Privacy HintsThe NIS2 Directive, which was introduced in 2020 and came into force on January 16, 2023, is an extension and broadening of the preceding EU cybersecurity directive, NIS. The European Commission put forward this directive to address and correct the shortcomings of the initial NIS directive.
The objective of NIS2 is to bolster the security of network and information systems across the EU. It does this by mandating that operators of vital infrastructure and essential services adopt suitable security measures and notify any incidents to the competent authorities.
In contrast to NIS, NIS2 broadens its security requirements across the EU and the range of organizations and sectors it covers. This is done to enhance supply chain security, streamline reporting duties, and impose stricter measures and penalties across Europe.
Essential and important entities registration
Entities that fall under the NIS2 Directive must be identified by the Member States by April 17, 2025. It is possible for these entities to self-register. As a result, these entities need to ascertain whether their services are within the NIS2 scope, identify the Member States where they offer these services, and register in each of these states before the deadline. The registration process necessitates that entities provide the following information at a minimum:
- Name, address, and registration number
- The NIS2 scope sector or sub-sector they belong to
- Updated contact information
- Their assigned IP addresses
- The Member States where they operate
The final registration procedure and the required information list will be established during the Directive’s legal transposition.
Improved cooperation (CSIRT platform)
A key component of the updated Directive is the aim to enhance collaboration among EU Member States in relation to cyber threats and incidents. The mandate will be given to the European Union Agency for Cybersecurity (ENISA) to create a database for disclosing vulnerabilities at the European level, which will aid in the exchange of information among the Member States.
Incident reporting
Under the established NIS1, each Member State is required to have a central contact point for Directive compliance and a coordinating CSIRT (Computer Security Incident Response Teams) for incident reporting or a competent authority. In the context of Belgium, this responsibility falls on the CCB (Centre for Cyber Security Belgium).
NIS2 introduces a new schedule for incident reporting. All incidents of significant impact must be reported by the essential and important entities promptly. An early warning, along with initial assumptions about the type of incident, should be communicated to the competent authority or CSIRT within 24 hours. A comprehensive notification report, which includes the assessment of the incident, its severity, impact, and indicators of compromise, must be submitted after 72 hours. A final report is required after 1 month.
The Directive advises Member States to streamline the incident reporting process by creating a single point of entry for incidents to lessen the administrative load, including for incidents that span multiple Member States.
The CSIRT, or the competent authority where applicable, is required to report incidents to ENISA every three months, using anonymized data. ENISA, in turn, will report on EU incidents every six months using this information. This reporting process is designed to aid organizations and Member States in learning from other incidents and represents a key change in the new NIS2 Directive.
Focus on key supply chains
Global events have underscored the necessity of maintaining stability in vital supply chains, leading to its prioritization in the NIS2 directive. The onus will be on individual businesses to manage cybersecurity threats within their supply chains and supplier relationships.
The new NIS2 Directive may indirectly affect numerous suppliers who are not directly covered by it, but provide goods or services to an entity that is. As a result, these suppliers might face a minimum cybersecurity maturity requirement imposed by their customer. The supervision of these suppliers in terms of NIS2 will not be carried out by national authorities, but by their customers. Therefore, even if your organization is not directly affected, it could still feel the impact depending on the services provided and the sector involved.
Accountability of the management
The NIS1 update introduces a significant feature: the new Directive mandates that the management of relevant organizations be held accountable. This means that management is required to shoulder the responsibility for their organization’s cybersecurity readiness. This involves carrying out risk evaluations and endorsing plans for risk mitigation, among other duties. To execute these tasks, it’s necessary for the management to undergo training in cybersecurity. The Directive goes a step further by recommending that not just management, but also staff members, receive training to gain a comprehensive understanding of cybersecurity.
Jurisdictional complexity
According to the NIS2 Directive, crucial and significant organizations are considered to be governed by the Member State in which they deliver their services.
In cases where an organization offers services across multiple Member States, it is subject to the jurisdiction of each of these states. For those organizations whose services are either provided or reliant on operations outside the EU, they are responsible for maintaining the uninterrupted provision of their EU services, even in the event of disturbances to their operations outside the EU.
Penalties
NIS1 had established penalties for non-adherence by OES and DSPs, whereas NIS2 imposes more severe penalties for non-adherence, which can reach up to 10% of an organization’s yearly revenue.
- For entities deemed essential: the administrative penalties can reach as high as €10,000,000 or a minimum of 2% of the global annual turnover from the preceding fiscal year of the parent company of the essential entity, depending on which value is greater.
- For entities classified as important: the administrative penalties can amount to €7,000,000 or at least 1.4% of the global annual turnover from the preceding fiscal year of the parent company of the important entity, depending on which value is greater.
How to prepare your organization for NIS2?
Anticipate and start preparing
Proactive readiness is a crucial factor in a company’s path to adherence. Securing the backing of senior leadership, the approval of stakeholders, and the necessary budget and resources is a process that requires patience. Expect potential setbacks and adhere to rigorous scheduling with firm deadlines. Furthermore, the establishment of certain new prerequisites, like the process for escalating incidents and reporting to the appropriate bodies, can be viewed as immediate victories and arranged beforehand.
Identify your organization’s critical processes
The initial step in the path to compliance involves pinpointing the key services, processes, and resources of the organization that deliver the vital service as outlined in NIS2. One way to accomplish this is through a comprehensive Business Impact Assessment across the organization, which emphasizes the organization’s crucial processes and their dependence on network and information systems. An essential component of this scoping task is establishing the business impact criteria that will determine whether a process, location, or resource falls within the scope.
Implement a risk and information security management system
Firms that fall under the purview of the NIS2 Directive are required to handle their cybersecurity risks. This necessitates the establishment of a system for managing risks and information security. The purpose of this system is to detect, address, and keep track of the firm’s cybersecurity risks, while also ensuring that responsibilities are allocated and crucial processes are in place. These include:
- Policies for security and risk management of information systems
- Procedures for dealing with and managing incidents
- Plans for business continuity and crisis management (including data backups and disaster recovery)
- Ensuring the security of the supply chain
- Security measures during the procurement, development, and maintenance of network and information systems, which includes handling and disclosing vulnerabilities
- Policies and procedures for evaluating the efficacy of measures for managing cybersecurity risks
- Use of encryption and multi-factor authentication
- Training and awareness programs for personnel
Initiate your IT supply chain security management process
Examine your IT vendors, particularly those that are essential for maintaining your operations. By identifying the vulnerabilities in your IT supply chain and the security gaps in your supplier’s systems, you can initiate the comprehensive process of addressing your contractual, operational, or technical shortcomings.
Promote a Cybersecurity-focused Environment
One of the most frequently mentioned, yet challenging to establish in many organizations, is the development of a cybersecurity-focused culture and a high level of information security awareness among employees. Staff members should understand their roles and responsibilities within the information security infrastructure. IT personnel should possess the necessary expertise to implement the required safeguards. Importantly, the organization’s leadership should recognize cybersecurity as a crucial factor for the organization’s survival in the digital age.
Pursue Relevant Advice and Support on Your Path
Our team of professionals has mastered NIS1 and is ready to guide and support you on your path to NIS2. EY is equipped to evaluate your preparedness, outline your compliance roadmap, determine your scope, establish and execute your risk and security management structures, secure your IT supply chain, and enhance your cybersecurity awareness initiative.
