Last week the EU reached an agreement on the Network and Information Security 2 (NIS-2) Directive, which requires organisations in a wide range of sectors to manage third-party risks proactively. EU member states will have 21 months to transpose the Directive into national law. After that, organisations will have to be compliant, or fines may follow.
NIS-2 is the successor of the current NIS Directive. Enacted in 2016, the NIS Directive is the first EU-wide legislation on cyber security. It requires member states to ensure that organisations that are part of a nation's critical infrastructure have appropriate security measures in place to manage security risks and remain resilient in case of an attack or disruption.
The EU developed NIS-2 because of “the increasing degree of digitalization and interconnectedness of our society and the rising number of cyber malicious activities”. According to the Commission, the Directive modernises the existing legal framework, taking into account the increased digitization of the internal market in recent years and an evolving cybersecurity threat landscape. The EU acknowledges that both developments have been further amplified since the onset of the COVID-19 crisis. NIS-2 also addresses several weaknesses in the current NIS Directive, such as its narrow scope of applicability, limited attention to risk management and the lack of enforcement mechanisms.
NIS-2 is intended to be broader in reach and more comprehensive. Looking at third-party risk management specifically, NIS-2 includes three major changes that you should consider (please note that the final text version of the Directive is still pending):
1. Specific requirements for third-party risk management
NIS-2 emphasises that organisations should proactively manage risks introduced by third parties. This covers all suppliers and service providers and should be considered from a multidisciplinary risk perspective. The Directive states that organisations should at least:
Assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures (article 43)
Exercise increased diligence in selecting a managed security service provider (article 44)
Address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions (article 45)
Carry out or participate in coordinated sectoral supply chain risk assessments (article 46)
2. Organisations in a wide variety of sectors need to comply
The expanded scope covers more sectors, whose organisations are referred to as either ‘essential’ or ‘important’ entities depending on how critical they are to the economy and society. This includes organisations in the following sectors:
Digital service providers
Providers of public electronic communication services
Manufacturing of medical devices and chemicals
3. Non-compliance can be punished with fines
Sector-specific supervisory bodies will get the authority to impose sanctions and fines on organisations that do not comply with the NIS-2 Directive. The administrative fines can be up to 2% of the total worldwide annual turnover of the organisation.
The political agreement reached by the European Parliament and the Council is now subject to formal approval. Once published in the Official Journal, the Directive will enter into force 20 days after publication. Member States will then need to transpose the new elements of the Directive into national law, and will have 21 months to do so.