What is the NIS2 directive?
What is NIS2?
On 17th January 2023, new EU legislation to improve cybersecurity came into force. The Network and Information Systems Security Directive (NIS2) aims to establish a minimum level of cybersecurity standards throughout Europe, and replaces the Network and Information Systems (NIS) Directive established in 2016.
The original NIS legislation was formed in response to concerns about cybersecurity and a changing threat landscape, and events in recent years (the COVID-19 pandemic, Russia’s invasion of Ukraine, a continuing increase in ransomware attacks) have prompted the EU to expand and strengthen the original Directive, resulting in NIS2. The impact of this new Directive could be as significant as GDPR, so you need to be aware of the upcoming requirements…
What did the original NIS Directive say?
The 2016 Directive defined two types of organization:
- Essential services such as energy, transport, water and healthcare providers
- Digital service providers, e.g. online marketplaces, cloud computing services and search engines
Businesses that fell into either category had to comply with the following 3 requirements:
- to take appropriate security measures to protect themselves from cyber threats
- to report any incidents that had a significant impact on operations
- to notify relevant authorities in the event of major incidents
In the original legislation, it was up to EU Member States to decide the types of businesses that had to comply with NIS, but NIS2 has renamed the categories to ‘essential entities’ and ‘important entities’, and is more specific about the types of businesses that fall into each category.
Who will be affected by NIS2?
NIS2 applies to both EU-based organizations and organizations based elsewhere that provide their services within the region. EU Member States must maintain an up-to-date list of all essential and important entities operating within their jurisdiction.
Essential entities include:
- Energy providers
- Transport companies
- Banking and financial market infrastructure
- Healthcare and pharmaceutical manufacturers
- Drinking water and wastewater infrastructure
- Public administration
- ICT services
- Digital infrastructure, including cloud service providers, data centers, domain name systems (DNS), and public communication networks
Important entities include:
- Postal and courier services
- Waste management
- Chemical manufacturing
- Food production and processing services
- Production of electronics, machinery and motor vehicles
- Online marketplaces, search engines and social networking sites
- Higher education and research institutions
What are the new NIS2 requirements?
The NIS2 Directive has a larger scope than NIS, applies to a greater number of sectors and industries, and is more explicit in outlining the cybersecurity measures it will require of organizations. NIS2 also aims to increase collaboration on cybersecurity between EU Member States.
In the new legislation, essential entities have a more rigorous set of requirements than important entities. Essential entities can be investigated at any time through audits and inspections, whereas important entities will only be investigated after an incident. Here are the key points of NIS2:
- Information security policy. Organizations must assess the potential impact of a cyberattack and must be proactive in managing risk, by implementing strong information security policies
- Incident prevention, detection and response. Businesses will be required to have incident prevention and response strategies in place, and they must test these plans and provide training for staff
- Business Continuity. As part of their incident response strategies, businesses must ensure they can continue operating in the event of a cyberattack. NIS2 focuses on cloud backup solutions to help businesses recover lost data and restore operations with minimal disruption
- Incident reporting. NIS2 stipulates that both categories of organizations are required to notify the relevant authorities in the event of a significant cyber event, and sets out a strict timeline for reporting – which we explain in the next section
- Supply chain security. NIS2 requires businesses to assess the vulnerabilities of their supply chains, including services like data storage providers. In simple terms, NIS2 requires businesses to consider not only their own cybersecurity, but that of any third parties they deal with
- Disclosing vulnerabilities. If an organization finds a vulnerability within their network, they must disclose it to the relevant authority. Organizations must also provide channels for the public to report vulnerabilities, and are required to act on any such reports
- Obligations on management teams. Senior staff and management teams can be held personally liable for their organization’s lack of compliance with NIS2
- Fines for non-compliance.
For essential entities, the fine for non-compliance can be up to €10 million, or 2% of the business’s worldwide annual turnover.
For important entities, the fine is up to €7 million, or 1.4% of the worldwide annual turnover
- Collaboration. NIS2 encourages the sharing of data between authorities, and requires those bodies to work together when responding to incidents. The aim is to have an EU-wide response to threats, rather than just national or localised responses. This emphasis on collaboration includes the establishment of the ‘Cyber Crises Liaison Organisation Network’ (EU-CyCLONe), a centralized body for managing incidents
NIS2 Incident Reporting
In the event of a breach or incident, organizations must follow a 3-step reporting procedure:
- They must give the relevant authority a ‘first early warning’ within 24 hours of the discovery of an incident
- The affected organization must then provide a more formal incident notification within 72 hours
- A final report must be given a month after the formal incident notification, and the organization must respond to any requests for status updates and provide progress reports if asked to do so
NIS2: Important dates to remember
NIS2 officially came into force on 17th January 2023, but EU Member States have until 17th October 2024 to make NIS2 law. In all likelihood, NIS2 compliance won’t be enforced until early 2025, so organizations have time to prepare.
What you need to do now
Until your region puts NIS2 into law, you don’t have to take any specific actions. However, many of the security measures set out in NIS2 are actions you should be taking anyway, to protect your business-critical data. These include:
- Conducting an audit of your data. It’s not just stored on traditional servers now; you need to know exactly which cloud services and Software-as-a-Service (SaaS) apps are being used to store and process your business data
- Regularly reviewing your existing cybersecurity tools and strategies
- Encrypting data, both during transfer and at rest
- Having a secure backup solution in place for all your data, including data you store on SaaS applications
- Having a comprehensive Disaster Recovery and Business Continuity strategy, and testing it on a regular basis
- Ensuring all staff receive cybersecurity training and regular refresher sessions
Prepare for NIS2 – secure your SaaS apps
A crucial part of ensuring your data is protected against cyber threats and your business is compliant with security regulation is making sure you have adequate backup in place for all your data, whether it’s stored on traditional on-premises servers or on cloud applications. As businesses increase their SaaS app usage – and adopt a diverse range of smaller apps, not just the most well-known cloud tools – securing data has never been more urgent. Apps like Trello, Asana, GitHub, GitLab, Xero, and Quickbooks don’t offer backup, which means you, the user, must ensure your data is protected.