Inside the EU's Toughened NIS2 Cybersecurity Directive

The last few months of 2022, the European Parliament ratified a new version of the Network and Information Security (NIS) Directive (NIS2). Adopted on Nov. 28, member states now have two years—until Oct. 18, 2024—to acknowledge and formally adopt it. NIS2 addresses some limitations from the first version where some areas of improvement were needed to counter risk introduced by digital transformation and by evolving cyber threats that exposed a lack of resilience within systems supporting businesses in the EU.

NIS2 better addressed a few of NIS1’s challenges, providing: 

• A better and wider scope of application 

• A rationalization of previous minimum security requirements and new incident-reporting rules

• A better definition of supervising and controls with specific and more cost-effective sanctions for failing to comply with the directive

• A better focus on risk management and vulnerability management, as well as significant focus supply chain cybersecurity

• An enhancement and incentive to improve threat information sharing between member states

Compared to NIS1, which states a company’s obligation to adopt security measures appropriate to risks, NIS2 introduces some measures that must be mandatory adopted by entities subjected to the compliance.

Let’s quickly walk through some of the previous bullet points giving some additional information:

• Wider scope: Entities have been reclassified as “essential” and “important" and will be subjected to the same obligations for risk management and incident reporting. Essential entities will be subject to so-called “ex ante monitoring” (e.g. regular audits and focus on cybersecurity, on-site assessments, requests for information), while important entities will be subject to just “ex post monitoring.” NIS2 also expands the scope of entities subjected to compliance, excluding only small- and medium-sized companies. Among these, however, companies with elevated risks must comply as well. We are speaking about certain small enterprises and micro-enterprises that fulfill specific criteria that indicate a key role within society, the economy, or for particular sectors or types of service that will fall within scope of the directive.

• Cyber risk management measures: There are some important additions because NIS1 was not aligned with state-of-the-art technology. The new measures to be adopted include policies and procedures regarding the use of cryptography, mandatory checks to outsourcers,  supply chain security, risk analysis, incident handling, backups, business continuity, vulnerability management, and others included in Article 21 of the directive, including one very important requirement for the use of multi-factor authentication.

NIS2’s enhanced requirements around supply chain cybersecurity are crucial. For example, NIS2 recommends that the European Cooperation Group, already in place, in cooperation with the European Commission and ENISA and eventually after consulting relevant stakeholders including from the industry, should carry out coordinated security risk assessments of critical supply chains with aim of identifying, per sector, the critical ICT services, ICT systems or ICT products, relevant threats and vulnerabilities. This is similar to recommendations for 5G networks (Commission Recommendation (EU) 2019/534). 

It’s also important to mention NIS2’s focus on the need to increase the EU’s level of cooperation with some key actors such as National Authorities and CSIRTs acting as trusted intermediaries. Vulnerability disclosures are encouraged in order to maintain a European vulnerability registry.

Also, reporting cybersecurity incidents that cause a significant impact to business and safety is now mandatory within 24 hours with more precise provisions on the reporting process, content and timeline provided in NIS2. The directive also formally establishes the European Cyber Crises Liaison Organization Network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents at the EU level.

But let’s concede that there are still gray areas. NIS2 must be “received” through “effective laws” in each member state, and will be more precise with the following:

• Criteria and parameters for identifying the scope of assets that fall within the scope of applicability

• Framework of specific security measures to be adopted for essential/important entities potentially depending on the specific sector

• Relationship with “PSNC” (Italian Law for Cyber Security for specific entities) application on coincident ambitions and harmonization. So most likely, the Italian Agency for Cyber Security will provide harmonization with the Italian regulatory framework already in place such as PSNC. This need for harmonization most probably will be a challenge for other countries

• Possible overlapping with some parts of the Digital Operational Resilience Act (DORA) regulation

NIS2 figures to bring important changes to the cybersecurity strategies of EU security leaders within critical infrastructure. The updated directive recognized shortcomings in the original document around important risk management processes, including the lack of resilience within systems supporting businesses in the EU, existing issues with threat intelligence sharing, joint incident response, and supply chain cybersecurity. 

Leaders must understand their obligations within NIS2’s structure, make appropriate investments to reduce risk, and improve the overall cybersecurity standing of critical infrastructure entities across the EU. The end result will be not only resilient IT, OT and IoT systems, but also an economy and delivery of critical services resilient to malicious actors.