Explainers & Guides
What are Third Party Risk Management Tools & Which Is Right For Me?
Back in 2016, following increased concern over the threat of cyberattacks, the EU launched the first piece of EU-wide cybersecurity legislation – the Network and Information Systems (NIS) Directive. The directive aimed to increase member states’ cybersecurity capabilities, increase collaboration on cybersecurity, and encourage member states to ‘supervise’ cybersecurity across their Critical National Infrastructure (CNI), including healthcare, transport, and energy.
Fast forward to 2022, however, and the NIS Directive has begun to show its age. The COVID-19 pandemic, in particular, saw a huge increase in people’s reliance on digital technology, which was matched accordingly by a significant increase in cyberattacks. These increased attacks on CNI, as well as gaps in the original NIS legislation and inconsistency in how NIS has been implemented by member states, revealed the limitations of the previous model – and the urgent need to adopt a new one.
Thus, NIS2 was drafted to increase cyber security resilience across EU member states’ CNI. Provisionally agreed to in May 2022, the legislation is expected to be formally adopted later this year, after which member states have 21 months to integrate it into their national law (i.e. mid-late 2024).
But what is this new legislation, and how does it differ from what came before? This blog will walk you through the key differences of NIS2 from its previous iteration and, most importantly, what you and your business need to do to prepare for its adoption ahead of its 2024 implementation.
There are always issues when theory meets practice, and the NIS Directive was no exception.
NIS aimed at creating one cybersecurity standard across the EU, making it easier for member states to collaborate with one another and fight threats together. In reality, however, there has often been serious inconsistency in how the NIS Directive was implemented in different countries. The NIS instructed member states to supervise their CNI’s cybersecurity, but failed to consider the gulf between each state’s capability. A country like Germany, with plenty of resources and expertise in cybersecurity, is far more equipped to ‘supervise’ than a smaller member state.
Similarly, security and incident reporting requirements were left to each member state to decide. This inevitably led to inconsistency, creating particular difficulties for organisations which were operating across multiple countries, each with its different rules for companies to follow.
Inconsistency was also found in the information sharing between countries. The NIS Directive sought to improve collaboration, but as the NIS2 briefing reveals, states have often failed to share information systematically with one another. Nor have private companies demonstrated the cooperation hoped for by the NIS Directive.
But, more than anything else, the world is a different place than it was in 2016. Although the landmark NIS Directive made important steps in improving cybersecurity across the EU, the technological landscape, as we know, moves fast. 2016 may only have been 6 years ago, but in that time, we’ve seen an unprecedented global pandemic, a significant acceleration of digitisation, a disturbing rise in cyberattacks, and the emergence of new technologies, such as 5G.
One development has been the vast increase in attacks on supply chains, such as the SolarWinds hack. The ENISA warn of the impending danger of cyberattacks on the supply chain, predicting attacks on the IT and communications sector in particular.
Ciaran Martin, Head of the National Cyber Security Centre, ominously declared in 2018 that a major cyberattack on UK was a question of ‘when, not if’. As of 2022, that time appears to be closer than ever as a result of Russia’s war of aggression against Ukraine, with 72% of UK CNI organisations reporting a rise in cyberattacks since the beginning of the conflict. Considering the significant threat these attacks bring, creating the potential for economic, social, and even physical damage, addressing them is of paramount importance.
This new global context thus means a new response is needed, suited for the challenges of the present day. That response is NIS2.
NIS2 continues the original NIS Directive’s mission to ensure a high common level of cybersecurity across the EU. Just one weak link can create a vulnerability that hostile agents can exploit, so it is crucial the entire EU abides by the same standards.
NIS2 differs, however, by aiming to address the issues with the previous NIS legislation and tightening up the rules. Most importantly, this concerns the inconsistent way in which the original NIS Directive was implemented, as this complicated collaboration between different countries, as well as undermining the overall effectiveness of EU cybersecurity.
NIS2 makes important steps to reduce the inconsistency which plagued the NIS Directive. This includes removing the ability for member states to set their own requirements for security in some cases, which led to uneven regulation across the continent. Instead, all requirements will be dictated by the EU, creating a fixed standard across the union.
These require that organisations must ensure the following measures are in place to manage cybersecurity risks:
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2020%3A823%3AFIN (Article 18, Paragraph 2)
In addition, NIS2 imposes a new approach to incident reporting: companies must submit an initial report within 24 hours of becoming aware of an incident, and a final report within one month.
Although the NIS Directive aimed at collaboration, inconsistencies between countries undermined the extent to which this was possible as each member state worked in a slightly different way.
To confront this, NIS2 aims to increase collaboration by:
a) increasing trust between authorities;
b) encouraging more data sharing between authorities;
c) requiring authorities to participate in incident response at the EU level (rather than national);
d) establishing an EU-Cyber Crisis Liaison Organisation Network (EU CyCLONe), a central body which coordinates and manages responses to EU-wide cyber incidents.
By centralising control of cybersecurity at the EU level, and with everyone following the same cybersecurity standards, NIS2 hopes to simplify the previously uncoordinated system. It is hoped this will open the way to collaborative data sharing and more efficient responses to any problems that may arise.
The scope of NIS2 is much wider than the previous legislation, with more businesses and organisations coming under the remit.
NIS2 applies to the same industries as the original NIS Directive, as well as medium and large organisations (defined by the EU as those which employ more than 50 people and whose annual turnover exceeds €10 million) in the newly-added following industries:
Smaller organisations who are also critical to the member state’s functioning are also included in this remit due to the potential problems that could arise if they were hit by a cyberattack.
NIS2 focuses on operators of essential services (OESs) – the businesses and organisations responsible for maintaining a country’s CNI. The original NIS Directive created serious inconsistencies in how member states identified these operators, partially as a result of distinguishing between OESs and Digital Service Providers (DSPs). These had separate security requirements under the NIS Directive, increasing confusion and inconsistency, particularly as some countries identified OESs and DSPs differently. This was exacerbated even further by the NIS directive not defining what threshold a DSP security incident needed to surpass to require reporting to a national authority, creating different standards across the EU as member states set their own, different, rules.
NIS2 addresses this confusion by removing the distinction between OESs and DSPs entirely, applying the same rules across the board. Previous businesses which were counted as DSPs may therefore need to update their security protocols to be in line with the general standard. At the same time, NIS2 explicitly expands the scope of which businesses it applies to, such as addressing the cybersecurity of the ICT supply chain, as seen in the following infographic:
Source: European Commission, 2021
However, it’s worth noting that size matters. A new factor in NIS2 is the introduction of a size-cap on which organisations are covered by the requirements. Medium and large organisations are covered under the new rules, but small organisations (defined by the EU as those with under 50 employees and annual turnover less than €10 million) are generally exempt – provided that the organisation in question is not critically important for the member state’s functioning or would lead to major disruption. If your business falls within one of these new sectors, you may want to consider the size of your organisation (both now and what it will be in 2024) before acting.
Of course, as of Brexit, the UK is no longer part of the EU, and therefore NIS2, as a piece of EU legislation, doesn’t directly apply. However, this doesn’t mean your business will be exempt. Organisations which work in the EU now must also abide by NIS2, as maintaining the same security standard across the continent is essential for a robust system.
It is also highly likely UK regulators will soon follow the EU’s lead and adopt similar laws, as the country faces the same challenges of new technology and increased cyberattacks. The importance of secure CNI is a vital global issue, and the UK is likely to address this sooner rather than later. While it may not be as soon as 2024, there are no guarantees, and it is better for your business to be well-prepared than caught short later down the line.
Arguably most important for organisations is the stricter enforcement requirements which NIS2 introduces. As cybersecurity becomes such a key issue, the EU is pushing for urgent action across its member states to ensure resilience. This comes with significant sanctions for those organisations which do not follow the rules. These range from your organisation being security audited and ordered to follow their recommendations, to fines of €10 million or 2% of the organisation’s total worldwide turnover – whichever of these numbers are higher.
These fines are the same as those for GDPR violations, and NIS2 should be understood in similar terms. Just as GDPR created a new standard for data protection that transformed how organisations deal with data, NIS2 is a huge development in cybersecurity which needs to be treated with the same seriousness. Simply: it cannot be ignored.
At its heart, NIS2 aims to improve cybersecurity resilience across CNIs, and to ensure a common level of cybersecurity across countries. The directive emphasises that cybersecurity must be a collective effort, with EU member states all reliant upon one another to ensure the security of the entire network. To that end, information sharing and collaboration are key in order to create a cohesive and strong system capable of withstanding evolving threats.
In preparing for NIS2 (or the subsequent UK laws), your business should embody these values through the following steps:
NIS2 marks an important step in the evolution of cybersecurity. Building on the NIS Directive’s foundations, NIS2 makes vital changes in reducing inconsistency and supporting more collaboration between EU member states. Whether it completely solves these problems – or inadvertently creates some new, unforeseen ones – is yet to be seen, but its prioritisation of CNI cybersecurity is greatly encouraging in an age of increased cyberattacks.
Although adapting your organisation for NIS2 or the subsequent UK legislation may seem daunting, following the steps in this article will put you in a strong position for 2024 and beyond. Map your supply chain network, build and maintain connections with peers and others in the industry, prioritise strong communication, and continue working on your cybersecurity resilience – not just for NIS2, but to secure your organisation from any potential threats. In doing so, you future-proof your business and guarantee a smooth path forward.
The NIS Directive: The Network and Information Systems Directive, aimed at creating a base standard for cybersecurity across the EU.
NIS2: An updated version of the NIS Directive which aims to tackle some of the issues stemming from the original, such as inconsistency in application.
EU CyCLONe: EU-Cyber Crisis Liaison Organisation Network, a joint cyber unit which aims to ensure collaborative, rapid responses from member states to major cyber crises.
CNI: Critical National Infrastructure (e.g. communications, defence, energy).
GDPR: General Data Protection Regulation, a regulation on data protection and privacy.
OES: Operators of Essential Services (e.g. transport networks, energy companies, healthcare).
DSP: Digital Service Providers (e.g. search engines, cloud services, online markets).
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
