
The NIS-2 Directive: raising the security bar in Europe

Joost Krapels | Security

In the final days of December 2022, a new information security directive was published by the European Commission. The NIS-2 Directive, aimed at improving the resilience of Europe’s network and information systems, succeeds and supersedes its predecessor by both broadening the scope and taking into account the ever-changing information security landscape. In other words: more rules, relevant rules, but also more governmental support for more European organizations. In this article, we provide you with a broad overview of the brand new NIS-2 Directive.

The NIS-2 is quite a lengthy read, with 144 recitals and 46 articles. Since it is a Directive, and Directives need to be implemented in national laws, the NIS-2 only directly applies to EU member states. For the Netherlands, the national implementation of the NIS in 2018 was called the Wet Beveiliging Netwerk- en Informatiesystemen (WBNI). Organizations will have to comply with the national law of the countries they are established in and operating in, so for Dutch organizations we recommend keeping an eye out for the national implementation of the NIS-2.

Update 07-2024: At the end of the article, we give a status update on the Dutch implementation of the NIS-2 as of July 2024.

Scope

Compared to the NIS, the NIS-2 leaves significantly less room for EU member states to determine which (types of) organizations are in scope. Sixteen sectors are considered to be critical, of which nine have the highest priority. These are:

  1. Energy
  2. Transport
  3. Banking
  4. Financial market infrastructures
  5. Health
  6. Drinking water
  7. Waste water
  8. Digital infrastructure
  9. ICT service management (B2B)

All nine sectors are divided into several sub-sectors. If an organization fits the description of one of the sub-sectors and has an annual turnover of more than 10 million euro or more than 50 employees, it is referred to as an Essential Entity (EE) in the NIS-2. Other organizations that are also placed in scope of the NIS-2 but are not deemed Essential are called Important Entities (IEs). Some exceptions apply, of course.

Requirements

The two most important articles for EEs and IEs are NIS-2 articles 21 and 23. These articles cover, respectively, the minimum level of security measures and the obligation to notify a supervisor in case of significant incidents.

Article 21: Information security measures must be taken by EEs and IEs to manage the risks posed to their systems. Examples of these measures are risk analysis policies, incident handling, business continuity planning, access control policies, supply chain security, and awareness. If you are ISO 27001- or NEN 7510-certified, most of these measures are likely already in place.

Article 23: After becoming aware of a significant incident, EEs and IEs must provide the CSIRT with an early warning within 24 hours. Within 72 hours, an official notification must be given. Within one month, a full final report must be submitted.

Other takeaways

The following stood out to us as well:

  • There is a strong emphasis on risk-based security management
  • The national implementation (e.g. a WBNI-2) may be stricter than the NIS-2, but not less strict.
  • If you are an EE or IE, you can request the nationally appointed CSIRT to scan your external infrastructure for vulnerabilities, or even to monitor it for an extended period of time.
  • National Supervisory Authorities are equipped with several enforcement “tools”. Should an entity still refuse or fail to comply, more drastic measures can be taken until the entity takes the right steps:
    • Certifications and authorizations for providing the main services (e.g. a license to operate) can be revoked. This could, in theory, mean that hospitals are no longer allowed to provide care to patients.
    • The CEO or legal representative of the entity can be barred from exercising managerial functions in the company.

Update July 2024

The Dutch Government held an online consultation for the “Cyberbeveiligingswet” (Cbw, Cybersecurity Act), which is to be the national implementation of the NIS-2 in the Netherlands. The responsible minister, Dilan Yesilgöz-Zegerius, officially stated that the implementation deadline of October 2024 will not be met. The new goal is Q2 or Q3 2025. Reading through the proposed law and its explanatory memorandum, the following caught our attention:

  1. Sector-specific CSIRTs, operating in collaboration with the national NCSC, are expected to be Z-CERT, CERT Waterschappen, and IBD (Informatiebeveiligingsdienst).
  2. The registration of Essential Entities and Important Entities will be headed and maintained by the NCSC. By 17-01-2025, this register must have been created, unless the Cbw has not yet been approved.
  3. Where the NIS-2 mentions that an organisation’s board of directors should have received adequate and relevant training on information security risks and risk management, the Cbw goes quite a bit further:
    1. Every board member needs to be adequately trained
    2. Board members need to be trained within two years of entering the board
    3. Documented evidence of regular training needs to be kept
    4. Board members need to be able to show a training certificate if requested by the supervisory authority
    5. If a legal entity is part of your organization’s board of directors, the knowledge requirements for the board count for all directors of the legal entity as well.

The consultation closed on July 1st 2024. Once the Cbw goes into effect, we will update this article again.

In the meantime, we suggest you take a look at the Dutch Cybersecurity Strategy. Not only does it give a good idea of where the Netherlands will focus its information security efforts; national cybersecurity strategies are also mandatory for EU member states and must be, or become, an important source of information for EEs and IEs.

Should you have any questions about the NIS-2, the CER, or their national implementations, please don’t hesitate to reach out to us using the contact information in the footer!

Image credit: @cbpsc1 via Unsplash

Author: Joost Krapels
Joost Krapels worked at ICT Institute from 2019 to October 2024. He is a security and privacy officer with extensive GDPR and ISO 27001 experience, and holds the Security+ and CISSP certifications.