
The NIS-2 Directive: raising the security bar in Europe

| Joost Krapels | Security

In the final days of December 2022, a new information security directive was published by the European Commission. The NIS-2 Directive, aimed at improving the resilience of Europe’s network and information systems, succeeds and supersedes its predecessor by both broadening the scope and taking into account the ever-changing information security landscape. In other words: more rules, relevant rules, but also more governmental support for more European organizations. In this article, we provide you with a broad overview of the brand new NIS-2 Directive.

The NIS-2 is quite a lengthy read, with 144 recitals and 46 articles. Since it is a Directive, and Directives need to be implemented in national laws, the NIS-2 only directly applies to EU member states. For the Netherlands, the national implementation of the NIS in 2018 was called the Wet Beveiliging Netwerk- en Informatiesystemen (WBNI). Organizations will have to comply with the national laws of the countries they are established in and operate in, so for Dutch organizations we recommend keeping an eye out for a WBNI-2 or similar.

Scope

Compared to the NIS, the NIS-2 leaves significantly less room for EU member states to determine which (types of) organizations are in scope. Sixteen sectors are considered to be critical, of which nine have the highest priority. These are:

  1. Energy
  2. Transport
  3. Banking
  4. Financial market infrastructures
  5. Health
  6. Drinking water
  7. Waste water
  8. Digital infrastructure
  9. ICT service management (B2B)

All nine sectors are divided into several sub-sectors. If an organization fits the description of one of the sub-sectors and has an annual turnover of more than 10 million euro or more than 50 employees, it is referred to as an Essential Entity (EE) in the NIS-2. Other organizations that are also placed in scope of the NIS-2 but are not deemed essential are called Important Entities (IEs). Some exceptions apply, of course.

Requirements

The two most important articles for EEs and IEs are NIS-2 articles 21 and 23. These articles cover a minimum level of security measures and the obligation to notify a supervisor in case of significant incidents, respectively.

Article 21: EEs and IEs must take information security measures to manage the risks posed to their systems. Examples of these measures are risk analysis policies, incident handling, business continuity planning, access control policies, supply chain security, and awareness. If you are ISO 27001- or NEN 7510-certified, most of these measures are likely already in place.

Article 23: After becoming aware of a significant incident, EEs and IEs must provide the CSIRT with an early warning within 24 hours. Within 72 hours, an official notification must be given. Within one month, a full final report must be submitted.

Other takeaways

The following stood out to us as well:

  • There is a strong emphasis on risk-based security management.
  • The national implementation (e.g. a WBNI-2) may be stricter than the NIS-2, but not less strict.
  • If you are an EE or IE, you can request the nationally appointed CSIRT to scan your external infrastructure for vulnerabilities, or even to monitor it for an extended period of time.
  • National supervisory authorities are equipped with several enforcement “tools”. Should an entity still refuse or fail to comply, more drastic measures can be taken until the entity takes the right steps:
    • Certifications and authorizations for providing the main services (e.g. a license to operate) can be revoked. This could, in theory, mean that hospitals are no longer allowed to provide care to patients.
    • The CEO or legal representative of the entity can be barred from exercising managerial functions in the company.

What’s next?

This article only scratches the surface of the NIS-2. We expect it to have a significant impact on many organizations in scope. The impact will not be as visible to consumers as that of the GDPR, but all organizations in scope need to reserve time to check their compliance. Luckily, EU member states have until October 18, 2024 to create national laws. This should be ample time to prepare.

In the meantime, we suggest you take a look at the Dutch Cybersecurity Strategy. Not only does this give a good idea of where the Netherlands will focus its information security efforts; national cybersecurity strategies are actually mandatory for EU member states and must be(come) an important source of information for EEs and IEs.


Image credit: @cbpsc1 via Unsplash

Author: Joost Krapels
Joost Krapels completed his BSc in Artificial Intelligence and MSc in Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on security and privacy, and further develops our internal tools and templates.