Have you heard of the NIS Directive? The full name is quite a mouthful, "DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union". The informal name has been shortened to the Network and Information Security (NIS) Directive. The aim of the directive was to develop a common level of cybersecurity across the Member States that could be applied to entities of critical national importance.
The original version of NIS was promulgated in 2016 and has since been repealed and replaced by the new NIS2 Directive. Unfortunately, NIS proved difficult to implement and manage, and a number of key points needed to be updated and clarified. This is why NIS2 is now heading our way.
The proposed NIS2 Directive seeks to build upon the framework established by the original directive, adapting it to the evolving cybersecurity landscape. Some of the key objectives of the legislation include:
1. Strengthening the security and resilience of critical sectors: The directive aims to further enhance the cybersecurity measures and incident response capabilities of operators of essential services to mitigate cyber threats and ensure the continuity of critical services.
2. Expanding the scope of regulated entities: The NIS2 Directive intends to broaden the range of entities covered, potentially including new sectors, such as certain segments of the financial industry and digital platforms.
3. Improving cross-border cooperation: The directive seeks to strengthen collaboration and information sharing between EU member states, enabling more effective responses to cross-border cyber incidents and promoting a harmonized approach to cybersecurity across the EU.
4. Strengthening enforcement and compliance: The NIS2 Directive proposes stricter enforcement mechanisms and penalties for non-compliance with the requirements. It also emphasizes the need for regular security assessments and the implementation of appropriate risk management practices.
Does This Impact You?
It's possible that NIS wasn't on your radar, so you may think that it doesn't pertain to you. However, directives like NIS2 have an impact on all of us. This is because of the broad language of NIS, which aims to enhance the overall cybersecurity posture and resilience of critical infrastructure and digital service providers across the European Union. It establishes security and incident reporting obligations for operators of essential services, extending this to include:
- Digital service providers
- Energy
- Health
- Transport
- Banking
- Digital Infrastructure
- Financial market infrastructure
- Drinking Water Supply and Distribution
Every person reading this article relies on these critical services in our personal and professional lives. Even in the unlikely event that you don't directly fall into one of these categories, you should understand what NIS2 is, and what's coming next.
What do you need to know?
There is a lot to NIS2 that needs to be taken into consideration, but some key takeaways can be found in Article 20, Governance, and Article 21, Cybersecurity risk-management measures. Article 20 states that management bodies of essential and important entities must approve their cybersecurity risk-management measures or "can be held liable for infringements."
In addition, Member States shall ensure that the "members of the management bodies of essential and important entities are required to follow the training" and "shall encourage essential and important entities to offer similar training to their employees on a regular basis." This shouldn't come as news to anyone working in the cybersecurity profession, but it is stated here as a cautionary warning to relevant entities that they need to improve the skills and knowledge of everyone in their organisations.
What are the important dates to be aware of?
By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS2 Directive, and they must apply those measures from 18 October 2024.
Note the two requirements here:
- Adopt.
- Publish.
This means that they are required not only to say they have adopted (applied) these measures, but they must also be transparent and publish what they have done. This distinction is important.
By 17 July 2024, and every 18 months thereafter, the European cyber crisis liaison organisation network (EU-CyCLONe) shall submit to the European Parliament and to the Council a report assessing its work.
Who does it apply to?
NIS2 is about critical national infrastructure, so if you fall into the obvious industries, such as power, water, and food supply, then it should be pretty obvious that NIS2 will impact you. But if you provide services or products to these industries, then you need to be aware of it too.
You should, at the very least, review the details in Annex I and Annex II of the NIS2 Directive to understand if you are directly impacted by it.
Conclusion
NIS2 is coming. Organisations have over 12 months to adopt the requirements and then will be required to publish the details of their controls. Given the kinds of organisations we're talking about, if work hasn't started already, this is a huge undertaking. Get started today.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.