NIS 2 Directive : implications for system and infrastructure security
KeywordsNIS 2 Directive
Responding to the evolving and expanding threat landscape, the evolution of digitalization, as well as the increase in cyber-attacks, the Commission proposed to expand the scope of the Network and Information Security (NIS) Directive, aiming to increase the level of cybersecurity in Europe in the longer term. Regulatory changes are geared by the effectiveness of the existing legislation, the development of technologies, our ever increasing dependence on information technology, with more sectors and services being increasingly interconnected, and the new ways attackers exploit vulnerabilities and launch their cyber-attacks. After a two-year legislative process, political agreement on NIS 2 took place in May 2022 followed by its publication in the Official Journal of the European Union (OJ L 333/80) entering into force on the 16th of January 2023. Following the recent reform of the NIS Directive this study identified the contributions to the EU cybersecurity regulatory landscape as well as the implications for system and infrastructure security, including an action plan for entities, to help them comply with NIS 2, and for Computer Security Incident Response Teams (CSIRTs) in the performance of their tasks. The key findings of the study, include: a) Expanded scope, as the “directive applies to public or private entities which are medium-sized enterprises and which provide their services or carry out their activities within the Union”. The expansion of the scope covered by the new rules, will help increase the level of cybersecurity in Europe in the medium and longer term . b) Increased risk management requiring from “essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems”; c) Accountability of top management for non-compliance with the NIS 2 requirements, resulting in serious consequences; d) Alignment with sector-specific legislation, in particular, the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER); e) Streamlined reporting obligations, requiring from public or private entities that are victims of cyberattacks to declare within 24 hours an early warning to the CSIRT or, where relevant, their competent authority, followed by a submission of an incident notification “without undue delay and in any event within 72 hours after having become aware of the incident, with the aim, of updating information submitted in the early warning notification”. This will make it possible to assess the importance and seriousness of the cyberattack, while avoid over-reporting and creating an excessive burden on the entities covered; f) Imposition of fines, as in the event of non-compliance with the rules established by the NIS 2 Directive, entities can be subject to fines up to €10 million or 2% of their total turnover worldwide, whichever is higher (the same as a GDPR fine for a less serious violation); g) Formal establishment of the European Cyber Crises Liaison Organisation Network (EU - CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises; h) Voluntary peer-review mechanism aiming to strengthen mutual trust and learning from shared experiences in the Union, achieving a high common level of cybersecurity; i) Security of supply chains and supplier relationships, by ensuring that risk is managed within these processes; j) Upgraded tasks and powers of CSIRTs, as they undertake new roles while expanding existing ones under the NIS Directive. CSIRTs tasks and powers are expanded from monitoring and analysing incidents to providing, upon request, assistance to entities, collecting and analysing forensic data and providing dynamic risk and incident analyses. In addition, proactive scanning of public networks and Coordinated Vulnerability Disclosure (CVD) tasks have been added to the tasks of CSIRTs. The NIS 2 Directive aims to set the baseline for cybersecurity risk management measures, harmonizes the cybersecurity requirements and implementation of cybersecurity measures in all EU Member States, addresses security of supply chains and supplier relationships, includes incident reporting obligations for essential and important entities in all EU Member States and introduces accountability of top management for non-compliance with the NIS 2 requirements. It is an ambitious piece of legislation that requires a lot from companies and Member States in achieving a high common level of cybersecurity across the EU. Like its predecessor it is a challenging and costly task, but considering the “annual cost of cybercrime to the global economy is estimated to have reached €5.5 trillion by the end of 2020” , it is a small price to pay. The NIS 2 Directive will care the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole and will ensure stronger risk and incident management and cooperation. The enforcement of NIS 2 is not scheduled for tomorrow. Nevertheless, entities falling under the scope of the NIS 2 Directive should start working on compliance now, as some of the work might take more time than planned. The majority of the work to be done should be organized along the following three pillars: a) Governance, b) Incident Detection and Response, and c) Security Testing. Entities should investigate whether the fall under the scope of the NIS 2 Directive. If they fall under scope of the Directive, they should explore the organisational, financial and technical phases/steps that will be obliged to implement for complying with the Directive. Their actions should revolve around the cybersecurity measures (requirements) outlined in Article 21. Member States, including their CSIRTs and national cybersecurity offices, will have to adapt to the increased tasks and number of entities. This will require additional capacity, in terms of human and financial resources to fulfil the increased tasks, as well as attracting expertise that may not be possible due to the lack of resources or a lack of candidates with the right skills and qualifications. Use of automated tools for scanning or information sharing must comply with the human rights principles, established in the EU Charter of Fundamental Rights, and in national constitutions of Member States, including the right to privacy and data protection.