NIS 2 strengthens EU powers

European Union Member States have until October this year to incorporate NIS 2 into their national laws, as it is the keystone of the European Cybersecurity Strategy. So how and why is this latest version of the NIS Directive different? And how does it fit in with other EU initiatives, like DORA and CER?

Expanded scope, more definition 

NIS 2 has expanded to bring more sectors within its scope and redefines the organisations it covers. It also reflects the huge changes in our digital landscape since NIS 1 back in 2018. 

Farewell, OES and DSP – hello, Essential and Important

The distinction between operators of essential services (OES) and digital service providers (DSP) has been ditched. Entities are now categorised as either “essential” or “important,” based on their size and industry. (Member States have discretion to identify smaller entities with high security risks for inclusion.) 

Essential entities are typically large companies in critical sectors, while important entities are medium-sized enterprises in critical sectors or large/medium-sized enterprises in other specified sectors. The level of supervision and sanctions differs; essential entities will be more tightly controlled and sanctioned than important entities. 

Exceptions exist, with certain entities automatically designated as “essential” regardless of size (e.g. providers of public electronic communications networks). Additionally, national authorities can designate entities as “essential” or “important” based on factors like the significance of their services to public safety or health. 

Overall, the system for determining scope is complex, with further specifications possible at the national level. It's important to note that these rules represent the minimum standards set by Europe, and individual Member States can implement additional or stricter measures as they see fit (Articles 2, 3 and 4 of the Directive). 

Key sectors affected include energy, water, healthcare, transport, waste management, postal services, manufacturing and digital infrastructure. Financial services are also affected, with some specific exceptions under the EU’s Digital Operational Resilience Act (DORA). 

Why now?

The NIS Directive, as the first EU cyber security law, aimed to enhance the resilience of network and information systems across the EU. In many respects it was successful, though it had limitations. These were laid bare during the coronavirus pandemic, which accelerated the move to online services in ways the drafters of the original NIS Directive did not anticipate. 

Worldwide, economies have become heavily reliant on digital solutions, leading to increased interconnectedness and interdependency across sectors and services. This heightened digital dependency has resulted in a rapidly evolving cyber security threat landscape, where disruptions in one entity or sector can have widespread and prolonged impacts across the internal market. 

To address these challenges, the European Commission consulted with stakeholders and identified issues such as inadequate cyber resilience among EU businesses, inconsistent resilience across Member States and sectors, a lack of common understanding of threats, and a need for a joint crisis response. 

One significant change in response to the pandemic is the expansion of the Directive's scope to include more specific elements in the health sector, for example medical research and development organisations. 

Tougher demands, stronger cooperation – and bigger penalties 

NIS 2 intends to build on the foundations laid by the previous NIS Directive. NIS 2 mandates Member States to adopt national cyber security strategies and designate national Computer Security Incident Response Teams (CSIRTs) and competent cyber security authorities. 

It also establishes a single point of contact for cross-border cooperation. The Directive continues frameworks for strategic cooperation and information exchange among Member States and promotes operational cooperation between national CSIRTs. It covers seven vital sectors reliant on ICT, requiring operators of essential services to conduct cyber security risk assessments and implement security measures. 

Digital service providers are also subject to security and notification requirements, with a ‘light-touch’ regulatory approach. The NIS 2 Directive broadens the scope of sectors and introduces size thresholds for entities required to report significant cyber security incidents to national authorities. 

It addresses supply chain cyber security, with provisions for individual companies and coordinated risk assessments at the European level. The directive enforces stricter supervisory measures and harmonises sanctions regimes across Member States. It enhances the role of the Cooperation Group and operational cooperation among members of the CSIRT network, by establishing a body for managing large-scale cyber security incidents – the splendidly named European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). 

NIS 2 also establishes a framework for “coordinated vulnerability disclosure” and creates an EU vulnerability database operated by the EU Agency for Cyber Security (ENISA). 

The new NIS Directive focuses on supervision and enforcement, establishing a coherent framework for competent authorities across Member States. 

Intersection with DORA and CER 

NIS 2 is closely associated with two other EU initiatives; the Digital Operational Resilience Act (DORA) for the financial sector, and the Critical Entities Resilience (CER) Directive. 

DORA

While the new NIS Directive encompasses credit institutions, trading venue operators, and central counterparties, DORA applies to these entities specifically for cyber security risk management and reporting obligations. Maintaining robust information exchange between the financial sector and other sectors under NIS 2 is crucial. 

Under DORA, the European Supervisory Authorities (ESAs) and national competent authorities for the financial sector can participate in discussions of the NIS Cooperation Group. Additionally, DORA authorities can consult and share information with Single Points of Contacts (SPOCs) and CSIRTs established under NIS 2, while also receiving details of major ICT-related incidents from DORA authorities. 

EU Member States are encouraged to include the financial sector in their cyber security strategies, and national CSIRTs may extend coverage to the financial sector in their operations. 

DORA takes full effect in January 2025. .

CER 

The scopes of NIS 2 and the CER Directive have been largely aligned to comprehensively address the physical and cyber resilience of critical entities. Entities identified as critical under the CER Directive will also have to meet the cyber security obligations of NIS 2. 

Moreover, national competent authorities mandated by both directives must regularly cooperate and exchange pertinent information on risks, cyber threats, and incidents, as well as non-cyber risks and threats. The Cooperation Group under NIS 2 will convene regularly, including at least once a year with the Critical Entities Resilience Group established under the CER Directive. 

Positive impacts and greater confidence 

A bit of negativity can creep in when discussing new regulations, which is perhaps inevitable when so much of the focus is on to-do lists and penalties. But there are reasons to be positive about NIS 2. Even if your organisation is not covered by the Directive, it could benefit from embracing its aims. 

If implemented properly, NIS 2’s required measures will improve the overall cyber security posture of an organisation by reducing the risk of attacks and data breaches.

Even the more stringent reporting requirements set out in NIS 2 are going to foster greater transparency – especially in the financial sector. That’s cause for optimism about the opportunities for better incident response and collaboration. 

When coupled with DORA, NIS 2 is part of a greater consistency in the approach to cyber security standards across the EU. This levels the playing field somewhat for financial entities in different Member States, and makes the culture of collaboration and transparency more achievable. 

Finally, it is worth mentioning that the Directive recognises that there is no ‘one-size-fits-all’ approach to cyber security. Specific requirements vary, depending on an organisation’s sector and size. 

Points to ponder 

Risk management: Companies will need to conduct regular risk assessments, identify and prioritise vulnerabilities, and put in place appropriate controls to mitigate those risks. This could involve investing in security tools, conducting penetration testing, and raising employee awareness. You may need to engage specialists or upgrade your existing capabilities. 

Incident reporting and response: Significant cyber incidents must be reported to authorities within 24 hours, and less significant ones within 72 hours. Timely and accurate reporting depends on robust incident response plans and processes. Tabletop exercises are a great way to be prepared should the unthinkable actually happen

NIS 2 fast facts 

• Longform title: Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) 
• Comes into effect October 2024 (adopted January 2023)
• Designed to enhance cyber security across vital sectors in the EU including: energy; transport; healthcare; waste management; postal services; drinking and wastewater; digital infrastructure; manufacturing; and financial services (DORA exceptions apply) 

 

Key features at a glance 

• Enhanced risk management requirements: Organisations must identify and assess cyber security risks, put in place appropriate mitigation measures, and conduct regular risk assessments 
• Mandatory incident reporting: Significant cyber incidents within 24 hours, less significant incidents within 72 hours
• Supply chain security: Organisations must manage security risks posed by third-party suppliers
• Stricter penalties for non-compliance: Fines of up to €10m or 2% of annual turnover
• Increased transparency: EU Member States must report on NIS 2 implementation and share information with other Member States and the European Commission