Whitepaper

Guide to Understanding the NIS2 Directive for Cybersecurity

Noggin

Security Management Software

Published November 24, 2025

Guide to Understanding the NIS2 Directive (Network and Information Security)

The European Union, like every other major economic bloc, has experienced a precipitous rise in cyberattacks, particularly on its critical infrastructure assets. Indeed, the Commission of the European Union was one of the first regulators to promulgate legislation specifically designed to improve the security and resilience of its critical services.

The NIS1 (Network and Information Security) Directive

Passed into law in 2016, the NIS1 (Network and Information Security) Directive sought to enhance cybersecurity cooperation among EU Member States and harmonise approaches across the Bloc.

Intended to bolster the ability of critical infrastructure entities to withstand attack, NIS1 attempted to mitigate the threats to network and information systems used to provide essential services in key sectors, thereby ensuring the continuity of such services and contributing to the security and effective functioning of the EU’s economy and society.

The cyber risk environment, as we all know, has only deteriorated since 2016. The Covid period, by most accounts, represented a watershed moment for the acceleration of the cyber threat.

Meanwhile, implementation of the Directive, left up to the individual Member States, lagged far behind the risks it was intended to mitigate – NIS1 itself was written to leave wide latitude to Member States to regulate their own critical infrastructure sectors.

Incident reporting obligations, for instance, were implemented in significantly different ways across the Bloc. Divergences in supervision and enforcement also abounded. As a result, fragmentation of the internal market persisted, while cyber vulnerabilities increased.

In the final count, NIS1, despite some successes, was not able to effectively address the Bloc’s current and emerging cybersecurity challenges.

NIS2 versus NIS1

Major reforms were, therefore, in order. And they soon came in the form of NIS2, the successor to NIS1. NIS2 was passed into law in November 2022, coming into full force in 2023.

What are some of the major changes from NIS1?

Broadens the list of applicable entities

Under NIS1, Member States themselves were responsible for identifying critical infrastructure entities qualifying as operators of essential services.

That’s not the case with NIS2. The current Directive establishes a uniform criterion for determining qualifying entities via the application of a size-cap rule. Now, all medium-sized or larger enterprises operating within the following sectors (many of which are additions relative to NIS1) are subject to the new Directive:

  • Energy (electricity, district heating and cooling, oil, gas, and hydrogen)
  • Transport (air, rail, water, and road)
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Besides essential entities, important entities now fall under the scope of the Directive, as well. These organisations must also comply with the stringent new cybersecurity risk-management measures and reporting obligations that we’ll detail later.

Important entities, however, will have a different supervisory authority (than essential entities) to enforce their obligations, as well as a different penalty regime for non-compliance.

Cybersecurity risk-management measures

That being said, the heart of NIS2 compliance for both essential and important entities is the requirement to adopt cybersecurity risk-management measures. These measures apply to all operations and services of the entity concerned, not only to specific information technology (IT) assets or critical services that the entity provides.

What are the prescribed measures?

In subsequent guidance, the EU clarifies that these entities must “take appropriate and proportionate technical, operational[,] and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services.” Network and information systems, here, refer to the following:

  • Electronic communication networks
  • Any device or group of interconnected or related devices, one or more of which carry out automatic processing of digital data
  • Digital data stored, processed, retrieved, or transmitted by electronic communication networks or devices for the purposes of their operation, use, protection, or maintenance

In addition, the measures, covering hardware, firmware, and software used in the activities of an entity, should be risk-based and able to prevent or minimise the impact of incidents.

In the Directive, the EU also points out that threats to the security of network and information systems can have different points of origin, and that any type of event with a negative impact on an entity’s network and information systems can potentially lead to an incident. On these grounds, the Directive requires compliant measures to be based on “an all-hazard approach.” To comply with the terms of the Directive, such an approach must address the physical and environmental security of network and information systems against system failure, human error, malicious acts, or natural phenomena.

Compliant measures should, therefore, protect both the entity’s network and information systems and the physical environment of those systems from any event, including sabotage, theft, fire, flood, telecommunication or power failures, and/or unauthorised physical access that is capable of compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the services offered by, or accessible via, network and information systems.

Per the Directive, entities should at least take the following measures:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, e.g., backup management and disaster recovery; and crisis management
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity

Reporting obligations

Another important aspect of NIS2 is its incident reporting obligations. The Directive compels essential and important entities to notify, without undue delay, their CSIRT (computer security incident response team) or, where applicable, their competent authority, of any significant incident.

What qualifies as an incident? Per the Directive, an incident represents a broad category, defined as any event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the services offered by, or accessible via, network and information systems.

A subset of such events, significant incidents are those that go one step further in impact. They are events that have caused or can cause severe operational disruption of the services or financial loss for the entity concerned, or that have affected or can affect other natural or legal persons by causing considerable material or non-material damage.

The multi-stage approach to reporting significant incidents

To respond to significant incidents, entities must follow a multiple-stage approach, entailing early warning, incident notification, and a final report. If that’s not enough, these three elements may have to be supplemented by intermediate reports and a progress report.

As the Guidance notes, here, this multi-stage approach “aims at striking the right balance between, on one hand, swift reporting that helps mitigate the potential spread of significant incidents and allows essential and important entities to seek assistance, and, on the other, in-depth reporting that draws valuable lessons from individual incidents and improves over time the cyber resilience of individual entities and entire sectors.”

So, what’s the multi-stage approach in its entirety? Entities must:

1. Within 24 hours

Submit an early warning, without undue delay and in any event within 24 hours of becoming aware of the significant incident, to the competent CSIRT or authority.

That early warning must include, where applicable, an indication of whether the significant incident is suspected of being caused by unlawful or malicious acts and whether it could have (i.e., is likely to have) a cross-border impact.

What’s more, an initial assessment should consider the affected network and information systems, in particular their importance in the provision of the entity’s services, the severity and technical characteristics of a cyber threat, and any underlying vulnerabilities that are being exploited, as well as the entity’s experience with similar incidents.

Indicators such as the extent to which the functioning of the service is affected, the duration of an incident, or the number of affected recipients of services may play an important role in identifying whether the operational disruption of the service is severe.

2. Within 72 hours

Submit an incident notification, without undue delay and in any event within 72 hours of becoming aware of the significant incident. Thereafter, an intermediate report may be requested by a competent CSIRT or authority. In case an intermediate report is requested, it must include relevant status updates.

3. Within one month

Submit a final report to the competent CSIRT or authority not later than one month after the submission of the incident notification, unless the incident is still ongoing at that time, in which case a progress report must be provided and the final report within one month of the handling of the incident.

That final report must include a detailed description of the incident, including its severity and impact, the type of threat or root cause that is likely to have triggered the incident, the applied and ongoing mitigation measures, and, where applicable, the cross-border impact of the incident.
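As an added illustration (not code from the article or from Noggin), the deadline rules of the three stages above can be encoded in a small Python tracker that, given what an entity has already submitted, reports the next outstanding submission and whether it is overdue. It assumes “one month” means 30 days, since the article gives no day count, and all timestamps are assumed to be in one timezone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Thresholds from the article: early warning within 24 h and incident
# notification within 72 h of becoming aware; final report one month after
# the notification. "One month" is taken as 30 days here (assumption: the
# article gives no day count).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
ONE_MONTH = timedelta(days=30)  # assumption


@dataclass
class SignificantIncident:
    """Timestamps of what has happened so far; None means not yet."""
    aware_at: datetime
    early_warning_at: Optional[datetime] = None
    notification_at: Optional[datetime] = None
    handling_completed_at: Optional[datetime] = None  # None: still ongoing
    progress_report_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None


def next_obligation(inc: SignificantIncident, now: datetime
                    ) -> Optional[Tuple[str, Optional[datetime], bool]]:
    """Return (submission, deadline, overdue) for the next outstanding
    submission, or None once the final report has been filed."""
    if inc.early_warning_at is None:
        deadline = inc.aware_at + EARLY_WARNING
        return ("early_warning", deadline, now > deadline)
    if inc.notification_at is None:
        deadline = inc.aware_at + INCIDENT_NOTIFICATION
        return ("incident_notification", deadline, now > deadline)
    one_month_on = inc.notification_at + ONE_MONTH
    done = inc.handling_completed_at
    if done is not None and done <= one_month_on:
        final_deadline = one_month_on  # handled in time: final report then
    elif inc.progress_report_at is None:
        # Still ongoing at the one-month mark (or expected to be): a progress
        # report replaces the final report at that date.
        return ("progress_report", one_month_on, now > one_month_on)
    elif done is None:
        return ("final_report", None, False)  # clock starts when handling ends
    else:
        final_deadline = done + ONE_MONTH  # one month after handling ended
    if inc.final_report_at is None:
        return ("final_report", final_deadline, now > final_deadline)
    return None
```

Intermediate reports are omitted because the article says they are requested ad hoc by the CSIRT or authority rather than tied to a fixed deadline.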

Where do we go from here?

Beyond requirements for entities themselves, NIS2 includes mandates for Member States. Each Member State must adopt a national cybersecurity strategy, inclusive of policies touching on supply-chain security, vulnerability management, and cybersecurity education and awareness. The Member States must also produce and regularly update a list of operators of essential services, ensuring that entities within their borders comply with requirements.

The date by which Member States were required to adopt and publish the national measures necessary to ensure compliance with the Directive was set for 17 October 2024, with enforcement set to begin the day after. As of this writing, though, only four EU Member States (Belgium, Croatia, Italy, and Lithuania) had fully transposed the Directive into national law.

As a result, the Commission opened infringement procedures, sending letters of formal notice to the remaining 23 Member States. The Commission, as a matter of law, has further leverage. It may issue a reasoned opinion, i.e., a formal request to comply with EU law. Continued non-compliance on the part of a Member State could then lead to its referral to the Court of Justice of the European Union, introducing the specter of financial sanction.

The clock is, therefore, ticking for critical infrastructure entities, many of which were already identified under NIS1. What’s more, although the majority of Member States have yet to complete transposition of the Directive into national law, many have already begun, including the EU’s largest economy, Germany.

So, whether NIS2 is national law or not, it’s EU law. Accordingly, critical infrastructure entities should be prepared.

How can they prepare? Noggin can help if you’re looking for an integrated resilience workspace that helps your teams work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.

Don’t take our word for it, though. Request a demonstration to see Noggin in action for yourself.
