to remote work introduced new vulnerabilities, with 79% of critical infrastructure businesses reporting security concerns. Malware and ransomware have become the leading sources of increased security attacks because they deliver large pay-outs at relatively low cost to the attacker. The current geopolitical climate has further heightened the risk of cyberattacks, particularly for operators of key services that could be targets of hybrid warfare.
In 2020, the European Commission revised the Directive to “further strengthen overall cybersecurity in the Union” and address emerging cyber threats. NIS2, which repeals the NIS Directive, is due to enter into force in 2024 and is expected to impose more stringent requirements on a broader range of actors.
NIS2 has three general objectives:
1. Increase the cyber resilience of a broad range of European Union-based enterprises operating in all relevant industries and performing essential activities.
2. Reduce inconsistencies in internal market resilience in industries currently covered by the directive by unifying cybersecurity capabilities.
3. Enhance joint situational awareness and the collective capacity to plan and respond by boosting information sharing and establishing norms and procedures in the case of a large-scale incident or crisis.
What are the changes in NIS2 Directive?
NIS2 introduces three main changes compared with NIS:
1. Expanded applicability
Under the current Directive, operators of essential services (such as banks, healthcare providers, and providers of drinking water and energy) and digital service providers (to include cloud service providers and online marketplaces) are already required to improve their digital security and report cyber incidents.
NIS2 broadens the scope of NIS by adding new industries, such as telecommunications, postal services, social media platforms, and public administration, which includes state and provincial government agencies. Entities under the purview of NIS2 will be divided into two categories, essential entities and important entities, distinguished by the criticality of the sector concerned. Important entities are primarily medium- to large-sized entities for which a hypothetical disruption of services would not have severe societal or economic repercussions.
NIS2 will also apply to subcontractors and service providers with access to vital infrastructure, which were left out of the original version of the regulation, because vulnerabilities in a provider's infrastructure could compromise the security of the critical organisation it serves. In the energy sector, for instance, security precautions will no longer be limited to electricity producers, transporters, and distributors: all subcontractors of essential infrastructure will be affected.
2. Strengthened security requirements
NIS2 includes a list of seven elements that all companies must address or implement as part of the security measures they take:
- Risk analysis and information system security policies.
- Incident handling (prevention, detection, and response to incidents).
- Business continuity and crisis management.
- Supply chain security.
- Security in network and information systems.
- Policies and procedures for cybersecurity risk management measures.
- The use of cryptography and encryption.
The proposal introduces a two-step process for incident reporting. Affected businesses are required to file an initial report within 24 hours of becoming aware of an incident, followed by a final report within one month.
In the supervision and implementation of these measures, management bodies will play a key and active role. Regarding enforcement, NIS2 specifies a minimum list of administrative sanctions that may be imposed on businesses that violate the regulations governing cybersecurity risk management or their reporting duties under the Directive. These sanctions include:
- Fines up to 10 million EUR or 2% of the total global annual turnover
- Management liability
- Temporary bans against managers
- Designation of a monitoring officer
3. Improved cooperation
NIS2 comprises provisions for measures to strengthen the level of confidence between responsible authorities, information sharing between competent authorities, and crisis response protocols.
In addition, the EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is established to facilitate the coordinated management of cyber crises across the EU. The amended Directive would also create an EU crisis management framework, requiring Member States to prepare a plan and designate national competent entities accountable for responding to cyber incidents and crises at the EU level.
NIS2 Technical and Organisational Measures Focus Area Case Study
The NIS2 proposal includes a list of key elements that all companies must address or implement as part of the measures they take.
In particular, Article 18 (Cybersecurity risk management measures) requires that “entities shall take appropriate and proportionate technical and organisational measures” [Article 18(1)] and adds that these “measures shall include at least the following”:
“supply chain security including (…) providers of data storage and processing services or managed security services” [Article 18(2d)] and
“the use of cryptography and encryption” [Article 18(2g)]
What does that mean?
NIS2 holds organisations directly responsible. When outsourcing their Information and Communications Technology (ICT) activities, for instance by processing and storing data in the cloud, organisations must apply additional “technical and organisational measures” so that they genuinely carry their share of the responsibility and compensate for the loss of control that outsourcing entails.
Why Cryptography and Encryption?
Implementing cryptography and encryption is one way for organisations to enforce such technical and organisational measures: encrypted data cannot be accessed without additional information (the cryptographic key), which gives organisations control over their cloud-based assets.
Encryption and Key Management Systems (KMS) are “technical measures”; because the keys are managed by the organisation itself rather than by the cloud provider, key management is also an “organisational measure”.
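The control described above can be made concrete with client-side envelope encryption: data is encrypted before it leaves the organisation, each object gets its own data key, and that data key is wrapped by a key encryption key (KEK) that stays in the organisation's own KMS. The provider only ever holds ciphertext and wrapped keys, and disabling the KEK withdraws its access immediately. The Python below is an added illustration, not code from Thales or from the Directive; the classes OrgKMS and CloudStorage, the upload/download helpers and the sample record are all constructed for this example. The cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, chosen so the example needs only the standard library; it stands in for AES-GCM from a vetted library and a hardware-backed KMS, which is what a real deployment would use, but the control structure is the same.

```python
"""Client-side envelope encryption with an organisation-held KEK (illustration)."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys so the two HMAC uses never overlap.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified object is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("object too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered object")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class OrgKMS:
    """Constructed stand-in for the organisation's KMS/HSM: the KEK never leaves it,
    only wrap/unwrap are exposed, and a KEK can be disabled at any time."""

    def __init__(self):
        self._keks = {}

    def create_kek(self) -> str:
        kid = "kek-" + secrets.token_hex(4)
        self._keks[kid] = {"key": secrets.token_bytes(32), "enabled": True}
        return kid

    def wrap(self, kid: str, dek: bytes) -> bytes:
        return encrypt(self._kek(kid), dek)

    def unwrap(self, kid: str, wrapped: bytes) -> bytes:
        return decrypt(self._kek(kid), wrapped)

    def disable(self, kid: str) -> None:
        self._keks[kid]["enabled"] = False

    def _kek(self, kid: str) -> bytes:
        entry = self._keks[kid]
        if not entry["enabled"]:
            raise PermissionError(f"{kid} is disabled")
        return entry["key"]


class CloudStorage:
    """Constructed stand-in for the provider: it stores what it is given and sees all of it."""

    def __init__(self):
        self.objects = {}

    def put(self, name: str, obj: dict) -> None:
        self.objects[name] = obj

    def get(self, name: str) -> dict:
        return self.objects[name]


def upload(kms: OrgKMS, storage: CloudStorage, kid: str, name: str, plaintext: bytes) -> None:
    """Fresh data key per object; the provider receives ciphertext and a wrapped key only."""
    dek = secrets.token_bytes(32)
    storage.put(name, {"kid": kid, "wrapped_dek": kms.wrap(kid, dek),
                       "ciphertext": encrypt(dek, plaintext)})


def download(kms: OrgKMS, storage: CloudStorage, name: str) -> bytes:
    obj = storage.get(name)
    dek = kms.unwrap(obj["kid"], obj["wrapped_dek"])
    return decrypt(dek, obj["ciphertext"])


def provider_view_contains(storage: CloudStorage, name: str, needle: bytes) -> bool:
    """What storage access alone reveals: does the stored object expose `needle` in clear?"""
    obj = storage.get(name)
    return needle in obj["ciphertext"] or needle in obj["wrapped_dek"]


if __name__ == "__main__":
    kms, storage, kid = OrgKMS(), CloudStorage(), None
    kid = kms.create_kek()
    record = b"patient-id=12345;note=constructed sample"  # constructed sample data
    upload(kms, storage, kid, "records/1.bin", record)
    print(download(kms, storage, "records/1.bin") == record)           # True
    print(provider_view_contains(storage, "records/1.bin", b"12345"))  # False
    kms.disable(kid)  # the organisation withdraws access without touching the provider
    try:
        download(kms, storage, "records/1.bin")
    except PermissionError as exc:
        print("access withdrawn:", exc)
```

The design point is where the lever sits: the provider can be asked to delete nothing and change nothing, yet a single `disable` in the organisation's KMS renders every object wrapped under that KEK unreadable, and a tampered or mis-keyed object is rejected before any plaintext is produced. That is the "share of responsibility" the passage refers to, expressed as a control the organisation operates itself.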
Drawing on decades of experience helping corporate entities and public enterprises adhere to compliance mandates, Thales offers a broad portfolio of products and services that enable your organization to strengthen its cyber security capabilities, address the security of supply chains, streamline reporting obligations and comply with more stringent supervisory measures and stricter enforcement requirements for NIS2, and other regulations such as GDPR and the Schrems II ruling. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden. To learn more, visit our dedicated NIS2 page here or download the NIS2 compliance brief.