As cyberthreats continue to grow in our increasingly connected world, becoming more complex and larger in scale, legislators are seeking to enhance the digital protection of companies, citizens, and nation states. To that end, the European Union (EU) has introduced the NIS2 (Network and Information Security) Directive, Directive (EU) 2022/2555, to replace its predecessor, the NIS Directive, and close the gaps it left.
In this blog, we cover what the NIS2 directive is, who it applies to, and how it will affect your organization’s security requirements.
What is the NIS2 Directive?
The NIS2 directive is an EU legislative text that aims to establish a high common level of cybersecurity across the EU in order to protect critical infrastructure and organizations from growing cyber threats over the long term. The NIS2 directive focuses on organizations providing essential services that contribute to the functioning of society, organizations that are frequent targets for cybercriminals.
NIS2 Has Three General Objectives:
- Increase cyber resilience across essential service providers
- Harmonize requirements across member states with stricter security obligations and penalties
- Improve the EU’s collective ability to prepare for and respond to cyber threats
Why Has the NIS2 Directive Been Developed?
The COVID-19 pandemic brought with it a dramatic change in the cybersecurity landscape. The world has rapidly become more digital and remote — the number of Internet of Things (IoT) devices globally, at 9.7 billion in 2020, is expected to nearly triple to over 29 billion in 2030. As a result, cyberthreats have skyrocketed, with an 81% increase since the start of the pandemic.
In acknowledgement of this, the European Commission proposed a repeal and replacement of the initial NIS directive (adopted in 2016, with transposition into national law due by May 2018), which had limitations, inconsistencies between member states, and a lack of guidance on protecting against and responding to cybersecurity events.
In its place, the NIS2 directive offers a clearer, more comprehensive policy aimed at strengthening the cybersecurity and resilience of more sectors and types of private and public entities in the EU.
Who Does the NIS2 Directive Affect?
The entities covered by NIS are also covered by NIS2; however, there are new additions, and the terminology has changed. Instead of the NIS’ DSPs (Digital Service Providers) and OESs (Operators of Essential Services), the NIS2 directive distinguishes two types of entities:
- Essential Entities (EE)
- Important Entities (IE)
Essential Entities are typically the larger entities in the sectors of high criticality listed in Annex I of the directive, which include:
- Energy (electricity, district heating and cooling, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial Market Infrastructure
- Health
- Drinking Water
- Waste Water
- Digital Infrastructure (cloud providers, data centers, DNS, TLD registries, public electronic communications networks and services, etc.)
- ICT Service Management (business-to-business managed service and managed security service providers)
- Public Administration
- Space
Important Entities are medium-sized entities in the Annex I sectors above, plus entities in the other critical sectors listed in Annex II, which include:
- Postal and Courier Services
- Waste Management
- Food Production, Processing, and Distribution
- Chemical Manufacturing, Production, and Distribution
- Manufacturing of: computer, electronic and optical products; medical devices; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers; other transport equipment
- Digital Providers of: online search engines; online marketplaces; social networking services platforms
- Research organizations
The following are new additions with the NIS2 directive:
- Wastewater and Waste Management
- Manufacturing of Certain Critical Products (medical devices, pharmaceuticals, chemicals)
- Postal and Courier Services
- Public Administration
- Providers of Public Electronic Communications Networks or Services
Your organization is likely an important or essential entity if it operates in one of these sectors and is a medium-sized enterprise or larger (in general, 50 or more employees or annual turnover above EUR 10 million), although certain entities, such as DNS service providers, TLD name registries, and providers of public electronic communications networks, are in scope regardless of size, and member states may designate additional entities. Importantly, the NIS2 directive applies to organizations established in the EU as well as organizations established outside the EU that provide in-scope services within it; the latter must generally designate a representative in a member state. All will be required to comply with the NIS2 directive.
How Does the NIS2 Directive Affect Your Organization’s Security Requirements?
While NIS2 is built on the initial NIS directive, there are several important changes that organizations will be required to consider.
NIS2 – Key Changes to Consider:
- Risk Ownership – Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and undergo training themselves. They can be held liable for non-compliance; for essential entities, competent authorities may additionally suspend certifications or authorizations, temporarily prohibit individuals with managerial responsibilities from exercising those functions, or designate a monitoring officer.
- Enforcement – Competent authorities can impose administrative fines on essential entities of up to 10 million EUR or 2% of total worldwide annual turnover, whichever is higher, for not complying with the reporting and/or cybersecurity risk management obligations. For important entities the cap is 7 million EUR or 1.4% of total worldwide annual turnover, whichever is higher.
- Security Obligations – NIS2 (Article 21) sets out a minimum list of measures that shall be implemented: risk analysis and information system security policies; incident handling; business continuity (including backup management and disaster recovery) and crisis management; supply chain security; security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of cybersecurity risk management measures; basic cyber hygiene practices and training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control, and asset management; and the use of multi-factor or continuous authentication and secured communications where appropriate.
- Supply Chain Security – Entities will need to assess the security of their direct suppliers and service providers, taking into account each supplier’s vulnerabilities and the quality of its secure development practices, and to address supply chain risk in their own security measures.
- Incident Reporting – Incident response will play a critical role in compliance with NIS2. Entities must report significant incidents to the relevant competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Furthermore, the recipients of their services must be informed of significant incidents that are likely to adversely affect the provision of that service, and, where relevant, of significant cyber threats and the measures recipients can take in response.
The security measures and reporting obligations are largely the same for both classes of entity. The classification primarily determines the supervision regime (proactive, ex ante supervision for essential entities; ex post supervision for important entities) and the maximum fines that can be imposed.
When Will the NIS2 Directive Be Enforced?
The NIS2 directive was approved by the European Parliament on November 10, 2022, and adopted by the Council on November 28, 2022, bringing the legislative process to a close. It was published in the Official Journal of the European Union on December 27, 2022, and entered into force on January 16, 2023. From that date, member states have 21 months to incorporate the provisions of the NIS2 directive into national law, a transposition deadline of October 17, 2024, with the national measures applying from October 18, 2024.
What Should be the Next Steps for Your Organization?
To prepare for the NIS2 directive’s enforcement and to effectively manage evolving cyber risks, organizations should seek to improve cyber resilience capabilities.
Areas of focus to protect information security and prepare for compliance with the NIS2 directive:
- Raising of cybersecurity awareness and training
- Preparing risk management measures — effective identification, assessment, and treatment of cybersecurity risks
- Streamlining cybersecurity incident handling and reporting
- Improving cybersecurity infrastructure, practices, and overall cybersecurity posture
The NIS2 directive will harmonize cybersecurity efforts across member states of the European Union — but its requirements are stringent. While its enforcement is some months away, organizations should start working on compliance now to ensure preparedness when the time comes.
Game-Changing Data Security to Help Prepare for NIS2 Enforcement
Implementing robust encryption, one of the measures NIS2 explicitly lists, will be an important part of your organization’s readiness for the new directive.
Theon Technology delivers the highest level of digital encryption that is practical for widespread enterprise deployment. Theon’s patented methodologies help protect against the growing cyber threats of today and tomorrow with a focus on data sovereignty, data security, and data compression, providing a software approach supporting multiple deployment models. Our SaaS utilizes quantum-resistant patented algorithms that deliver on the promise of truly scalable, commercially viable, enterprise ready One Time Pad-inspired security without the need for specialized hardware.
The Theon privacy suite provides secure services and technology for the most discerning and demanding privacy customers.
Begin preparing now for the future — Contact a Theon expert to find out how you can upgrade your defenses against the cyber threats of today and tomorrow. We also have free eBooks available for download, including our latest, The Big Clock, which outlines the urgency for updated cryptography with a rundown of the best quantum-resistant encryption solutions available.