Businesses within scope will need to assess their categorization as essential or important entities, any exemptions that apply and their resulting NIS2 obligations. Failure to comply can result in administrative fines with a ceiling of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (EUR 7 million or 1.4% for important entities); the directive sets these as minimum maximum levels and Member States may set higher ceilings.
NIS2 gives competent authorities the power to conduct on-site inspections and off-site supervision, targeted security audits, random checks, and requests for information or evidence that cybersecurity policies have actually been implemented.
What is NIS2?
The European Union's NIS2 Directive (Directive (EU) 2022/2555) is intended to raise the cyber resilience of critical entities and strengthen cross-border cooperation in response to rising cyber threats. Among other things, it establishes cybersecurity risk-management requirements, reporting obligations and penalties to protect Europe's vital services.
NIS2 promotes cybersecurity best practices within the EU, such as multi-factor authentication (MFA). MFA requires users to prove their identity with a second factor in addition to a password, so a stolen or phished password alone is not enough to gain access; this cuts account takeover and the breaches and incidents that follow from it. By requiring in-scope companies to implement such measures where appropriate, NIS2 helps prevent loss of private data as well as disruption caused by cyberattacks.
NIS2 broadens the range of sectors and organizations subject to the Directive and introduces new criteria for determining whether an organization is critical. Whereas the original NIS Directive distinguished between operators of essential services and digital service providers, NIS2 replaces that distinction with an essential/important classification; the category an entity falls into determines how it is supervised (proactive supervision for essential entities, mainly after-the-fact supervision for important entities) and the level of penalties that apply.
The NIS2 Directive includes new rules to improve incident handling and the notification of significant incidents by essential and important entities. Under Article 23, an entity must send an early warning to its CSIRT or competent authority within 24 hours of becoming aware of a significant incident, stating whether the incident is suspected to be malicious and whether it could have cross-border impact. Within 72 hours it must follow up with an incident notification that updates the early warning and gives an initial assessment of severity and impact plus any indicators of compromise. A final report is due within one month of that notification, covering a detailed description of the incident, its likely root cause and the mitigation applied. Where appropriate, the entity must also inform recipients of its services that are likely to be affected, without undue delay.
NIS2 also tightens supervision and enforcement by assigning specific roles to competent authorities, CSIRTs and single points of contact in each Member State, by raising penalties for noncompliance, and by making management bodies responsible for approving and overseeing the entity's cybersecurity risk-management measures; members of those bodies can be held liable when the entity fails to meet those obligations.
Companies face more pressure than ever to comply with the NIS2 Directive and meet its requirements. Doing so improves risk management and protection against cyberattacks, helps avoid service disruption and data loss, and ultimately supports the business. Compliance should therefore be treated as a top-management priority rather than just another item on the risk register or to-do list.
NIS2 Scope
NIS2 expands the scope of the original NIS Directive in several ways: it covers more sectors, introduces a size threshold (medium-sized and large entities in the listed sectors are in scope by default) and requires entities to report significant cyber incidents to the authorities.
Also essential is a cybersecurity governance framework with clear lines of authority and communication, together with a risk assessment process that addresses both current and foreseeable threats. Entities must also have the technical and operational capacity to respond promptly when an incident occurs.
NIS2 requires entities to put in place and operate a cybersecurity risk-management regime covering, among other things, incident handling, business continuity (backup management, disaster recovery) and crisis management. The single point of contact (SPOC) and the computer security incident response teams (CSIRTs) are designated by each Member State, not created by individual entities; entities report to and cooperate with them. For entities providing services across several Member States, Article 26 sets the jurisdiction rules: certain digital providers (for example DNS, cloud, data centre and managed service providers) are supervised by the Member State of their main establishment, while other entities are supervised by each Member State in which they are established.
NIS2 gives authorities investigatory powers over essential and important entities, both proactively and after a security incident. Providers in those digital categories that are not established in the EU but offer services within it are not excluded: they must designate a representative in one of the Member States where they offer services and are supervised there.
NIS2 also gives Member States leeway to bring smaller entities into scope regardless of the size threshold, for instance where an entity is the sole provider of a service, where disruption could significantly affect public safety, security or health, or where it otherwise has a high risk profile. Entities must carry out regular risk analyses and maintain policies and procedures for assessing the effectiveness of their cybersecurity risk-management measures, and competent authorities can demand evidence of this.
NIS2 is a directive, not a regulation: it applies across all EU Member States but must be transposed into each state's national law (the transposition deadline was 17 October 2024). The covered sectors are listed in Annexes I and II of the directive; each Member State identifies the entities in its territory that fall under them, may add further entities, and designates the authorities and CSIRTs to which incidents must be reported.
NIS2 compliance can be an arduous challenge for midsized and large organizations, which must assess their current cybersecurity practices, evaluate risks, identify gaps and drive change. Organizations should therefore start preparing now with a holistic approach to security and risk management that considers all areas. Cisco can assist with expertise, insights, advisory services and products: its Zero Trust security architecture provides visibility into assets, access and network flows for detecting vulnerabilities, and its granular policy enforcement helps secure data and applications.
NIS2 Obligations
NIS2 is a cybersecurity directive that applies to organizations in sectors considered essential to the economy and society. It sets cybersecurity risk-management requirements that these organizations must fulfil, including managing the security of their supply chains and supplier relationships, as well as minimum sanction levels and reporting obligations that EU Member States must enact into national law.
NIS2 replaces the original NIS Directive (Directive (EU) 2016/1148, adopted in 2016) and entered into force on 16 January 2023, with transposition due by 17 October 2024. Among its significant changes, it removes the distinction between operators of essential services and digital service providers; entities are instead classified as essential or important based on their size and sector. The change is expected to raise the digital security maturity of businesses across the covered sectors.
NIS2 obliges regulated entities to conduct risk analyses and take measures that guarantee continuity of service in case of an incident, including incident-handling, business continuity and crisis-management capabilities. CSIRTs are designated at national level by the Member States; entities must be able to detect, handle and report incidents to them.
Notably, the directive holds the management bodies of essential and important entities accountable: they must approve the cybersecurity risk-management measures, oversee their implementation and undergo training, and their members can be held liable for infringements. It also sets minimum maximum fines of EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and EUR 7 million or 1.4% for important entities.
NIS2 also makes incident reporting more structured and more demanding than under its predecessor: an early warning must reach the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be malicious and whether it may have cross-border impact; a fuller incident notification with an initial assessment of severity, impact and indicators of compromise follows within 72 hours; and a final report is due within one month.
NIS2 introduces many other changes as well, so any company operating in a covered sector must carefully determine whether it falls within scope and, if so, what its compliance obligations are.
NIS2 Compliance
As EU Member States transpose the NIS2 Directive into national law, organizations must examine its effect on their security programme and prepare for implementation. The directive brings stricter penalties for noncompliance, widens its scope and introduces more proactive supervision of critical infrastructure. Significant incidents must also be reported directly to the national CSIRT or competent authority.
Organizations should begin by establishing whether they are in scope, conducting a business impact analysis and identifying their core processes and the systems that support them. Once in scope, they will need robust attack surface management (ASM), third-party risk management (TPRM) and network security controls that identify, assess and mitigate internal and external cybersecurity threats. Zero Trust technologies can supply the agility and scalability needed to deploy, protect and monitor critical networks and applications quickly.
Beyond ASM and TPRM, the directive requires entities to have an incident-handling capability able to send an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident and a fuller incident notification within 72 hours. The 72-hour notification goes to the authority, not the public, although recipients of affected services must be informed where appropriate. The 24-hour early warning is considerably faster than the 72-hour personal data breach notification deadline under GDPR.
The NIS2 Directive also places new governance requirements on in-scope entities. They must establish clear lines of communication and authority between themselves, the authorities and their suppliers; implement a cybersecurity risk-management framework of policies, standards and procedures with defined roles and responsibilities; train staff to recognise, report and respond to incidents; and train management so it can approve and oversee the measures and stay in control when an incident occurs.
NIS2 (Article 25) encourages entities to use European and international standards and technical specifications when implementing their security measures. For industrial control system (ICS) infrastructure, ISA/IEC 62443 is the relevant family, and organizations that already apply it will find much of the NIS2 groundwork done. The directive also lists multi-factor authentication (MFA) or continuous authentication, to be used where appropriate, among the required measures, which in practice means securing remote access to operational technology (OT) devices. Cisco Secure Equipment Access (SEA) supports MFA through Security Assertion Markup Language (SAML) integration or its native MFA, protecting credentials from compromise while keeping critical infrastructure reachable only by verified users.