The EU’s updated Network and Information Security Directive (NIS2) is placing an obligation on more cybersecurity professionals to ensure their organisations comply with the new rules.

NIS2 expands the scope of the previous directive to cover 18 different sectors, including manufacturing digital service providers and healthcare. The objective is to promote best practice and improve cybersecurity resilience in both traditional components of the national infrastructure (e.g. power distribution and transportation) and wider industry.

Risk Management

The rules – which come into effect on 18 October – aim to harmonise approaches to incident notifications, risk management, and information sharing across the European block. The directive also emphasises the importance of securing the supply chain, third party services and software – an increasing source of security issues and breaches.

If there is a cybersecurity breach, organisations have 24 hours to report it once they become aware of it, before following up with a fuller post-mortem once the dust has settled. There’s also a requirement to conduct regular cybersecurity audits and assessments.

The mandates cover multi-factor authentication, regular patch management, and the enforcement of acceptable use policies and least privilege. Maximum penalties for non-compliance include fines of up to €10m or two percent of a firm’s total annual worldwide turnover (revenue).

Upgrade

Compared with NIS (introduced in 2018), NIS2 will impact more organisations in more sectors and extend to mid-market entities.

Del Heppenstall, head of cyber at KPMG UK, told SC UK: "NIS2 represents a significant step forward in the EU's efforts to improve cybersecurity. Where the original directive didn't do enough to improve the cyber resilience of businesses, the more stringent technical controls and financial penalties are designed to improved this.”

Michael Covington, VP of strategy at Jamf, added: “The new directive has been introduced to address the digital threats and challenges that have arisen since the first directive was implemented in 2016. It looks to address the gaps seen in NIS, including the lack of clarity on how EU member states should implement the practices into their national laws, and the categorisation of companies that fell under its scope.”

Europe-Wide

Each EU member state is expected to enact or adjust its national legislation to fulfil the general goals and objectives imposed by the directive, creating a complex patchwork of national cybersecurity laws.

UK companies that offer in-scope products and services in the EU will also need to comply. Trevor Dearing, director of critical infrastructure at Illumio, explains: “Whilst UK companies are not directly subject to NIS2, the directive may inadvertently affect them. The scope of NIS2 also includes providers of essential services, which means UK service providers working with EU operators of essential services will be held accountable for their cybersecurity practices.”

Organisations within scope of the revised rules are expected to have a long-term cybersecurity strategy based on risk-based and threat-aware policies and procedures.

Dr Ilia Kolochenko, chief exec at ImmuniWeb, told SC UK that “most of the newly introduced technical requirements are well-known best practices that have, however, been widely ignored by some sectors or smaller businesses.”

Dr Kolochenko added: “Of note, NIS2 emphasises that cybersecurity is not a set of ad hoc tasks or spontaneous annual exercises, but a well-thought-out, risk-based and continuous process that involves cybersecurity professionals, business teams and board members.”

Roadmap

For larger organisations, rolling out an information security management system and implementing ISO 27000 offers a clear route towards compliance.

ISO 27000 series is considered the best practice to become NIS2 compliant, but might be too complex and time consuming for SME in practice. “The NCSC’s Cyber Essentials in the UK or the DIN SPEC 27076 in Germany offer alternative routes,” according to Dr Martin J. Kraemer, security awareness advocate at KnowBe4.

Organisations under NIS2 are also responsible for the security of their supply chain. “It makes sense for organisations not legally required to still follow the directive as a means to be ready for business,” Dr Kraemer added.

Brian Honan, chief executive of BH Consulting, said his security consultancy is taking on a great deal of work in helping firms prepare for compliance with the directive.

“The directive will require those organisations to ensure their cybersecurity controls are adequate for the level of risk those organisations face,” Honan said. “It also brings in a regulatory regime that places great responsibility and accountability onto the board and senior management.”

The biggest impact will be on vendors in the supply chain of regulated entities, Honan predicted. “Many businesses who are not directly impacted by the EU NIS2 directive but who supply services to those entities regulated by the direct will be required to prove to that they have appropriate cybersecurity controls in place,” Honan explained.

GDPR is, by contrast, a regulation and not a directives, and therefore automatically became law in all EU member states without national nuances or variations.

John Leyden Journalist