NIS2: a New Framework for Business Cybersecurity in the EU

17 October is the deadline for organisations to adopt and publish the measures needed to comply with NIS2, the new European cyber security directive. Here are the key points.

The NIS2 directive (Network Information Security and Information Systems) comes into force on 17 October. This new EU legislation is designed to raise cybersecurity standards across the region.

Experts in the field indicate that the entry into force of the NIS2 marks a turning point in the European regulatory landscape, raising the standards of data protection and critical systems.

This regulation replaces the first NIS directive, approved in 2016: a long interval for a sector such as technology, which advances so quickly, and even more so after the leap in the digital transformation of society following the pandemic and with the boom in artificial intelligence.

Thus, NIS2 brings a revision and extension of the previous regulation, establishing a more robust and demanding framework to protect essential services and digital infrastructures, with the aim of reducing cyber risks.

Who is affected by NIS2?

One of the main novelties of NIS2 is that its scope is broader than under the previous directive. This extension seeks to cover a broader spectrum of sectors and entities, considering that cyberspace is increasingly interconnected and cyber threats are more sophisticated.

The scope of the directive depends on three factors: location, size and sector. Regarding the first point, it affects those organisations that offer services or carry out activities in any EU member state, as indicated by S2 Grupo.

Regarding size, it is limited to medium and large organisations, both public and private, following the EU classification criteria. Under those criteria, ‘a medium-sized enterprise employs fewer than 250 employees, has a turnover not exceeding EUR 50 million and an annual balance sheet total not exceeding EUR 43 million’.

And with regard to sector, the NIS2 affects all organisations operating in 11 high criticality sectors and 7 other critical sectors. These sectors are considered critical because of their impact on both society and the economy.

The first group includes energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management and public administration, among others.

In addition, the directive identifies other sectors which, although not as critical as the above, may have a significant impact in the event of a cyber attack: postal and courier services, waste management, chemical manufacturing and distribution, food production and distribution, manufacturing of other goods, research and, finally, digital service providers such as DNS services, ecommerce platforms, search engines and cloud services. Even if these providers are not directly involved in critical sectors, they may be targets of cyber attacks that could affect many users.

The deadline for each state to draw up the list of essential and important entities is 17 April 2025.

More stringent

The new rules impose more stringent obligations in terms of risk management, incident detection and response, and cooperation with competent authorities.

Firstly, the directive requires the implementation of a robust risk management system, including the identification, assessment and treatment of cyber threats.

It also sets out more detailed requirements for the detection, reporting and response to security incidents, including notification of competent authorities and collaboration in investigations.

Organisations are also required to develop business continuity plans to ensure that their services can be maintained in the event of a cyber incident. Companies are also obliged to assess their supply chain risks.

In order to adapt to the new obligations, organisations need to take a number of steps.

Assess risks. ‘Systematically and continuously assessing cyber threats will help to identify potential vulnerabilities. This involves analysing all digital assets to determine where these threats may occur. Risk management should be a dynamic process that adjusts to new technologies and attack tactics. In this way, companies will be able to prioritise the most critical areas and design effective mitigation strategies to safeguard their systems,’ Softtek said.

Check Point Software Technologies says that ‘the first step is to conduct a thorough inventory of the IT infrastructure, identifying assets, current security measures and potential vulnerabilities’. In addition, it recommends hiring specialised consultants to conduct a gap and risk analysis in accordance with ISO 27001 and develop a comprehensive security plan.

Secure the supply chain. Softtek reminds companies to ensure that their partners and suppliers meet the same cybersecurity standards. ‘It is necessary to undertake regular audits, follow security protocols and evaluate protection measures. By securing the supply chain, organisations not only protect their own systems, but also those of their customers and partners,’ the company stresses.

In addition, Check Point stresses that ‘companies must comprehensively protect their supply chains, both physical and digital’. ‘This means that all supply chains in and out of the company or facility must be examined for potential vulnerabilities and relevant areas must be additionally secured’.

General security. ‘Companies need to adopt a comprehensive cyber security strategy that not only protects critical assets, but also ensures the overall protection of the entire digital infrastructure. This means implementing robust security measures such as identity and access management and continuous threat monitoring. Cybersecurity must be a priority at all levels of the organisation to mitigate risks and protect the integrity of information and systems,’ Softtek said.

Similarly, Check Point emphasises the importance of security in the acquisition, development and maintenance of systems. ‘It is essential to secure access points to the IT infrastructure. It must also be ensured that outsiders cannot gain unauthorised access to communications, add data or steal data’.

For example, the company advises to ‘use next-generation firewalls to control access to the server, ensure that APIs used are authenticated, authorised and encrypted to prevent data leakage and install Identity and Access Management (IAM) and Zero Trust when it comes to access rights’.

Protect critical infrastructure. Softtek notes that companies operating such infrastructures have a duty to implement advanced security measures to protect against offensives that could have national or international repercussions. ‘This means applying encryption, multi-factor authentication and network segmentation to prevent attackers from gaining access to sensitive systems,’ the company says.

In line with this, Check Point points out that data encryption ‘is key to protecting stored, processed and transmitted data’. ‘Companies must implement robust encryption policies and constantly update their methods to be prepared for new threats.’

Monitoring and auditing. ‘There are various security tools and platforms with automation capabilities such as machine learning and artificial intelligence that help protect networks and systems. It is also important to engage security experts to select, implement and maintain the systems necessary for NIS2 to ensure continuous information and establish monitoring systems to detect and respond to unusual activity in real time,’ notes Check Point.

Softtek also advises constantly monitoring networks and systems and detecting anomalies instantly. In this regard, it points out that there are solutions that can identify threats before they become serious attacks, allowing for quick action and mitigation of damage, as well as providing a complete view of the organisation’s security status and helping to prevent potential vulnerabilities. ‘This proactive approach is key to staying ahead of attackers in an ever-evolving cyber threat environment,’ the company says.

Security incident management. Despite all efforts, it is still possible that an incident will occur, so you have to be prepared. ‘It is crucial to have a team in place to monitor and respond to security incidents. Penetration testing should be regular to assess attack readiness. It is suggested to contract Managed Security Services (MSS) from a highly secure Security Operations Centre (SOC),’ says Check Point.

Softtek also emphasises the ‘proactivity’ of incident management. ‘It involves having robust and well-defined response plans in place before a security breach occurs. In this way, organisations can react quickly, contain the threat and minimise the impact on operations. It’s not just about stopping the attack, but reducing downtime and preventing significant data loss, which can lead to a loss of customer confidence.’

Risk training. ‘Basic cyber hygiene measures and hiring experts to provide regular IT security training and education to IT teams helps ensure that they are prepared for an emergency and can take preventative measures in advance,’ specifies Check Point.

In addition, Softtek notes that ‘everyone in the organisation should be aware of cyber risks and receive ongoing cybersecurity training. This includes educating staff on current threats, best practices to prevent attacks and procedures to follow in the event of an incident.

‘Fostering a security culture where every employee feels responsible for protecting digital assets will help reduce the likelihood of human error and improve responsiveness to potential events,’ the security company adds.

Cybersecurity on the board. Linked to the previous point, Check Point stresses that ‘cybersecurity is no longer just the playground of the CIO or CISO’, but that ‘the board and the rest of the executive team need to be able to trust that their cybersecurity structure is sufficiently resilient against the types of cyberattacks that are directed against them’.

Similarly, Softtek notes that senior management needs to be involved in the cybersecurity strategy to make protection a priority across the organisation. ‘The board of directors must be informed and engaged in key decisions that affect the security of the company, from resource allocation to policy setting. By embedding cyber security at the highest level of decision-making, the organisational culture around security is strengthened. This makes the response to any threat faster and more coordinated,’ the company says.

Complying with regulations. Finally, Softtek reminds companies that they must adapt and keep up to date with legislative updates in order to adjust their policies and procedures to the cybersecurity regulatory environment, which is constantly evolving to face new digital threats. ‘Compliance helps to avoid sanctions and provides a solid foundation for creating an organisational culture of cybersecurity’.

Notification obligations

One of the highlights of the NIS2 is the notification obligation in the event of a cybersecurity ‘significant incident’. The regulation specifies that this is defined as an incident that ‘has caused or is likely to cause a serious disruption to the operation of services or financial loss to the entity concerned’, or that ‘has affected or is likely to affect other natural or legal persons causing them significant material or immaterial damage’.

In the event of such an incident, organisations are obliged to notify the CSIRT (incident response team) or the competent authority, to be designated in each member state’s transposition of the directive.

Thus, companies must issue an early warning ‘without undue delay and in any case within 24 hours of becoming aware of the significant incident’.

This should indicate whether the significant incident is suspected to be caused by unlawful or malicious acts or could have a cross-border impact.

The NIS2 also requires notification of the significant incident ‘without undue delay and in any event within 72 hours of knowledge’, updating the early warning information and indicating an initial assessment of the incident, including its severity and impact, as well as indicators of compromise, if available.

If requested by the CSIRT or the competent authority, an interim report on the relevant status updates shall be provided.

Finally, no later than one month after the incident notification, a final report shall be issued, which shall include a detailed description of the incident, including its severity and impact; the type of threat or root cause that is likely to have triggered the incident; mitigation measures implemented and ongoing; and cross-border impact of the incident, if any.

If the incident is still ongoing at the time of submission of the final report, the regulation notes that ‘member states shall ensure that the entities concerned provide a progress report at that time and a final report within one month after the incident has been dealt with’.
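As an added example, not from the article or from any of the firms it quotes, the following Python sketch turns the notification timeline above into computed deadlines, including the case where the incident is still ongoing when the final report falls due. It assumes the final report is counted from the 72-hour notification deadline unless the actual submission time is supplied, and reads ‘one month’ as the same calendar day of the following month, clamped to that month’s length; both are assumptions, not definitions from the directive.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def add_one_month(t: datetime) -> datetime:
    """'One month' read as the same day of the next month, clamped to that
    month's length (an assumption; the directive does not define it)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))


@dataclass
class Nis2Timeline:
    early_warning_by: datetime                    # 24 h after becoming aware
    notification_by: datetime                     # 72 h after becoming aware
    final_report_by: datetime                     # one month after the notification
    progress_report_at: Optional[datetime]        # set only if still ongoing then
    final_after_handling_by: Optional[datetime]   # one month after handling


def nis2_timeline(aware_at: datetime,
                  notified_at: Optional[datetime] = None,
                  handled_at: Optional[datetime] = None) -> Nis2Timeline:
    """Compute the NIS2 reporting milestones from the moment of awareness.
    notified_at: when the 72-hour notification was actually sent (defaults to
    its deadline, an assumption). handled_at: when the incident was dealt with
    (None means it is still ongoing)."""
    early = aware_at + timedelta(hours=24)
    notif_deadline = aware_at + timedelta(hours=72)
    final = add_one_month(notified_at or notif_deadline)
    if handled_at is not None and handled_at <= final:
        return Nis2Timeline(early, notif_deadline, final, None, None)
    # Still ongoing when the final report falls due: a progress report is due
    # then, and the final report one month after the incident is dealt with.
    after = add_one_month(handled_at) if handled_at else None
    return Nis2Timeline(early, notif_deadline, final, final, after)


def overdue_milestones(tl: Nis2Timeline, now: datetime) -> list:
    """Names of milestones whose deadline has already passed at `now`,
    for use in an incident tracker or playbook checklist."""
    due = [("early_warning", tl.early_warning_by),
           ("notification", tl.notification_by),
           ("final_report", tl.final_report_by),
           ("final_report_after_handling", tl.final_after_handling_by)]
    return [name for name, when in due if when is not None and now > when]
```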

Supervision and sanctions

The NIS2 also states that organisations may be subject to supervision to verify compliance with the obligations set out in the regulation. Such monitoring may be carried out both ex ante and ex post, on a regular and ad hoc basis.

‘In the case of significant institutions, supervision shall be ex post and ad hoc. Temporary suspension of activities could be applied in cases of severe risks to national or EU security,’ says S2 Grupo.

Supervisory actions include on-site inspections, security audits, security analyses, requests for information needed to assess the risk management measures taken, requests for access to data and information for monitoring purposes and requests for evidence of the implementation of cybersecurity policies, such as the results of audits, for example.

In the event of non-compliance, sanctions range from a warning or the adoption of specific instructions to ordering public disclosure of non-compliance, administrative fines, suspension and temporary bans, as detailed by S2 Grupo.

The fines provided for in the NIS2 are not negligible. For essential entities, the maximum is 10 million euros or up to 2% of total annual worldwide turnover, whichever is higher. For significant entities, the maximum is 7 million euros or 1.4% of total annual worldwide turnover.

Each member state has until 17 January 2025 to communicate the applicable penalty regime.