New EU-wide Security Legislation NIS-2 Directive was Approved
What is the NIS-2 Directive?
On 10 November 2022, the European Parliament approved measures to establish a high common level of cybersecurity across the EU. The new Directive on Network and Information Security, known as the NIS-2 Directive, aims to further improve the resilience and incident response capacities of both public and private sectors and of the EU as a whole. The Directive gives priority to dealing with current and emerging cyber threats in order to protect vital sectors of the EU economy and society.
Why NIS-2 Directive?
The first NIS Directive was approved in 2016. It introduced common practices across the EU member states, provided thresholds, templates and tools, and laid the groundwork for shared approaches and procedures. However, implementation proved difficult and very fragmented because of its limited sectoral scope and a lack of clarity. The COVID-19 pandemic accelerated the move towards digitalization, while the geopolitical conflict implies heightened exposure to new threats. Today, cybercrime is the fastest-growing form of crime worldwide. In this context, the EU decided that now is the time to update the NIS Directive.
NIS-2 Directive in Practice
The new Directive brings three main changes.
First, the NIS-2 Directive expands the sectoral scope. The first Directive covered operators of essential services (e.g. banks, healthcare providers, and water and energy companies) and digital service providers (e.g. cloud service providers and online marketplaces). Newly added sectors include telecom, social media platforms and public administration. Additionally, companies will be classified as either ‘essential’ or ‘important’ based on the criticality of their services.
Second, all companies in scope must adhere to strengthened security requirements, including risk analysis, information system security policies, incident response, business continuity and crisis management, supply chain security, assessment of the effectiveness of risk management measures, encryption, vulnerability disclosure and, finally, assessment of the security controls. Incident reporting will need to happen in 2 stages: an initial report within 24 hours of becoming aware of the incident and a final report after 1 month. A minimum list of administrative sanctions can be applied when entities breach these rules.
Third, the EU wants to improve cooperation among all the member states by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among member states (the EU Cyber Crisis Liaison Organisation Network, or EU-CyCLONe). This cyber crisis management hub will coordinate the handling of major pan-EU cyber incidents across the member states. The goal is to increase trust and implement rules on information sharing between competent authorities. Furthermore, the Directive provides procedures for the event of a large-scale incident or crisis.
How can Ordina help organizations?
The new Directive brings an increased scope combined with additional cybersecurity and reporting requirements. This implies that many companies in scope are not yet NIS-2 compliant today and need to further improve their security. There are also time constraints, as each EU member state must transpose the framework into national law by September 2024, 21 months after the Directive was approved by the EU Parliament.
Ordina helps clients prepare for the NIS-2 Directive by providing our expertise in the field of cybersecurity. First, we can perform an assessment to identify the gaps against the requirements; our HPT teams will then work further to provide assistance where necessary.