The NIS2 Directive has been published. What’s next?
On 27 December 2022 the NIS2 Directive (hereinafter: Directive) was published in the Official Journal of the European Union. It enters into force on 16 January 2023, and Member States have to transpose its provisions into their national legislation by 17 October 2024.
In this article I summarize what is new in the NIS2 Directive and also share some interesting facts about it.
Organizations subject to NIS2
The NIS2 Directive applies to "essential entities" and "important entities" operating in the European Union. These two categories are not self-explanatory at first sight.
Essential entities are organizations whose loss or disruption of services could, directly or indirectly, temporarily or in the long term, have a serious impact on the economy, energy supply, health, communications and public administration of our society. Annex I of the NIS2 Directive ("sectors of high criticality") lists the sectors from which essential entities are drawn; as a rule, large enterprises in these sectors are essential entities, while medium-sized ones in the same sectors are treated as important entities (Article 3). The Annex I sectors are:
- Energy (Electricity, District heating and cooling, Oil, Gas, Hydrogen),
- Transport (Air, Rail, Water, Road),
- Banking,
- Financial market infrastructures,
- Health,
- Drinking water,
- Waste water,
- Digital Infrastructure (e.g., Internet Exchange Point providers, DNS service providers, Cloud computing service providers, Trust service providers etc.),
- ICT service management (business-to-business),
- Public Administration,
- Space.
The category of important entities includes public and private organizations in sectors which are key to our social and economic activities. As a rule, micro and small enterprises fall outside the scope of the Directive, although some are covered regardless of size (e.g., providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers). Annex II of the NIS2 Directive ("other critical sectors") lists the sectors of important entities, which are:
- Postal and courier services,
- Waste management,
- Manufacture, production and distribution of chemicals,
- Production, processing and distribution of food,
- Manufacturing (e.g., medical devices, electrical equipment, computers, motor vehicles, trailers and semi-trailers),
- Digital providers (e.g., online marketplaces, online search engines, social networking platforms),
- Research organizations.
Many organizations are now subject to the Directive for the first time, which will sooner or later come as a surprise to them.
Responsibility of the management
Based on the text of the Directive (Article 20), Member States are required to ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities to comply with Article 21, oversee their implementation and can be held liable for infringements of that Article by those entities.
This is in line with the general "textbook" view that ultimate responsibility for information security lies with the management of the organization, and it mirrors the German information security legislation (IT-Sicherheitsgesetz 2.0, "IT-SiG 2.0"), which also assigns responsibility to management.
The Directive does not stop at defining the responsibilities of management: it also requires Member States to ensure that members of the management bodies of essential and important entities attend relevant training, and encourages those entities to offer similar training to their employees on a regular basis. Mandatory training for management can increase understanding of the importance of cybersecurity and thus increase commitment.
Additional security measures
The draft text of the Directive provided fewer protection measures than the adopted version. The protection of network and information systems commensurate with the risks is to be ensured by at least the following measures, as set out in Article 21(2) of the published Directive:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
The listed measures are not concrete enough to start an implementation from them alone. Existing frameworks (e.g., ISO/IEC 27001, which was updated in 2022, or the NIST Cybersecurity Framework (CSF), which is under revision) and industry standards can be used to fill them in. The Directive itself encourages the use of European and international standards and technical specifications relevant to the security of network and information systems (Article 25, "Standardisation").
The Directive also allows the Commission to adopt implementing acts laying down the technical and methodological requirements of the security measures (Article 21(5)), which may further assist compliance.
The Directive also sets strict incident reporting deadlines, which are hard to meet for an organization without mature incident management processes and detection tooling such as a SIEM. Incidents often go undetected or are detected only after a long time: IBM's 2022 Cost of a Data Breach Report puts the average time to identify and contain a breach at 277 days.
Significant incidents must be reported without undue delay to the competent national CSIRT ("Computer Security Incident Response Team") or competent authority, which in Hungary is expected to be the National Cyber Defence Institute. The Directive's definition of significance is quite broad: an incident is considered significant if:
- it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
- it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
In addition to the CSIRT, the recipients of the services must also be notified, where appropriate, of significant incidents that are likely to adversely affect them. If personal data is affected by the incident, it must also be reported to the data protection authority of the Member State concerned under the GDPR, whose own 72-hour deadline runs in parallel.
The Directive distinguishes several stages of incident reporting (Article 23(4)):
- Early warning: in all cases, it must be submitted within 24 hours of becoming aware of the significant incident, indicating whether the incident is suspected to have been caused by an unlawful or malicious act and whether it could have a cross-border impact;
- Incident notification: it must be submitted within 72 hours of becoming aware of the significant incident, updating the information given in the early warning and including an initial assessment of the incident, including its severity and impact, and, where available, the indicators of compromise;
- Intermediate report: the CSIRT or the competent authority may request relevant status updates on a case-by-case basis;
- Final report: a summary report, to be submitted no later than one month after the incident notification. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. It must contain the following:
  - a detailed description of the incident, including its severity and impact,
  - the type of threat or root cause that is likely to have triggered the incident,
  - applied and ongoing mitigation measures,
  - where applicable, the cross-border impact of the incident.
Advice on achieving compliance
All organizations are advised first to check whether they are subject to the Directive. If the answer is yes, it is strongly recommended to start preparing for compliance as soon as possible and not to wait for the 2024 deadline for transposition into national law. If an organization has low-maturity cybersecurity capabilities, it will take time to reach the expected level of compliance, and there is no shortage of requirements.