NIS 2: all about the new rules and how to prepare

On November 10, 2022, the European Parliament approved the revised Network and Information Security Directive, better known as “NIS 2.” It refines and extends the original NIS Directive, the EU’s first horizontal cybersecurity legislation, adopted in 2016. The goal of NIS 2 is to bring a larger share of sectors and entities in Europe into scope and to introduce security requirements that were absent from the first directive, so that all member states apply a comparable baseline. Member states have 21 months from the directive’s entry into force, which follows its publication in the Official Journal, to transpose NIS 2 into national law, which places the transposition deadline in late 2024.

From NIS 1 to 2

NIS 2 repeals and replaces Directive (EU) 2016/1148 on security of network and information systems (NIS 1), which aimed to achieve a common high level of cybersecurity across the EU, with a focus on critical infrastructure protection. NIS 2 builds on the NIS 1 framework to impose cyber risk management, incident reporting, and information sharing obligations on defined categories of organizations across a range of sectors. The revision was introduced because the European Union recognized that NIS 1, as implemented, had reached its limits. In July 2020, the European Commission launched a consultation on a potential reform, noting that updates were needed as a result of the rapid pace of digitization, the increasing interconnectedness of sectors, and the growth in cyber risk. The shortcomings identified in NIS 1 included limited scope, lack of harmonization among member states (each of which identified “operators of essential services” by its own criteria), inconsistent levels of cyber resilience, and the absence of joint crisis response mechanisms.

NIS 1 required entities to take appropriate and proportionate technical and organizational measures to manage cybersecurity risks. NIS 2 strengthens this by requiring all in-scope entities to adopt a common minimum set of measures. These include (among others): risk analysis and information system security policies; incident handling; encryption and cryptography; vulnerability handling and disclosure; cyber hygiene practices and cybersecurity training; and ICT supply chain security.

NIS 2’s emphasis on addressing risks in ICT supply chains means that even enterprises theoretically outside the direct scope of the directive may be affected, because their in-scope customers must assess them. When evaluating their security measures, in-scope entities will need to take into account the specific vulnerabilities of each direct supplier and service provider, as well as the overall quality of the products and cybersecurity practices of those suppliers, including their secure development procedures. In practice this means incorporating security risk management requirements into contractual agreements and exercising greater care in selecting managed service and managed security service providers. NIS 2 requires entities to carry out a risk assessment to determine which measures are appropriate and proportionate to their particular circumstances, rather than prescribing a fixed checklist.

The scopes of application of the NIS 2 directive

NIS 2 applies to public and private entities that provide their services or carry out their activities in the EU, within the sectors it lists. Within that population, the directive distinguishes “essential” and “important” entities, which are subject to different supervisory regimes. Size matters: as a rule, small and micro enterprises are excluded, although the directive provides certain exceptions for entities whose role makes them critical regardless of size. Member states may also exempt specific entities engaged in activities in the areas of national security, public safety, defense or law enforcement.

Relevant sectors in which enterprises may qualify as essential or important entities include banking, financial market infrastructure, digital providers (i.e., online marketplaces, online search engines and social networking platforms), digital infrastructure (including providers of public electronic communications networks and services, cloud service providers and data centers), business-to-business ICT service management, energy, transportation, health, space, certain types of manufacturing (including machinery, computers and electronics, motor vehicles and other means of transportation), production and distribution of goods such as food, and utilities.

What it provides

NIS 2 requires the “management bodies” of covered entities to approve the cybersecurity risk management measures and to oversee their implementation, and member states must ensure that management bodies can be held liable for violations, by the entity, of the provisions on those measures. Members of management bodies will be required to undergo regular training in order to acquire sufficient knowledge and skills to identify risks and to assess risk management practices and their impact on the services provided. For essential entities, member states must also ensure that a natural person responsible for the entity has the power to ensure its compliance with NIS 2 and that such persons can be held liable for a breach of their duties.

Fulfillments, obligations and rules of NIS 2

Entities within scope must submit an initial report, or “early warning,” to the relevant national competent authority or Computer Security Incident Response Team (CSIRT) without undue delay and in any event within 24 hours of becoming aware of a significant incident (rather than simply “without undue delay,” as under NIS 1). This must be followed by a more complete incident notification within 72 hours, and by a final report no more than one month after that notification; the authority or CSIRT may also request intermediate status updates in between.

Entities will also be required to notify affected recipients of their services without undue delay, where appropriate. Usefully, the notified national authority or CSIRT must respond to an early warning without undue delay and, where possible, within 24 hours, with initial feedback on the incident and, on request, guidance on possible mitigation measures. A further change under NIS 2 is a simplified definition of a “significant” incident, which aims to address both over-reporting and inconsistent reporting. Under NIS 1, companies had to weigh an extensive list of factors to decide whether an incident was reportable. Under NIS 2, an incident is significant if it has caused, or is capable of causing, severe operational disruption of the entity’s services or financial loss for the entity, or if it has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.

Registration duties and interplay with other EU law

Certain categories of entity (including providers of cloud computing services, data centers, content delivery networks, managed services and managed security services, online marketplaces, online search engines, and social networking platforms) will be required to submit identifying information to the competent authorities so that an up-to-date registry of such entities can be maintained at EU level. NIS 2 also gives national competent authorities expanded and strengthened powers to supervise entities and to sanction those that fail to comply, including administrative fines of up to EUR 10 million or 2 percent of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4 percent for important entities, whichever is higher.

NIS 2 applies in parallel with, and without prejudice to, existing EU regulations such as the General Data Protection Regulation (GDPR). In particular, if competent authorities become aware of violations of the NIS 2 provisions on cyber risk management or incident reporting that may also constitute a personal data breach under the GDPR, they are required to inform the relevant data protection authorities. A number of EU sector-specific regulations were taken into account in the development of NIS 2. Where such sector-specific legislation imposes requirements on essential or important entities to take cybersecurity risk management measures or to notify significant incidents that are at least equivalent in effect to those of NIS 2, the corresponding NIS 2 provisions (and the related supervision and enforcement) will not apply.

The NIS 2 provisions will also apply to all entities identified as critical under the Critical Entities Resilience (CER) Directive, which focuses on resilience against physical risks in many of the same sectors that NIS 2 covers. For the financial sector, NIS 2 provides that any overlap with the Digital Operational Resilience Act (DORA) is resolved in favor of DORA, which is treated as lex specialis (i.e., the more specific law, which overrides the more general provisions of NIS 2).

How to prepare for NIS 2

Companies first need to determine whether they fall within the scope of NIS 2 and, if so, whether they are classified as essential or important entities. The potentially significant costs of complying with the new requirements then need to be planned for. According to the EU impact assessment for NIS 2, companies that were already within the scope of NIS 1 should expect an increase of up to 12 percent in their ICT security spending in the years immediately following implementation; for companies that were not subject to NIS 1, the estimate is up to 22 percent. Entities within scope will need to review their processes for managing cybersecurity risk (including the core set of policies listed above) and for incident reporting, and decide what changes must be made to existing policies and procedures.

NIS 2 should lead to greater consistency in the implementation of cybersecurity measures across the EU. Organizations should prepare for compliance holistically, that is, by also taking into account their obligations under other laws. For example, the cybersecurity policies and incident management procedures of entities under NIS 2 will need to satisfy all applicable requirements at once, including the GDPR’s rules on breach notification and on appropriate technical and organizational measures. A GDPR-compliant incident response process will not, on its own, be sufficient for NIS 2, particularly in light of the tighter reporting timeframes, the different notification recipients (CSIRTs and competent authorities rather than data protection authorities) and the broader set of incidents that must be reported.

Antonino Caffo has been a journalist, focusing on technology, for fifteen years. He is interested in topics related to IT security as well as consumer electronics. Antonino writes for the most important Italian general-interest and trade publications. You can sometimes see him on television explaining how technology works, which is not as trivial for everyone as it seems.