EU agrees on NIS-2 Directive: Organisations need to strengthen third-party risk management

Jelle Groenendaal | Chief Product Owner

Last week the EU reached an agreement on the Network and Information Security 2 (NIS-2) Directive, which requires organisations in a wide range of sectors to manage third-party risks proactively. EU member states will have 21 months to transpose the Directive into national law. After that, organisations will have to be compliant; otherwise, fines may follow.

What is the NIS Directive?

NIS-2 is the successor of the current NIS Directive. Enacted in 2016, the NIS Directive is the first EU-wide legislation on cyber security. It requires member states to ensure that organisations that are part of a nation’s critical infrastructure have appropriate security measures in place to manage security risks and remain resilient in case of an attack or disruption.

Why NIS-2?

The EU developed NIS-2 because of “the increasing degree of digitalization and interconnectedness of our society and the rising number of cyber malicious activities”. According to the Commission, the Directive modernises the existing legal framework, taking into account the increased digitization of the internal market in recent years and an evolving cybersecurity threat landscape. The EU acknowledges that both developments have been further amplified since the onset of the COVID-19 crisis. NIS-2 also addresses several weaknesses in the current NIS Directive, such as the small scope of applicability, limited attention to risk management and the lack of enforcement mechanisms.

NIS-2: What will change with regard to third-party risk management?

The objective of NIS-2 is to be broader-reaching and more comprehensive. Looking at third-party risk management specifically, NIS-2 includes three major changes that you should consider (please note that the final text version of the Directive is still pending):

1. Specific requirements for third-party risk management

NIS-2 emphasizes that organisations should proactively manage risks introduced by third parties. This includes all suppliers and service providers and should be considered from a multidisciplinary risk perspective. The Directive states that organisations should at least:

  • Assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures (article 43)

  • Exercise increased diligence in selecting a managed security service provider (article 44)

  • Address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions (article 45)

  • Carry out or participate in coordinated sectoral supply chain risk assessments (article 46)

2. Organisations in a wide variety of sectors need to comply

The expanded scope includes more sectors, which are being referred to as either ‘essential’ or ‘important’ entities based on how critical they are to the economy and society. This includes organisations in the following sectors:

  • Healthcare

  • Transport

  • Banking

  • Digital infrastructure

  • Water supply

  • Energy

  • Digital service providers

  • Data centers

  • Providers of public electronic communication services

  • Water management

  • Manufacturing of medical devices and chemicals

  • Food

  • Space

  • Postal administration

  • Public administrations

3. Non-compliance can be punished with fines

Sector-specific supervisory bodies will get the authority to impose sanctions and fines on organisations that do not comply with the NIS-2 Directive. The administrative fines can be up to 2% of the total worldwide annual turnover of the organisation.

What are the next steps?

The political agreement reached by the European Parliament and the Council is now subject to formal approval. Once published in the Official Journal, the Directive will enter into force 20 days after publication. Member States will then need to transpose the new elements of the Directive into national law. Member States will have 21 months to do this.
