NIS2: What it is, how it applies to your business, and what you need to do to prepare
Back in 2016, following increased concern over the threat of cyberattacks, the EU launched the first piece of EU-wide cybersecurity legislation – the Network and Information Systems (NIS) Directive. The directive aimed to increase member states’ cybersecurity capabilities, increase collaboration on cybersecurity, and encourage member states to ‘supervise’ cybersecurity across their Critical National Infrastructure (CNI), including healthcare, transport, and energy.
Fast forward to 2022, however, and the NIS Directive has begun to show its age. The COVID-19 pandemic, in particular, saw a huge increase in people’s reliance on digital technology, which was matched accordingly by a significant increase in cyberattacks. These increased attacks on CNI, as well as gaps in the original NIS legislation and inconsistency in how NIS has been implemented by member states, revealed the limitations of the previous model – and the urgent need to adopt a new one.
When will the NIS2 Directive be implemented?
Thus, NIS2 was drafted to increase cyber security resilience across EU member states’ CNI. Provisionally agreed to in May 2022, the legislation is expected to be formally adopted later this year, after which member states have 21 months to integrate it into their national law (i.e. mid-late 2024).
But what is this new legislation, and how does it differ from what came before? This blog will walk you through the key differences of NIS2 from its previous iteration and, most importantly, what you and your business need to do to prepare for its adoption ahead of its 2024 implementation.
What was wrong with the NIS Directive?
There are always issues when theory meets practice, and the NIS Directive was no exception.
NIS aimed at creating one cybersecurity standard across the EU, making it easier for member states to collaborate with one another and fight threats together. In reality, however, there has often been serious inconsistency in how the NIS Directive was implemented in different countries. The NIS instructed member states to supervise their CNI’s cybersecurity, but failed to consider the gulf between each state’s capability. A country like Germany, with plenty of resources and expertise in cybersecurity, is far better equipped to ‘supervise’ than a smaller member state.
Similarly, security and incident reporting requirements were left to each member state to decide. This inevitably led to inconsistency, creating particular difficulties for organisations which were operating across multiple countries, each with its different rules for companies to follow.
Inconsistency was also found in the information sharing between countries. The NIS Directive sought to improve collaboration, but as the NIS2 briefing reveals, states have often failed to share information systematically with one another. Nor have private companies demonstrated the cooperation hoped for by the NIS Directive.
But, more than anything else, the world is a different place than it was in 2016. Although the landmark NIS Directive made important steps in improving cybersecurity across the EU, the technological landscape, as we know, moves fast. 2016 may only have been 6 years ago, but in that time, we’ve seen an unprecedented global pandemic, a significant acceleration of digitisation, a disturbing rise in cyberattacks, and the emergence of new technologies, such as 5G.
One development has been the vast increase in attacks on supply chains, such as the SolarWinds hack. ENISA warns of the impending danger of cyberattacks on the supply chain, predicting attacks on the IT and communications sector in particular.
Ciaran Martin, Head of the National Cyber Security Centre, ominously declared in 2018 that a major cyberattack on the UK was a question of ‘when, not if’. As of 2022, that time appears to be closer than ever as a result of Russia’s war of aggression against Ukraine, with 72% of UK CNI organisations reporting a rise in cyberattacks since the beginning of the conflict. Considering the significant threat these attacks bring, creating the potential for economic, social, and even physical damage, addressing them is of paramount importance.
This new global context thus means a new response is needed, suited for the challenges of the present day. That response is NIS2.
What’s different about NIS2?
NIS2 continues the original NIS Directive’s mission to ensure a high common level of cybersecurity across the EU. Just one weak link can create a vulnerability that hostile agents can exploit, so it is crucial the entire EU abides by the same standards.
NIS2 differs, however, by aiming to address the issues with the previous NIS legislation and tightening up the rules. Most importantly, this concerns the inconsistent way in which the original NIS Directive was implemented, as this complicated collaboration between different countries, as well as undermining the overall effectiveness of EU cybersecurity.
New rules to reduce inconsistency
NIS2 makes important steps to reduce the inconsistency which plagued the NIS Directive. This includes removing the ability for member states to set their own requirements for security in some cases, which led to uneven regulation across the continent. Instead, all requirements will be dictated by the EU, creating a fixed standard across the union.
These require that organisations must ensure the following measures are in place to manage cybersecurity risks:
Risk analysis and information system security policies: one of the most important parts of cybersecurity is assessing what your level of risk is. Identify your most important assets and what an attack might look like. Constantly be on the watch for vulnerabilities which might threaten your network, or news of attacks on other members of your industry. Introduce policies for frequent and thorough risk analysis – try to be proactive, not reactive.
Incident prevention, detection, and response: leading from your risk analysis and identification of threats, take steps to defend against them. Identify your biggest vulnerabilities and put plans in place to prevent them from being successfully attacked. This requires rapid detection of an attack and a clear and focused response. Outline the chain of command in the case of an incident, so a detected threat can be dealt with by the proper department as soon as possible. Have plans and back-up plans; run drills; train all relevant parties.
Business continuity and crisis management: focus on setting up cloud storage backup solutions to ensure business can continue in the event of a cyberattack. Have plans for how your business will react to an attack and how it can recover from it as quickly as possible, minimising disruption.
Supply chain security: organisations must consider the vulnerabilities of each supplier and service provider, and their cybersecurity practices (this includes providers of data storage). Understand the risks, maintain a close relationship with suppliers, and continually update security to guarantee your protection.
Effective use of cryptography: encryption is crucial in keeping your information secure, so make use of cryptography to defend your network (for more information, check the ICO’s guide on how you can use encryption effectively).
Vulnerability disclosure: make use of open source to reveal vulnerabilities in your security. Provide ways for the public to report any vulnerability to you and ensure this information is acted upon by the proper department (for more information, see the NCSC vulnerability disclosure toolkit). Likewise, when your organisation identifies a vulnerability, disclose this to others in order to support the fight against cybercrime and ensure it is not exploited elsewhere.
Policies and procedures to assess the effectiveness of the organisation’s cybersecurity risk management: the threat of cyberattacks is ever-present and ever-changing. Implement policies to frequently review your cybersecurity, categorising what the biggest threats are to your network and how you are mitigating these. Good data collection is vital in assessing how protected you are, so be sure to consider every detail. Just because you stopped an attack before doesn’t mean you’re going to stop it next time, so be mindful of your risk analysis and adapt accordingly.
In addition, NIS2 imposes a new approach to incident reporting: companies must submit an initial report within 24 hours of becoming aware of an incident, and a final report within one month.
Although the NIS Directive aimed at collaboration, inconsistencies between countries undermined the extent to which this was possible as each member state worked in a slightly different way.
To confront this, NIS2 aims to increase collaboration by:
a) increasing trust between authorities;
b) encouraging more data sharing between authorities;
c) requiring authorities to participate in incident response at the EU level (rather than national);
d) establishing an EU-Cyber Crisis Liaison Organisation Network (EU CyCLONe), a central body which coordinates and manages responses to EU-wide cyber incidents.
By centralising control of cybersecurity at the EU level, and with everyone following the same cybersecurity standards, NIS2 hopes to simplify the previously uncoordinated system. It is hoped this will open the way to collaborative data sharing and more efficient responses to any problems that may arise.
Does NIS 2 apply to my business?
The scope of NIS2 is much wider than the previous legislation, with more businesses and organisations coming under the remit.
The short version:
NIS2 applies to the same industries as the original NIS Directive, as well as medium and large organisations (defined by the EU as those which employ more than 50 people and whose annual turnover exceeds €10 million) in the following newly added industries:
Critical product manufacturing (i.e. medicine)
Smaller organisations who are also critical to the member state’s functioning are also included in this remit due to the potential problems that could arise if they were hit by a cyberattack.
The long version:
NIS2 focuses on operators of essential services (OESs) – the businesses and organisations responsible for maintaining a country’s CNI. The original NIS Directive created serious inconsistencies in how member states identified these operators, partially as a result of distinguishing between OESs and Digital Service Providers (DSPs). These had separate security requirements under the NIS Directive, increasing confusion and inconsistency, particularly as some countries identified OESs and DSPs differently. This was exacerbated even further by the NIS directive not defining what threshold a DSP security incident needed to surpass to require reporting to a national authority, creating different standards across the EU as member states set their own, different, rules.
NIS2 addresses this confusion by removing the distinction between OESs and DSPs entirely, applying the same rules across the board. Previous businesses which were counted as DSPs may therefore need to update their security protocols to be in line with the general standard. At the same time, NIS2 explicitly expands the scope of which businesses it applies to, such as addressing the cybersecurity of the ICT supply chain, as seen in the following infographic:
However, it’s worth noting that size matters. A new factor in NIS2 is the introduction of a size cap on which organisations are covered by the requirements. Medium and large organisations are covered under the new rules, but small organisations (defined by the EU as those with under 50 employees and annual turnover less than €10 million) are generally exempt – provided that the organisation in question is not critically important for the member state’s functioning and its disruption would not cause major disruption. If your business falls within one of these new sectors, you may want to consider the size of your organisation (both now and what it will be in 2024) before acting.
Do I need to worry about NIS2 if I am in the UK?
Of course, as of Brexit, the UK is no longer part of the EU, and therefore NIS2, as a piece of EU legislation, doesn’t directly apply. However, this doesn’t mean your business will be exempt. UK organisations which operate in the EU must also abide by NIS2, as maintaining the same security standard across the continent is essential for a robust system.
It is also highly likely UK regulators will soon follow the EU’s lead and adopt similar laws, as the country faces the same challenges of new technology and increased cyberattacks. The importance of secure CNI is a vital global issue, and the UK is likely to address this sooner rather than later. While it may not be as soon as 2024, there are no guarantees, and it is better for your business to be well-prepared than caught short later down the line.
Are there sanctions if I don't follow the NIS 2 directive?
Arguably most important for organisations are the stricter enforcement requirements which NIS2 introduces. As cybersecurity becomes such a key issue, the EU is pushing for urgent action across its member states to ensure resilience. This comes with significant sanctions for those organisations which do not follow the rules. These range from your organisation being security audited and ordered to follow the audit’s recommendations, to fines of €10 million or 2% of the organisation’s total worldwide turnover – whichever of these numbers is higher.
These fines are the same as those for GDPR violations, and NIS2 should be understood in similar terms. Just as GDPR created a new standard for data protection that transformed how organisations deal with data, NIS2 is a huge development in cybersecurity which needs to be treated with the same seriousness. Simply: it cannot be ignored.
What do I need to do to prepare for NIS2?
At its heart, NIS2 aims to improve cybersecurity resilience across CNIs, and to ensure a common level of cybersecurity across countries. The directive emphasises that cybersecurity must be a collective effort, with EU member states all reliant upon one another to ensure the security of the entire network. To that end, information sharing and collaboration are key in order to create a cohesive and strong system capable of withstanding evolving threats.
In preparing for NIS2 (or the subsequent UK laws), your business should embody these values through the following steps:
If you haven’t already, begin building critical relationships within the cybersecurity industry, whether it be with peers, suppliers, or national groups. Better intelligence means better preparation, so work with your network to facilitate better information sharing.
This especially applies to your supply chain, which for too long has been overlooked by companies as a potential vulnerability. Make sure you have a good grasp on all the links in your network, and the state of their cybersecurity, so malevolent actors have no easy targets.
Ensure, and maintain, strong communication with your suppliers. NIS2’s focus on defending the entire network through a common standard and collaboration applies just as well to your business. By working closely with your suppliers to increase cyber security and awareness of any potential vulnerabilities, you can help mitigate any nasty surprises that might be lurking in the future.
In the meantime, continue working on improving your organisation’s cybersecurity resilience. This means tightening up those seven areas identified by the EU (Risk analysis and information system security policies; incident prevention, detection, and response; supply chain security, etc.). By doing so now, you can avoid a frantic rush in 2024, ensure you’re on the right side of any sanctions, and, most importantly of all, guarantee the security of your business.
NIS2 marks an important step in the evolution of cybersecurity. Building on the NIS Directive’s foundations, NIS2 makes vital changes in reducing inconsistency and supporting more collaboration between EU member states. Whether it completely solves these problems – or inadvertently creates some new, unforeseen ones – is yet to be seen, but its prioritisation of CNI cybersecurity is greatly encouraging in an age of increased cyberattacks.
Although adapting your organisation for NIS2 or the subsequent UK legislation may seem daunting, following the steps in this article will put you in a strong position for 2024 and beyond. Map your supply chain network, build and maintain connections with peers and others in the industry, prioritise strong communication, and continue working on your cybersecurity resilience – not just for NIS2, but to secure your organisation from any potential threats. In doing so, you future-proof your business and guarantee a smooth path forward.
The NIS Directive: The Network and Information Systems Directive, aimed at creating a base standard for cybersecurity across the EU.
NIS2: An updated version of the NIS Directive which aims to tackle some of the issues stemming from the original, such as inconsistency in application.
EU CyCLONe: EU-Cyber Crisis Liaison Organisation Network, a joint cyber unit which aims to ensure collaborative, rapid responses from member states to major cyber crises.
CNI: Critical National Infrastructure (e.g. communications, defence, energy).
GDPR: General Data Protection Regulation, a regulation on data protection and privacy.
OES: Operators of Essential Services (e.g. transport networks, energy companies, healthcare).
DSP: Digital Service Providers (e.g. search engines, cloud services, online markets).