What is the NIS 2 Directive?
The NIS 2 Cyber Directive is a move by the EU to set a new standard for cyber security across the member states. The EU Parliament calls it “A high common level of cybersecurity in the EU.” NIS 2 replaces the original Network and Information Security (NIS) Directive, which was the first EU-wide legislation on cybersecurity. For a variety of reasons, the original NIS implementation proved difficult, resulting in fragmentation at different levels across the internal market. NIS2 was released in December 2002 and goes into effect January 17, 2023.
The legal basis for both NIS1 and the proposed NIS2 is Article 114 of the Treaty on the Functioning of the European Union, whose objective is the establishment and functioning of the internal market by enhancing measures for the approximation of national rules.
What is changing between NIS1 and NIS2?
There are two fundamental updates that will have the most impact. First, NIS2 dramatically increases the scope of covered entities. NIS2 adds new sectors based on their criticality for the economy and society. It also introduces a clear size cap, meaning that all medium and large companies in the selected sectors will be included in the scope. In short, more entities will be required to comply.
The second major change is an increase in the required set of controls. Topics have been expanded from NIS 1, and concepts updated based on changes in the threat landscape.
Another major change will be the expansion to third parties and the supply chain. Member States, in cooperation with the Commission and ENISA, will carry out coordinated risk assessments of critical supply chains.
Who must comply with NIS 2?
The new scope (Annex 1-3) includes 10 major sectors of the EU economy including 1. energy, 2. transport, 3. Banking, 4. Financial Markets, 5. Health, 6. Drinking Water, 7. Wastewater, 8. Digital infrastructure, 9. Public administration and 10. Space. The directive also specifies various sub-sectors that must comply. Given the new scope, nearly every business in the EU will fall under some level of jurisdiction.
Another change in scope is to make it easier to exempt small businesses. The proposal has a general exclusion of micro and small entities from the NIS scope and a lighter ex-post supervisory regime applied to a large number of the new entities under the revised scope (so-called important entities). So while compliance will cover many more entities, very small organizations will likely be exempt.
What are the key requirements of NIS 2?
Comprehensive Cyber Security Controls
Member states must adopt a formal cyber security framework designed to reduce risk and recover in the event of breaches or incidents (Articles 5 to 11). The control objectives are published in the Compliance Assessment Framework, updated by the NCSC. In summary, the CAF requires the organization to implement a comprehensive set of technical and management controls covering all aspects of cyber security. The controls are organized into 4 “Objectives”, each with its own subcategory list of Controls. “Compliance” with each Control is rated in three categories: Green (‘achieved’), Amber (‘partially achieved’), and Red (‘not achieved’). For example, one of the key Principles required for compliance is a complete set of information security policies:
B1.a Policy and Process Development
You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.
Another example is device management (or asset management):
B2.b Device Management
You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.
In summary, compliance will require a comprehensive cyber security program that is documented, supported and maintained over time.
Requirements to Share Vulnerability Data
The Directive also establishes a framework for Coordinated Vulnerability Disclosure and requires Member States to designate CSIRTs to act as trusted intermediaries and facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products. The European Union Agency for Cyber Security (ENISA) will be tasked with providing the mechanisms for sharing. While this was formulated in NIS 1, it never became fully functional.
Crisis Management Functions
Member States are required to put in place National Cybersecurity Crisis Management Frameworks and to designate national competent authorities responsible for the management of large-scale cybersecurity incidents and crises. These functions are likely to expand over time as more companies try to comply.
Member States are also required to designate one or more “national competent authorities” on cybersecurity for the supervisory tasks under NIS2 and a national single point of contact on cybersecurity (SPOC) to exercise a liaison function to ensure cross-border cooperation of Member State authorities.
What is the deadline for NIS 2 compliance?
The new (NIS2) EU Directive 2022/2555 was published on December 14, 2002, and will take effect on 17 January 2023. Unlike an EU regulation, which applies directly to covered entities, NIS2 requires EU member states to transpose the provisions of the directive into their respective national laws. Once a member state has implemented NIS2, entities which fall within the scope of NIS2 will be required to comply. Thus, different compliance deadlines are likely to emerge.
Increased Enforcement with NIS 2
One of the main problems with NIS1 was supervision and enforcement. For example, Member States have been very reluctant to apply penalties to entities failing to put in place security requirements or to report incidents. This can have negative consequences for the cyber resilience of individual entities. As part of the preparation for NIS 2, there is more consideration for the budget and resources required to actually enforce the Directive across the member states.
How to comply with NIS 2 cyber controls
Using our ComplianceShield platform, organizations can streamline compliance with NIS 2 controls as required in the CAF framework. Key features of ComplianceShield include:
- Governance Structure – Quickly build and document a governance structure as required by CAF. Enables the organization to ensure that the appropriate structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.
- Built-in Cyber Control Framework – The NIS 2 CAF framework contains a complete list of controls required to address all of the requirements of CAF, including controls required to manage and reduce risk.
- Complete Security Policy Library – A complete library of security policy templates covering all key areas of NIS 2. Enables the organization to define, implement, communicate and enforce appropriate policies and processes that direct its overall approach to securing systems and data that support the operation of essential functions.
- Compliance and evidence tracking – Enables cyber governance by continually tracking and monitoring the effectiveness of the cyber security program.
- Education and Training – Automates the education and training of all staff members via a built-in training portal. Staff have appropriate awareness, knowledge and skills to carry out their organizational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.
- Supply Chain Security – Vendor risk management functions, including policies, procedures and vendor assessment automation. Enables the organization to understand and manage security risks to the operation of essential functions that arise as a result of dependencies on external suppliers, including ensuring that appropriate measures are employed where third party services are used.
- Cyber Incident Reporting – Cyber security incident reporting and tracking system, including policies and procedures. Helps the company minimize the adverse impact of a cybersecurity incident on the operation of essential functions, including the restoration of those functions where necessary.