On November 28, 2022, NIS2 officially replaced the European Union’s Network and Information Security (NIS) Directive, heralding significant compliance changes for many EU businesses. This long-anticipated revamp aims to enhance critical infrastructure resilience and align cybersecurity efforts across the EU.
Read on to learn how and why EU cybersecurity regulations are changing, and if your organization is covered under NIS2.
NIS vs. NIS2: What’s Changed
The original NIS Directive was the first EU-wide piece of cybersecurity legislation. First adopted in 2016, the Directive represented a major step forward. Yet over the years, it proved difficult to implement consistently. NIS2 encompasses six major changes to address these challenges and respond to growing threats posed by digitalisation, including:
1. A broader scope. The list of industries covered by NIS2 is much longer than before, meaning a lot more EU businesses must take note. Additionally, NIS2 provides greater detail on which entities within these sectors are subject to requirements. Any entity with more than 250 employees and an annual turnover of more than EUR 50 million and/or an annual balance sheet above EUR 43 million is covered. And in certain circumstances, entities must comply irrespective of company size, such as public electronic communications network providers.
It’s now up to each Member State to classify these entities as “essential” (e.g., critical infrastructure operators, certain manufacturers) or “important” (e.g., digital services providers, managed services providers). While both groups must meet the same requirements, “essential” entities will face stricter supervision and enforcement.
2. Strengthened security requirements. NIS2 introduces a set of baseline cybersecurity measures that each covered entity must address. These include risk analysis and information system security policies, incident response, business continuity and crisis management, supply chain security, assessment of effectiveness of risk management measures, and encryption and vulnerability disclosure.
3. Enhanced collaboration. NIS2 rules aim to increase trust, information sharing and coordinated management of large-scale cybersecurity incidents at the EU level. The European Cyber Crisis Liaison Organization Network (EU CyCLONe) was established to specifically support these efforts.
4. Faster incident reporting timelines. NIS2 clarifies obligations with more precise provisions on the disclosure process, content and timeline. Notably, impacted companies must submit an initial report to authorities within 24 hours of learning of an incident and a final report within one month.
5. Steeper penalties for non-compliance. Non-compliance fines could reach up to two percent of annual turnover or EUR 10 million, whichever is higher.
6. “Management body” oversight and accountability. For the first time, NIS2 specifically places an obligation on “management bodies” (including C-Suite members) for implementing and complying with heightened security measures and alludes to potential consequences for failure to do so.
Expanded NIS2 Guidance Addresses Current Risks and Future Challenges
NIS2 guidance reflects a rapidly changing threat landscape that looks nothing like it did back in 2016. For instance, many utilities and manufacturers are now converging operational technology (OT) networks and information technology (IT) networks to simplify operations and reduce costs.
Historically, OT and IT networks operated independently. Industrial control traffic flowed over a dedicated OT network using industry-specific supervisory control and data acquisition (SCADA), energy management system (EMS) and manufacturing execution system (MES) protocols. Business application traffic flowed over a separate enterprise IP network that connected to the public internet. If an external threat actor managed to breach the enterprise network, they had no route into the OT network. Increased network convergence eliminates the “air gaps” between the two environments, providing a pathway for external threat actors to reach industrial control systems and disrupt physical processes.
Critical infrastructure operators are also shifting away from proprietary hardware and special-purpose software toward standards-based OT — think Linux-based commodity servers and commercial-off-the-shelf software that are much easier to work with. Unfortunately, this also makes systems more vulnerable to software supply chain attacks, as the infamous SolarWinds breach showed the world.
The European Commission notes in NIS2, “Now any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the whole internal market.”
The risks brought on by digitalisation are many. It’s now common for OT and Internet of Things (IoT) endpoints to connect over the internet, while applications are often deployed in the cloud — far beyond the secure confines of the enterprise network border. What’s more, many workers have gone remote for good, and system administrators (both employees and third parties) routinely manage critical infrastructure from remote locations.
For all these reasons and more, a consistent point of security control beyond the network perimeter is essential for defending critical infrastructure against devastating cyberattacks. NIS2’s architects recognize this and advocate a Zero Trust cybersecurity model in which no human or machine identity is trusted by default: every identity must be authenticated and authorized regardless of its location.
Now that NIS2 has been officially adopted, it will enter into force by the end of 2023. Member States have until September 2024 to transpose the Directive into their own national laws, at which time many EU businesses will need to comply with country-specific requirements.
In part two of this NIS2 post, we’ll explore Identity Security best practices that can help critical infrastructure operators, service providers and suppliers prepare for upcoming NIS2 compliance requirements, while strengthening cybersecurity and reducing risk.