On Thursday 28 October 2022, the EU Parliament’s committee on Industry, Research and Energy (ITRE) adopted the NIS-2 Directive with 70 votes in favour, 3 against and 1 abstention. The NIS2 Directive is the European Union's new cybersecurity legislation that will replace and strengthen the EU's current Network and Information Society Directive (NIS Directive - EU 2016/1148).
NIS2 applies to a broader scope of sectors and entities than those covered by NIS1, including essential and important entities operating in a defined list of sectors. The new Directive imposes direct obligations on management bodies concerning the implementation and supervision of their organisation's compliance with the legislation, and requires a range of other cyber risk management measures (e.g. supply chain and third-party supplier due diligence). NIS2 requires different levels of notification depending on the incident or threat, including an initial report within 24 hours of learning about an incident (down from 72h in NIS1), followed by "intermediate" and then "final" reports.
Most importantly, what makes this a game changer that should wake up any management team is its similarity to GDPR in how it makes senior managers accountable for cyber resilience, with fines and penalties for non-compliance of up to EUR 10M or 2% of total global turnover.
It is therefore to be expected that small and medium-sized companies will quickly need to recruit a CISO role to meet the new security requirements. This adds further tension to a labour market that already seems to be at breaking point but is good news for managed service providers and advisory services that can offer support as a service.
The NIS2 Directive is expected to come fully into force in the next few months, with a deadline for implementation by mid-2024.
The NIS Directive - Current scope
The first EU-wide cybersecurity legislation, adopted in 2016, was the NIS Directive. It focuses on the risk management and reporting obligations of operators of essential services (OES) and digital service providers (DSP) in order to achieve a high level of common cybersecurity across the EU. Its scope was mainly focused on the following key sectors, resulting in today's significantly improved security levels in Europe's critical infrastructure (see the full NIS1 scope at the bottom of the article):
- Banking & financial market infrastructure
- Critical digital infrastructure
- Energy sector (Electricity supply/distribution/transmission, Oil transmission pipelines, production, refining and treatment facilities, storage and transmission)
- Water supply & distribution
The NIS2 - Important scope extension
NIS2 will affect a much greater number of entities than what is currently mandated by the NIS Directive. It eliminates the distinction between OES and DSP, and expands the pool of in-scope entities to include more "essential" entities (as listed in Annex I of NIS2) and "important" entities (as specified in Annex II of NIS2), moving from the 19 sectors currently covered by the NIS Directive to a total of 35 sectors (see below).
For example, in addition to what is already included in the NIS Directive, organisations operating in the following areas will now also be covered:
- Digital infrastructure and service providers, including those offering public electronic communications networks or services, social networking platforms and data centre services.
- Subcontractors and service providers with access to critical infrastructure, who were overlooked in the first version of the directive
- The pharma industry as part of healthcare
- Waste water and waste management
- Manufacturing of certain critical products (such as medical devices, vehicles, computers & electronic devices)
- Chemicals production and distribution
- Food production, processing and distribution
- Postal and courier services
- Public administrations
NIS2 not only covers a wider range of sectors but also provides more information on which organisations in those industries would be required to comply. Right now, under the NIS Directive, it is the Member States' responsibility to come up with a list of what they consider OESs and DSPs, but the new NIS2 Directive makes the scope more precise as it:
- clearly defines the size threshold above which medium and large entities that operate in the sectors covered by the new text will have to comply with the requirements contained in NIS2; and
- applies to entities that are considered "important" and "essential", regardless of their size, in certain circumstances, including:
- companies that offer public electronic communications networks or publicly available electronic communications services
- top-level domain name registries and domain name system services providers
- entities offering services whereby a potential disruption to those services could have an impact on public safety, public security or public health
- entities offering services whereby a potential disruption to the service could induce systemic risks, particularly in sectors where the disruption could have a cross-border impact
Information security management system (ISMS)
Both NIS1 and NIS2 require top management to put in place an effective information security management system (ISMS) to prevent impacts on the covered entities. Many approaches exist for implementing this, including popular security frameworks such as ISO 27001, NIST and SOC 2. This does not mean companies need to be certified against such standards, but they should at a minimum implement the key elements these frameworks have in common, to show a continuous effort to improve the security posture. This includes, among others:
- Conducting risk management with identification, assessment and prevention measures
- Documenting assets, their dependencies and their security requirements
- Documenting stakeholders and their security requirements
- Documenting suppliers, their related risks and security commitments
- Documenting, formally validating and distributing staff commitment to the company policies and procedures
- Incident documentation, communication, management and business continuity handling
- Implementing technical and organisational security measures
- Conducting independent security audits
- Tracking cyber security objectives to measure continuous improvement of your security posture
- Effective task and priority management during implementation
There are two ways to implement such a management system:
- You have the competent staff internally, or are able to hire them, which is a sign that you probably already have some of the above-mentioned elements covered. In this case you should discuss with your team which security framework aligns best with your company and conduct a gap analysis against the new NIS2 scope so you can let them focus on this.
- Hire a consultancy/advisory company that can assist you in the implementation. The advantage of this approach for top management is that they profit from the expertise and objectivity of professionals who do this every day. It is also usually the most cost-effective approach for small to medium-sized companies, because you can align this resource to your financial flexibility (e.g. CISO as a service).
Both approaches have the following in common:
- You need to start the implementation as quickly as possible, because this takes time (1 to 1.5 years depending on your current maturity)
- You need to show management commitment to this effort (treating it as a side project is a 100% guarantee of failure)
- You need to allocate time and a budget for the implementation during the next year(s)
- You need an efficient way to centrally document, manage and follow up on the progress. Not having a central tool to manage all of this will add at least 33% to your implementation time
With Brainframe.com we provide both individual companies and consulting/advisory companies a first-of-its-kind solution combining ISMS, GRC, QMS and DMS in one platform for efficient collaboration, documentation, implementation, certification and continuous improvement of any framework, standard or regulation such as NIS2, to save your precious time.