The original NIS Directive (Directive (EU) 2016/1148) was adopted in July 2016, and EU member states had until May 9, 2018 to transpose it into national law. The directive set out a baseline of cybersecurity requirements for operators of essential services and digital service providers. Its aim was to improve the security and resilience of critical infrastructure and services by establishing a high common level of cybersecurity across all EU member states. Sectors deemed essential included energy, transport, water, healthcare, and banking. In addition to the required security measures, these organizations had to report significant incidents to national authorities.
New Directive Announced – NIS 2
In response to the accelerated digital transformation of business and society, driven in part by the COVID-19 pandemic, a revised directive, NIS 2 (Directive (EU) 2022/2555), was published in the Official Journal of the EU in December 2022. Member states must adopt and publish the national laws transposing it by October 17, 2024 and apply those laws from October 18, 2024. One very important change is that NIS 2 greatly expands the scope of covered organizations, to an estimated 160,000 or more across Europe. For instance, it brings new sectors such as food production, processing, and distribution into scope, and it introduces a second category of "important" entities alongside the "essential" ones.
NIS 2 is yet another example of the rapidly changing regulatory landscape across the world. Because fines for non-compliance can reach €10 million or 2% of global annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities), business owners and leaders need to acquaint themselves with the new directive. Because many of the digital technologies that fall under these evolving regulations are still immature, there remains a great deal of misunderstanding about where cybersecurity responsibility lies, and threat actors are taking advantage of that confusion.
Who is Subject to NIS 2?
Don't assume that NIS 2 does not affect your organization just because it fell outside the scope of the original NIS Directive.
- NIS 2 applies to an extensive list of digital service providers, including providers of DNS services, cloud computing services, data center services, content delivery networks, managed services, managed security services, and trust services. TLD name registries, online search engines, and social networking platforms are also included.
- The original NIS Directive exempted small and micro digital service providers (fewer than 50 staff and an annual turnover or balance sheet below €10 million). Under NIS 2 a size threshold still applies in general, but certain providers, including DNS service providers, TLD name registries, and trust service providers, are in scope regardless of their size.
- Any organization in a sector of high criticality that qualifies as a large enterprise (at least 250 employees, or an annual turnover above €50 million and a balance sheet total above €43 million) is an "essential" entity under NIS 2. Examples of these sectors include energy, public administration, wastewater management, and banking.
- NIS 2 also applies to "important" entities: medium-sized organizations (at least 50 employees, or an annual turnover or balance sheet total above €10 million) in the covered sectors. Sectors whose entities typically fall into this category include manufacturing, research organizations, and postal and courier services.
Note that individual member states can extend the list of covered organizations, and they have until April 17, 2025 to compile their national lists of essential and important entities. While NIS 2 does not apply directly to the United Kingdom, the UK's own NIS Regulations are being strengthened to protect its essential services against cyberattacks.
New Areas of Focus for NIS 2
Cybersecurity is a moving target, and regulators must continually update their requirements to keep pace with technology adoption and evolving attack techniques. NIS 2 builds on its predecessor by imposing a stricter baseline of cybersecurity risk-management measures and reporting obligations. A key objective is to push organizations toward proactive rather than reactive risk management. Some of the changes introduced in NIS 2 include the following:
- Organizations must assess their current risk-management and cybersecurity posture to identify the gaps that must be closed to achieve compliance.
- Organizations must address security risks in their supply chains and in their relationships with direct suppliers and service providers.
- Essential entities are subject to proactive supervision, including audits and inspections at any time, while important entities are subject only to ex post supervision, triggered by evidence or indications of non-compliance, for example after an incident.
- Organizations must provide regular cybersecurity training and awareness programs, for management bodies as well as employees, so that staff have the knowledge and skills to prevent and respond to cybersecurity incidents.
NIS 2 also enforces a strict incident-reporting timeline. Essential and important entities must notify their national CSIRT or competent authority of any incident that has a significant impact on the services they provide. An early warning is due within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. A fuller incident notification is due within 72 hours of awareness and must provide an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise. A final report must be submitted no later than one month after the incident notification, giving a detailed description of the incident, the type of threat or root cause that likely triggered it, and the mitigation measures taken to contain and remediate it.
Enforcement takes place at the national level, but NIS 2 also formalizes EU-level cooperation on large-scale incidents and crises (through the European cyber crisis liaison organisation network, EU-CyCLONe) to address the lack of joint crisis response in the past. Member states are also encouraged to share more information between authorities, which strengthens situational awareness across the EU and builds a common understanding of the main threats and challenges facing all member states.
How CYREBRO Can Help
NIS 2 does not apply only to large corporations and public administrations; many SMBs fall into the applicable categories. Because SMBs often lack the resources, knowledge, and talent to protect themselves against cyber threats, outsourcing is often their preferred option. This is where a security operations center (SOC) such as CYREBRO, which specializes in incident handling, can offer real value.
CYREBRO helps organizations meet the strict incident-handling requirements of NIS 2, including strategic monitoring, early threat detection, cyber threat management and remediation, and forensic investigation.
NIS 2 Incident Handling
No matter the size of their business, CYREBRO customers reinforce their security efforts with innovative technologies offered by CYREBRO, including AI and ML. Our proprietary detection algorithms monitor, analyze, and interpret the consequences of events across all of your business environments.
CYREBRO offers more than technology, however; our security teams have years of experience and have developed procedures and processes to help keep organizations' compliance in check. CYREBRO's SOC uses predefined rules to identify security and compliance activities that do not meet an organization's requirements, enabling organizations to meet their regulatory obligations. Contact CYREBRO to learn more about how NIS 2 may affect your business and what you can do to achieve compliance.