In December 2022, a new directive was adopted to ensure a high common level of cybersecurity in the EU. Directive (EU) 2022/2555, also known as the NIS2 Directive, repeals and replaces the former Directive (EU) 2016/1148 on the security of network and information systems – also known as the NIS1 Directive. In this blogpost, we will highlight the core changes to this framework, as well as frame the new Directive in the EU’s broader cybersecurity strategy.
BACKGROUND
STRONG INCREASE IN CYBER INCIDENTS
The NIS1 Directive was adopted in 2016 and had to be transposed by the Member States by 9 May 2018. That process was only completed in 2019, due to some Member States not meeting the deadline.
In the field of cybersecurity, as lot has happened since then. Today, it is estimated that 22% of EU enterprises have suffered ICT-related security incidents in 2021. Ransomware attacks were up 41% in 2022. The global average cost of a data breach was in 2022 estimated at USD 4,35 million – even going up to USD 10,1 million in the healthcare sector. The global cost of cybercrime was estimated at EUR 5,5 trillion by the end of 2020.
At the same time, the increasing interconnectedness of all layers and sectors of society and the growth of teleworking following the COVID-19 pandemic result in an ever more important reliance on network and information systems. This underlines the need for strong policies in the field of cybersecurity.
WHERE DID NIS1 FALL SHORT?
However, while reviewing the NIS1 Directive, it was discovered that this framework failed to meet its projected goals in several ways.
- First, the Directive left too much discretion to Member States to determine what constitutes a provider of essential services. For instance, some Member States designated certain hospitals as essential entities, while others did not. A major railway operator in one Member State was designated as essential, but a similarly-sized operator in a different Member State was not. This results in an uneven playing field, given that some entities face the operational cost of compliance with this framework, while similar entities in other countries do not. Conversely, it also means that some entities will be more prepared in their cyber resilience, while others are not.
- Second, effective information sharing never really took off under NIS1. The directive did not impose clear requirements to share threat or vulnerability information, and did not manage to convince entities to do so in practice.
- Third, supervision and enforcement were highly divergent between Member States, with some being downright ineffective.
Weighing a number of different policy options, the European Commission decided on a complete repeal and replacement. The NIS2 Directive was proposed late 2020 and adopted in December 2022. It will have to be transposed by the Member States by 17 October 2024 and becomes applicable the day after.
WHAT WILL NIS2 CHANGE?
FROM NETWORK AND INFORMATION SECURITY TO CYBERSECURITY
NIS2 is not a completely novel framework. it largely maintains the approach set by the NIS1 Directive, but with a tightened scope and a few new obligations. Also in terms of overall scope, the focus has shifted from ‘network and information security’ to ‘cybersecurity’. This is important, as cybersecurity – as defined under the EU Cybersecurity Act – also covers “the users of such systems, and other persons affected by cyber threats”.
FOCUS ON ESSENTIAL AND IMPORTANT ENTITIES
In terms of covered entities, NIS2 excludes small and micro-enterprises in most cases. The focus has been shifted to essential and important entities, as described in Annexes 1 and 2 to the Directive. This list has been substantially expanded from NIS1.
New entries marked as essential include, amongst others,
- electricity producers,
- hydrogen operators,
- basic pharmaceutical product manufacturers,
- R&D entities,
- digital infrastructure (including IXPs, DNS and TLD service providers, data centers, trust services providers, etc.),
- public administrations and
- space ground operators.
In terms of other critical sectors, NIS2 marks
- postal and courier services,
- waste management,
- chemicals manufacturing and distribution,
- food businesses in wholesale distribution and industrial production,
- medical devices production,
- certain machinery and transport production,
- research organizations, and
- digital providers such as online marketplaces, search engines and social networks.
MINIMUM REQUIREMENTS FOR NATIONAL STRATEGIES
Member States must still adopt a national strategy. NIS2 more clearly sets out the minimum requirements for such strategy, thus leaving less discretion than NIS1.
New is that Member States must also designate authorities responsible for the national management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Also their tasks are clearly set out. Furthermore, NIS2 more clearly elaborates the duty for Member State authorities to coordinate and cooperate with each other.
At the EU level, NIS2 maintains the Cooperation Group, with support of the European Commission and ENISA – having now been designated as the EU agency for cybersecurity. Also the national cyber crisis management authorities receive an EU-platform: EU CyCLONe. New is that Member States may submit their national policies for peer review.
GREATER RESPONSIBILITY FOR MANAGEMENT
In terms of risk management, NIS2 puts greater responsibility on the management bodies of entities. They must undergo training and can be held liable for infringements against this framework.
This ensures that upper management becomes a direct stakeholder in the cybersecurity compliance of their organization, and that they are more enticed to make available adequate budgets therefor.
RISK-BASED APPROACH WITH MINIMUM ELEMENTS
NIS2 maintains the risk-based approach set out by NIS1, but more clearly elaborates the minimum elements of such approach. As before, significant incidents must be notified to CSIRTs. NIS2 sets out clearer deadlines for when such notification should occur, and may also require the recipients of the services involved to be notified if they could be adversely affected.
STRONGER ENFORCEMENT
Regarding supervision and enforcement, NIS2 more clearly formulates the competences of authorities in this field, as well as the actions they can take. Regarding fines, NIS2 imposes certain thresholds, ensuring that fines are more harmonized across the EU.
THERE IS MORE TO CYBERSECURITY THAN NIS2
OTHER RELEVANT CYBERSECURITY INSTRUMENTS
Since NIS1, several other texts have been adopted in the field of cybersecurity.
One text is the EU Cybersecurity Act, which designates ENISA as the EU agency for cybersecurity and establishes an EU-wide certification scheme for ICT-products, services and processes.
Closely linked to NIS2 is the new Directive on the resilience of critical entities (CER Directive), which focuses more on the physical security of essential entities – whereas NIS2 focuses on their cybersecurity.
CYBERSECURITY FRAMEWORKS FOR SPECIFIC SECTORS
Also specific sectors can adopt their own cybersecurity framework, tailored to the needs and challenges of that sector. In this sense, NIS2 serves as the lex generalis in the field of cybersecurity, where sector-specific texts can serve as lex specialis.
One example of such sector-specific text is the Regulation on digital operation resilience for the financial sector (DORA). This text imposes specific requirements on 21 types of regulated financial entities, as well as on the third-party ICT service providers on which they rely.
CONCLUSION: MORE ORGANISATIONS WILL NEED TO PROFESSIONALISE THEIR CYBERSECURITY
- NIS2 is a welcome renewal of the EU’s cybersecurity framework. It sets out to address the main shortcomings of its predecessor, while also being more geared towards new and evolving cyber threats.
- The Directive maintains the general approach of NIS1 – with tightened requirements and an increased scope – and should therefore not be too surprising for most entities.
- Nevertheless, the scope expansion will mean that a whole range of new entities will have to get their cybersecurity compliance in order.
Do you have any questions regarding the cybersecurity compliance of your organization? Please contact Timelex.
FAQs
What is the NIS2 directive on cybersecurity? ›
The Network and Information Security (NIS) Directive is the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States.
What does the NIS2 directive apply to? ›The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023.
What are the changes in the NIS2 directive? ›NIS2 Directive significantly expands the scope of sectors and introduces a size threshold to define which entities fall in its scope and would be required to report significant cybersecurity incidents to the national competent authorities.
Is the NIS 2 directive in force? ›The new version of the Network and Information Systems Directive (NIS2 Directive, "NIS2") came into force on January 16, 2023. The new rules are likely to apply as of October 2024 (see the next steps section below).
Who does NIS2 apply to? ›Who does NIS2 impact? Because NIS2 is an EU directive, it applies to all companies based within an EU member state. The new directive applies to companies designated as “Essential Entities” and “Important Entities”.
What is the difference between NIS and NIS2? ›Unlike the previous iteration of the NIS directive, the EU's NIS2 seeks to harmonise requirements across member states by setting out minimum rules for regulatory frameworks and establishing clearer and stronger minimum cybersecurity measures that must be implemented.
What is the NIS 2 Directive proposal? ›The NIS 2 Directive aims to achieve a common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. The new legislation will impose stricter requirements with regard to risk management, reporting, and information exchange in the area of cybersecurity.
What are the key points of the NIS Directive? ›The Directive requires that any strategy should include things like governance frameworks, response and recovery measures, public and private sector security cooperation planning, security awareness education programs, risk assessment plans, and lists of people and organizations involved in the strategy.
What sectors are covered by NIS2? ›...
The following sectors will be included:
- Energy (electricity, oil, gas, district heating, and hydrogen)
- Transport (air, rail, water, and road)
- Banking, Financial market infrastructures, healthcare (including labs and research on pharmaceuticals and medical devices),
NIS2 will replace the EU's existing (and first) cybersecurity law, the NIS Directive. NIS2 will require organizations across different sectors to ensure that networks and systems they use to deliver services and conduct their activities attain a higher level of cybersecurity.
Who is affected by NIS2? ›
Who is affected by NIS 2 directive? NIS2 directive is aimed at all public and private entities operating in the EU that are critical to the economy and society.
Why is NIS2 important? ›The goal of NIS2 is to create a standard level of protection across the EU by implementing cybersecurity requirements and measures in all EU member states. It lists affected sectors, identifies security requirements, unifies reporting obligations, and introduces enforcement measures and sanctions.
Does NIS2 replace NIS? ›The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 will improve cybersecurity risk management and will introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.
Is NIS2 mandatory? ›NIS2 advices that all employees receive such training, but this is not mandatory. Furthermore, it requires risk management and assessment activities to be performed to ensure that management is aware and has considered the cybersecurity risks within their organization.
What are the dates for NIS2? ›The Official NIS2 release Date
The deadline for Member States to transpose the NIS2 Directive into applicable, national law is 17 October 2024.
Are NIS and the UK GDPR the same? No. The two laws are intended to address different things. NIS concerns the security of network and information systems and the digital data within them whilst the UK GDPR concerns the processing of personal data.
What is the NIS in the United States? ›The National Intelligence Strategy of the United States of America (NIS) is a product of the Office of the Director of National Intelligence (DNI). Drafted and implemented in 2005 while John Negroponte served as the DNI, it describes the drastic overhaul the United States (US) intelligence community will carry out.
What does NIS stand for in cyber security? ›What does NIS mean? 'NIS' is shorthand for 'network and information systems'. It refers to: electronic communications networks; devices or groups of interconnected devices that automatically process digital data; or.
What two types of Organisation must comply with the NIS? ›NIS applies to two groups of organisations: operators of essential services (OES) and relevant digital service providers (RDSPs).
When was the NIS 2 Directive? ›Since 16 January 2023, what is termed the NIS 2 Directive has been in effect.
What are the three foundational information security principles? ›
The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.
What is the NIS 2 directive for the energy sector? ›The NIS 2 Directive replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 will improve cybersecurity risk management and will introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.
What are the three main federal cybersecurity regulations? ›The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA).
What is ISO 27032 2012 information Technology -- security Techniques -- Guidelines for cybersecurity? ›ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and.