NIS2 – what’s new?


The NIS, originally adopted in 2017, has already put certain measures on the table to improve the cybersecurity of European companies that are considered critical infrastructure.

The initial NIS directive (NIS1) only applied to organisations from sectors such as energy and utilities, banks and financial trading platforms, transport, and healthcare. The new directive, NIS2, significantly expands the number of sectors (and the types of entity within each sector) to which it applies, now covering vital, essential, and key sectors according to their criticality:

  • Digital infrastructure
  • B2B management of ICT Services
  • Postal and courier services
  • Waste management
  • Manufacturing, production and distribution (of chemicals, food, medical devices, computing and electrical equipment, amongst others)
  • Digital Providers
  • Research

Improving cybersecurity is one of the key milestones set by the European Commission in recent years, hence the EU created the Network and Information Systems Directive (NIS). The goal of NIS is to establish a uniform level of security for both network and information systems.

For now, let’s focus on digital infrastructure (cloud services, telecommunications, data centres, DNS…) and B2B ICT Service management.

The digital infrastructure sector was already included in the first NIS directive. With NIS2, B2B ICT service management is new, so anything that falls under these categories is now treated as a critical sector and must therefore comply with the national legislation that implements the directive.

Within B2B ICT service management, this now covers MSPs and MSSPs as a defined sub-sector, including organisations that provide (virtually) managed workstations or operate a Security Operations Centre (SOC).

What will be particularly important for these organisations is that, in addition to the requirements or conditions imposed by their industry (such as ISO or PCI DSS), they will also have to comply with national government rules. While NIS2 is a European directive, it is up to national governments to enact legislation that complies with it.

If sector-specific legislation with more stringent cybersecurity rules applies, then that legislation takes precedence (lex specialis), but only for the requirements that are more stringent. A typical example of this is the Digital Operational Resilience Act (DORA) for the financial sector.

Requirements and actions to be taken by vital, essential, and key sectors following NIS 2 to manage and mitigate risks include (but are not limited to):

  • Management responsibility for compliance with cybersecurity risk management measures
  • Conducting a risk analysis and having an information systems security policy
  • A process for preventing, noticing, handling and dealing with incidents
  • A process for business continuity and crisis management
  • Rigorous cyber security for the supply chain
  • Taking information security into account when acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to measure the effectiveness of measures taken

Looking at this summary, you will probably sense some familiarity and think “surely this is very similar to the requirements for ISO 27001 certification?”, which is true. The general expectation is that companies that already hold ISO 27001 certification will have less to do in order to meet the requirements imposed by the government.

If you hold an ISO 27001 certificate (or similar), you are not quite where NIS 2 needs you to be… yet. This is because there are also requirements for incident and vulnerability reporting, which aren’t covered by ISO 27001, so most organisations will still have to set up and implement that part of the process.

How the NIS 2 directive will be implemented, and the expected timescales, may vary from one EU member state to another. As it is still early days, little is known at the time of writing. In certain member states, such as Belgium, the necessary preliminary steps have already been taken by the Centre for Cybersecurity Belgium (CCB), with a view to introducing a new law by 2024.

However, the transposition of the directive into national law isn’t quite ready yet. Many initiatives have already been set up by various governments and, of course, there is always a lot more work to be done!

This is only touching the surface. There’s so much more to talk about with NIS2 – the sub-areas of the directive, the connections it has to other standards and regulations… but hopefully this whets your appetite for now. Stay tuned for more!
