NIS2: Strengthening the cybersecurity of the EU’s strategic sectors
With society and the economy fully digitized, cybersecurity has become a major concern for public institutions in the European Union. This concern is being translated into the EU regulatory framework through initiatives such as the CER directive, the DORA regulation, and the ECB’s TIBER-EU project, the latter two focused on the banking sector. Along these lines, the Council and the European Parliament have approved the NIS2 directive, an update of the first European standard on cybersecurity, approved in 2016, to implement a common security level across the EU and secure its strategic sectors.
NIS2 will help harmonize cybersecurity strategies across the Union and improve information transfer channels and mechanisms between different countries and institutions.
Below, we will analyze the key aspects of NIS2 and how it will contribute to strengthening the cybersecurity of public and private entities operating in critical market sectors.
1. NIS, a pioneering initiative that has fallen short of the mark
The Network and Information Security (NIS) directive came into being more than five years ago, with the aim of ensuring efficient and uniform protection against attacks throughout the European Union. This legal text focused on three basic issues:
- Strengthening countries’ capacities to protect themselves against and respond to cyber-attacks, obliging them, for example, to have a Computer Security Incident Response Team (CSIRT).
- Encouraging cross-border collaboration, including the creation of the NIS Cooperation Group.
- Entrusting states with the national supervision of operators in critical market sectors, including providers of critical digital services such as cloud or search engines.
This standard was a step forward in the harmonization of cybersecurity protocols and the strengthening of states’ capacities, but its implementation was difficult and its results were uneven, both in terms of sectors and different countries.
1.1. Uneven implementation
In several states, critical entities were not classified as such and were therefore not obliged to implement the cybersecurity requirements established by the directive. This led to the paradox that, for example, in one state almost all healthcare providers were covered by the obligations of the NIS, while in another, even large hospitals fell outside the scope of the directive.
If we add to these limitations the fact that, in these six years, digitalization has accelerated, reaching practically the entire European productive fabric, the need to refresh the measures put in place became evident. The Commission, therefore, launched a proposal to amend and extend the scope of the directive: NIS2, a new common regulatory framework to secure European public and private entities involved in critical sectors.
2. Sectors covered by NIS2 and entities that must apply the directive
Two of the major changes in NIS2 compared with the original directive are precisely the expansion of the number of critical sectors and the increase in the number of entities that will be obliged to apply the security requirements established in the standard.
2.1. 15 sectors covered: from health to space
In the original directive, the sectors considered critical and whose security should be strengthened were:
- Energy
- Transport
- Banking and financial market infrastructure
- Health
- Digital infrastructure
- Water supply
- Digital service providers
To these seven original sectors, of vital importance to our day-to-day lives, such as energy or banking, NIS2 has added eight more, including the public sector:
- Providers of electronic communications, networks, or services.
- Digital services such as social media platforms or data centers
- Wastewater and waste management
- Critical product manufacturing (pharmaceuticals, medical, chemical…)
- Postal and courier services
- Food and beverages
- Public administration
- Space
These 15 sectors covered by NIS2 bring together those areas that are crucial for the development of the economy, but also the daily life of all European citizens.
It is also stipulated that this new directive will not apply to entities whose activities form part of defense, national security, public safety, law enforcement, or the judiciary. The same applies to the parliaments and central banks of EU member states.
2.2. Size-cap rule: inclusion of all medium-sized and large entities
As mentioned above, one of the main limitations of the NIS directive was the decision to give a wide margin of discretion to the states to establish the criteria based on which an organization was considered an operator of essential services (OES).
To address this, NIS2 introduces the size-cap rule as the criterion for determining which entities are OES. This rule focuses on the size of the organization: all medium-sized and large organizations that operate in any of the critical sectors covered by the NIS2 directive will be obliged to comply with the security requirements established therein.
In this way, the aim is to further harmonize cybersecurity protocols and strategies and avoid significant differences in the internal market.
3. The keys to NIS2
In addition to the extension of the companies obliged to comply with the directive’s rulings and the inclusion of public administrations, NIS2 broadens the scope of the measures contained in the original directive to:
- Establish a common cybersecurity baseline.
- Increase the resilience of companies and institutions.
- Reduce inconsistencies in the market.
- Harmonize security requirements, incident notification policies, oversight mechanisms, and the capabilities of state authorities.
- Optimize information and knowledge transmission channels between states.
3.1. Cybersecurity Risk Management
The text establishes a list of seven key elements that all in-scope companies and institutions will be required to implement:
- Information systems security risk analysis and policies.
- Incident management, including incident prevention, detection, response, and recovery.
- Business continuity and crisis management.
- Supply chain security, including security aspects of relationships with suppliers, such as those providing data processing services.
- Security in the acquisition, development, and maintenance of networks and information systems, including vulnerability management and disclosure.
- Policies and procedures for evaluating the effectiveness of cybersecurity risk management measures, such as security audits or pen-testing.
- Policy on the use of cryptography and encryption. Human resources security, access control policies, and asset management must also be ensured.
3.2. Incident notification
In addition to the measures to be taken to secure the systems of entities in critical sectors, NIS2 also stipulates a two-stage system for reporting cybersecurity incidents.
In the first stage, companies affected by such an incident will have 24 hours from the time they detect it to submit an initial report. This streamlines the notification obligation.
In the second stage, they will have to submit a final report, at the latest one month later, providing more precise data on the incident and contributing to a greater transfer of knowledge. This will help to prevent future cyber-attacks or problems.
3.3. Administrative sanctions
In addition to security measures and incident notification, NIS2 establishes a series of sanctions for organizations that fail to implement the former or carry out the latter.
These sanctions include binding instructions, the obligation to implement the recommendations made by a security audit, and financial penalties, which can be up to 10 million euros or 2% of the turnover of the company in question, worldwide.
States will thus be able to effectively supervise compliance with the measures included in NIS2 and, where compliance fails, will have the possibility of applying these administrative sanctions.
3.4. Improving communication and collective response mechanisms
Inter-state cooperation is at the very basis of the creation and functioning of the European Union. It should therefore come as no surprise that the new directive is committed to creating cooperation mechanisms in such a global and complex area as cybersecurity.
With the aim of improving preparedness and response capabilities, NIS2 provides for:
- The adoption of measures to increase the level of trust between the various competent authorities concerning security and the fight against cyber-attacks.
- The sharing of more and better information on incidents and vulnerabilities.
- The development of standards and procedures for managing large-scale crises.
The objective pursued by NIS2 in this area is to improve how the EU prevents, manages, and responds to cybersecurity incidents. To this end, it stipulates the responsibilities of each actor involved, supports appropriate planning, and encourages greater collaboration within the Union.
The new directive also establishes an EU-wide crisis management framework, requiring states to:
- Adopt a crisis management plan
- Designate national authorities to be involved in incident response at the EU level.
3.5. European Cyber Crisis Liaison Organization Network (EU-CyCLONe)
In the same vein, NIS2 will serve to implement the Cyber Crisis Liaison Organization Network. This network’s mission is to support the coordinated management of incidents whose impact transcends state borders. This is becoming increasingly common as a result of digitalization.
In addition, this mechanism is designed to promote the agile and regular exchange of information between the various competent authorities.
The implementation of EU-CyCLONe will not mean the disappearance of the NIS Cooperation Group, created by the directive still in force. Rather, this collaboration tool will be reinforced in terms of decision-making and increased cooperation.
3.6. National cybersecurity strategy and management systematization
Beyond the commitment to these structures that strengthen interstate cooperation, NIS2 continues to require each country to have a national cybersecurity strategy, as well as to establish the competent authorities responsible for supervising compliance with the directive at the national level.
States must also designate the CSIRT, the team in charge of managing notifications of security incidents and crises, and establish Single Points of Contact (SPOC) to centralize information and facilitate coordination with other EU states.
3.7. One more piece in the EU’s cybersecurity machinery
As indicated at the beginning of this article, NIS2 is part of the regulatory effort being made by the EU institutions, from the Commission to the ECB, to secure critical sectors of the European economy and society, and to develop a coherent and effective cybersecurity framework.
NIS2 is therefore fully consistent with three other initiatives:
- The revision of the CER directive, on the resilience of critical entities, which was proposed alongside NIS2 but focuses on combating physical threats to key sectors.
- The DORA regulation on digital operational resilience of financial institutions.
- A network code on cybersecurity with sector-specific rules, for cross-border electricity flows.
Given the succession of these projects, it is clear that the European Union will continue to devote time and resources to creating a common regulatory framework for cybersecurity to ensure that companies, institutions, and citizens are protected against malicious attacks and security incidents.
Therefore, companies must be prepared to face all the upcoming changes, comply with EU and state regulations, and have fully optimized security systems. This is especially true for companies operating in strategic or critical sectors.
4. Getting started with regulatory approval
It is therefore essential that all medium-sized and large organizations in strategic sectors start working on the measures and incident notification systems that NIS2 makes mandatory, paying particular attention to securing the supply chain.
In this regard, organizations must first perform a security audit of all their systems, software, and hardware. They must also hire cybersecurity services such as pentesting to detect existing vulnerabilities and implement a security strategy to address them.
This strategy must also include mechanisms to prevent new risks and to detect and respond to cyber-attacks, and it must implement measures to secure systems against both external and internal attackers, following the postulates of the Zero Trust philosophy.
Taking into account the importance of the agile and efficient transmission of information in the measures included in NIS2, efficient protocols must also be in place, in which each actor knows its role and which communication channels to use.
Finally, efforts must be made to train and raise awareness among all the organization’s employees, not just those involved in implementing the cybersecurity strategy.
4.1. Going further to get to the future sooner
The directive seeks to encourage the implementation of security programs that go beyond the requirements that form part of the NIS2 directive baseline.
At the speed at which the world, in general, is evolving, and the digitalization process in particular, cybersecurity will become increasingly relevant in our lives and the operation of companies and public institutions.
For this reason, security and the fight against cyber-attacks must form part of the business strategy, as another core element.
Those companies that make a serious commitment to securing their systems and safeguarding their information will be better positioned to face the future successfully, and to avoid cybersecurity crises that impact with extraordinary severity on the operation of the business and its reputation.
That’s why, at Tarlogic Security, we offer you a wide range of cybersecurity, cyberintelligence, and offensive security services and the experience accumulated by our professionals to detect risks and strengthen the protection of your business assets.
NIS2, TIBER-EU, and DORA demonstrate that the European Union is determined to strengthen its strategic sectors against attacks that can directly impact our lives and leave single market companies exposed.
This article is part of a series of articles about TIBER-EU