The last few months of 2022, the European Parliament ratified a new version of the Network and Information Security (NIS) Directive (NIS2). Adopted on Nov. 28, member states now have two years—until Oct. 18, 2024—to acknowledge and formally adopt it. NIS2 addresses some limitations from the first version where some areas of improvement were needed to counter risk introduced by digital transformation and by evolving cyber threats that exposed a lack of resilience within systems supporting businesses in the EU.
NIS2 better addressed a few of NIS1’s challenges, providing:
A better and wider scope of application
A rationalization of previous minimum security requirements and new incident-reporting rules
A better definition of supervising and controls with specific and more cost-effective sanctions for failing to comply with the directive
A better focus on risk management and vulnerability management, as well as significant focus supply chain cybersecurity
An enhancement and incentive to improve threat information sharing between member states
Compared to NIS1, which states a company’s obligation to adopt security measures appropriate to risks, NIS2 introduces some measures that must be mandatory adopted by entities subjected to the compliance.
Let’s quickly walk through some of the previous bullet points giving some additional information:
Wider scope: Entities have been reclassified as “essential” and “important" and will be subjected to the same obligations for risk management and incident reporting. Essential entities will be subject to so-called “ex ante monitoring” (e.g. regular audits and focus on cybersecurity, on-site assessments, requests for information), while important entities will be subject to just “ex post monitoring.” NIS2 also expands the scope of entities subjected to compliance, excluding only small- and medium-sized companies. Among these, however, companies with elevated risks must comply as well. We are speaking about certain small enterprises and micro-enterprises that fulfill specific criteria that indicate a key role within society, the economy, or for particular sectors or types of service that will fall within scope of the directive.
Cyber risk management measures: There are some important additions because NIS1 was not aligned with state-of-the-art technology. The new measures to be adopted include policies and procedures regarding the use of cryptography, mandatory checks to outsourcers, supply chain security, risk analysis, incident handling, backups, business continuity, vulnerability management, and others included in Article 21 of the directive, including one very important requirement for the use of multi-factor authentication.
NIS2’s enhanced requirements around supply chain cybersecurity are crucial. For example, NIS2 recommends that the European Cooperation Group, already in place, in cooperation with the European Commission and ENISA and eventually after consulting relevant stakeholders including from the industry, should carry out coordinated security risk assessments of critical supply chains with aim of identifying, per sector, the critical ICT services, ICT systems or ICT products, relevant threats and vulnerabilities. This is similar to recommendations for 5G networks (Commission Recommendation (EU) 2019/534).
It’s also important to mention NIS2’s focus on the need to increase the EU’s level of cooperation with some key actors such as National Authorities and CSIRTs acting as trusted intermediaries. Vulnerability disclosures are encouraged in order to maintain a European vulnerability registry.
Also, reporting cybersecurity incidents that cause a significant impact to business and safety is now mandatory within 24 hours with more precise provisions on the reporting process, content and timeline provided in NIS2. The directive also formally establishes the European Cyber Crises Liaison Organization Network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents at the EU level.
But let’s concede that there are still gray areas. NIS2 must be “received” through “effective laws” in each member state, and will be more precise with the following:
Criteria and parameters for identifying the scope of assets that fall within the scope of applicability
Framework of specific security measures to be adopted for essential/important entities potentially depending on the specific sector
Relationship with “PSNC” (Italian Law for Cyber Security for specific entities) application on coincident ambitions and harmonization. So most likely, the Italian Agency for Cyber Security will provide harmonization with the Italian regulatory framework already in place such as PSNC. This need for harmonization most probably will be a challenge for other countries
Possible overlapping with some parts of the Digital Operational Resilience Act (DORA) regulation
NIS2 figures to bring important changes to the cybersecurity strategies of EU security leaders within critical infrastructure. The updated directive recognized shortcomings in the original document around important risk management processes, including the lack of resilience within systems supporting businesses in the EU, existing issues with threat intelligence sharing, joint incident response, and supply chain cybersecurity.
Leaders must understand their obligations within NIS2’s structure, make appropriate investments to reduce risk, and improve the overall cybersecurity standing of critical infrastructure entities across the EU. The end result will be not only resilient IT, OT and IoT systems, but also an economy and delivery of critical services resilient to malicious actors.
Roberto De Paolis has a degree in electronic engineering. He was a pioneer of telematics in Italy, when in 1984 with a Commodore 64, he founded and managed one of the first Bulletin Board Systems (BBS). His career path includes multiple professional roles as a consultant from 1999-2004. Subsequently he joined large companies like Northrop Grumman Italy, SKY, UniCredit Group, and ICCRREA Banking Group covering roles of increasing complexity and responsibilities exclusively related to Information and Cyber Security-ICT Security. Since 2018, Roberto has been in the lead role of IT Security Business Partner and Security Operations at Leonardo, one of Italy’s biggest companies, a provider of global security and advanced technology systems for applications in the aerospace, defense and security sectors.