The Network and Information Systems Directive (NIS2), due to come into effect in October 2024, seeks to improve cyber resilience in the European Union (EU). Its effects are likely to be wider reaching, though, bringing in more stringent processes and controls and redefining how we provision services to organizations that are deemed nation-critical.
The mandatory directive will have teeth, with strict penalties for non-compliance for both the business and senior board personnel, who can be held directly accountable and prevented from holding similar positions in the future. It also aims to increase intelligence sharing between member states and enhance supply chain security. This latter measure will see the directive have a global impact.
NIS2 is much wider in scope than its predecessor: all businesses – including small and micro businesses – that are deemed to have an important or essential role in a member state are now covered. Yet those outside of its jurisdiction may find themselves required to comply by association, including those outside the EU that are supplying services to the EU.
Suppliers will get sucked in
Under Article 21, organizations must put cybersecurity risk measures in place, and Section 21(2)(d) is specific to supply chain security. It details the need to conduct internal and coordinated risk assessments to establish vulnerabilities specific to suppliers, service providers, and their cybersecurity solutions and processes. So, a non-EU-based provider of operationally critical products or services selling to a business classed as important or essential and based in the EU would be in scope.
We can expect buyers and providers to incorporate these risk assessments, as well as other elements associated with NIS2 such as incident reporting procedures, into future contracts. There are strict reporting obligations, with a compulsory early warning immediately following a breach, which must be communicated to the relevant authority within 24 hours. A full notification report must be filed after 72 hours, and a final report a month later.
However, implementing additional measures could prove costly, with reports suggesting the cost of compliance may rise by 22% for those not previously subject to NIS1. So how can organizations that must prepare to meet NIS2 control spending?
Achieving compliance through other standards
Firstly, while NIS2 is wide-ranging, covering risk management, cybersecurity best practices, and business continuity/disaster recovery (BC/DR) elements, it includes several requirements, such as for an information security management system (ISMS), that an organization can meet by virtue of complying with other standards.
Most of the requirements can be mapped to the cybersecurity and risk standard ISO27001 and the remainder to the BC/DR standard ISO22301. At the same time, those with IT/OT environments can also use IEC 62443, for example. It’s also important to note that where an EU legal act such as DORA or PSD2 is already being observed with respect to cybersecurity or incident response, that ruling takes precedence, so there is no need to duplicate effort.
Similarly, many of the controls can also be performed using existing systems without the need to reinvent the wheel. Security information and event management (SIEM) is a prerequisite, for example, to provide centralized log management and the ability to detect and respond to incidents. Those businesses without a next-gen SIEM in place can opt to outsource this capability via a managed security services provider (MSSP).
Determining what is needed will require a gap analysis, closely examining the requirements of NIS2 against the security measures already in place, and some areas will require extra legwork.
For example, from a technology perspective, cryptography and encryption are a significant focus in NIS2 in their own right, rather than in relation to specific controls. Strategically, there is also more emphasis on the role of senior management in spearheading risk awareness throughout the business. Plus, as NIS2 is partly a risk-based regulation, it will require assessments to be performed continuously, much like ISO27001.
Why NIS2 is necessary
NIS2 is undisputedly an important turning point and a response to a growing cyber threat to national interests. We’ve seen Russia use Ukraine as a cyber range in which to test cyber weapons, and nation-state-sponsored attacks are growing, with the majority of APTs now attributable to Russia, China, Iran, or North Korea.
Meanwhile, the FBI warned in September that fluctuating energy prices could well see attacks against critical national infrastructure increase in the US, revealing how interdependent the markets are.
So, given that NIS2 is a sign of the times, is it likely to be adopted elsewhere? In the UK, which continues to comply with NIS1, it’s thought unlikely that NIS2 will be adopted verbatim, although amendments have been made, such as the extension of the regulations to include managed service providers (MSPs) to help protect the critical businesses they serve. That said, the UK government also gave itself the power to amend the NIS regulations in the future to ensure they remain effective.
We could see NIS2 become a trailblazer, much like GDPR was for data protection regulations, giving nations a blueprint on how to protect the organizations that are critical to their economies. The directive sets the bar higher with respect to security, effectively creating a new minimum baseline and quicker response reporting that will make it much harder for a cyberattack to severely impact the functionality of a state. It’s an ambitious undertaking and one that will have widespread repercussions – and not just for those within the EU.