The Network and Information Security Directive 2 (NIS-2) entered into force in January 2023 to strengthen cybersecurity across critical sectors in the European Union. Companies and organisations in scope need to comply with the national laws that implement it. This blog post summarises what we know about this legislation (UPDATED 2024).
What is NIS-2?
The NIS-2 Directive builds on the previous NIS Directive and aims to achieve a high common level of cybersecurity of network and information systems across the European Union. It requires member states to transpose it into national law and requires the entities in scope to identify and implement appropriate security measures. The primary objective? Reduce cyber risks and limit the impact of cyber incidents. NIS-2 targets legal entities operating in critical sectors such as energy, transport, healthcare and banking, but also other sectors crucial to the functioning of the economy and society. Below is a (non-exhaustive) list of further sectors in scope:
- Digital infrastructure (including data centres, DNS, TLD registries and cloud computing services)
- Drinking water
- Waste water
- Digital providers (online marketplaces, search engines and social networking platforms)
- Providers of public electronic communications networks and services
- Manufacturing (including medical devices) and chemicals
- Postal and courier services
- Public administration
How to become NIS-2 compliant?
The NIS-2 Directive had to be transposed by the European member states into national legislation by 17 October 2024. Only once that transposition is complete does it become clear exactly what an organisation must do to comply. Currently, for a number of European countries, it remains uncertain how this transposition will turn out. A concern in this regard is that member states may interpret the directive in their own way, so that organisations in different countries could face different requirements based on the same directive.
Nevertheless, it is advisable to assign the responsibility of NIS-2 compliance to a compliance officer in advance. NIS-2 will have significant implications for organisations in Europe.
- Risk ownership and board accountability in NIS-2 compliance: Under the NIS-2 Directive (Article 20), the management body plays a pivotal role in ensuring compliance with the risk management obligations. The directive mandates that the board not only approves the cybersecurity risk management measures but also oversees their implementation. Importantly, NIS-2 states that board members of essential and important entities can be held liable for infringements of these obligations. Additionally, the directive requires board members to follow training to be able to fulfil their risk management responsibilities.
- Security measures as outlined in Article 21 of the NIS-2 Directive: Article 21 lists the minimum cybersecurity risk management measures for both essential and important entities. These cover, among other things, risk analysis and information system security policies, incident handling, business continuity (backup management, disaster recovery and crisis management), supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), basic cyber hygiene practices and cybersecurity training, policies and procedures on the use of cryptography and, where appropriate, encryption, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate.
- Supply chain security under the NIS-2 Directive: For organisations within the scope of NIS-2, a crucial element of risk management involves securing the supply chain. This entails assessing and mitigating risks associated with suppliers and service providers, including evaluating the quality of their products and their cybersecurity practices, such as secure development processes.
- Incident reporting requirements in the NIS-2 Directive: Significant incidents must be reported without undue delay to the national CSIRT or the competent authority (Article 23). NIS-2 prescribes an early warning within 24 hours of becoming aware of the incident, a more detailed incident notification within 72 hours, and a final report within one month. Additionally, organisations are obliged to inform the recipients of their services about significant incidents that are likely to adversely affect the delivery of those services. An incident is significant when it causes or is capable of causing severe operational disruption or financial loss, or when it affects others through considerable material or non-material damage.
What does NIS-2 state about third-party ICT risk?
The NIS-2 Directive states that organisations in scope must address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers" (Article 21(2)(d)).
The Directive also mandates that member states address "cybersecurity in the supply chain for ICT products and ICT services" in their national cybersecurity strategy (Article 7).
Finally, the Directive allows for Union-level "coordinated security risk assessments of critical supply chains" of specific ICT services, systems or products (Article 22). This also implies that organisations that are part of a critical supply chain must have a decent understanding of their third-party relationships and the associated risks.
In summary, it is advisable for organisations to proactively start structuring their third-party risk management, despite the lack of clarity on the precise national requirements. The Directive clearly underscores the importance of accounting for supply chain risks and makes management responsible for identifying and mitigating them, particularly those inherent in the supply chain.
Why is complying with NIS-2 important?
For organisations that fall under NIS-2, compliance is a critical task in the coming period. Non-compliance with NIS-2 can result in substantial administrative fines: for essential entities up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher, and for important entities up to EUR 7 million or 1.4% of that turnover. More importantly, adhering to the NIS-2 requirements is essential to ensure digital security and reduce the likelihood and impact of cyberattacks. NIS-2 obliges organisations to raise their level of digital security and adapt to the growing threat of cybercrime.
What if your sector is not mentioned?
Even though NIS-2 mainly focuses on vital sectors, its requirements may also affect companies that do not operate within these sectors. For example, suppliers to businesses in vital sectors may be contractually required to meet NIS-2-level security requirements in order to keep doing business with them. Organisations therefore need to assess the impact of NIS-2 on their clients and suppliers and take timely action to meet these requirements.
How can a company or organisation prepare for NIS-2?
To prepare for NIS-2, organisations must first determine whether the directive applies to them, or to their clients or partners. The Dutch National Cyber Security Centre (NCSC-NL) advises organisations not to wait until the legislation and regulations are completely clear: the risks that organisations and systems face today are already present. Organisations that take action now not only protect themselves against these existing risks but will also be better prepared for the introduction of the new legislation. This can be achieved by taking the following measures:
- Conduct a risk analysis and assessment of the physical and digital risks that could disrupt your organisation's service delivery.
- Implement measures where possible to better protect the organisation and supply chain against these risks.
- Establish procedures that enable your organisation to detect, monitor, resolve, and report incidents that may disrupt business processes.
What could happen if you do not comply with NIS-2?
Besides the financial repercussions, failure to comply with NIS-2 may damage the organisation's reputation, especially if a cyberattack occurs that could have been prevented by following the requirements. Hence, being NIS-2 compliant is not just about avoiding penalties, but also about ensuring digital security and maintaining the trust of customers, business partners and other stakeholders.