NIS 2 - what, who, where and when?
October 17th, 2024 marks the day that the EU's updated cyber security legislation, NIS2, becomes effective. By then, EU member states will have to publish and adopt the measures needed to comply with this directive. With the one-year countdown beginning on October 17th, 2023, what is this updated legislation, and what do organisations have to consider? Well, let's have a look.
The current NIS Directive: an overview
The EU's NIS Directive (Network and Information Systems Directive) is the first EU-wide cyber security legislation. Its aim is to achieve a consistent level of network and information system security across the critical infrastructure of EU member states. The directive came into force across the EU in 2016, and in UK law in 2018 as 'The Network and Information Systems Regulations 2018'.
NIS applies to operators of essential services (OES) and relevant digital service providers (RDSPs). These include sectors such as energy, transport, water and healthcare, online marketplaces, search engines and cloud computing services.
NIS does not apply to small businesses, meaning those with fewer than 50 employees and an annual turnover below €10 million.
The NIS Directive requires these operators to take appropriate security measures and to report incidents that significantly affect the continuity of the services they provide. Digital service providers are likewise required to notify the authorities of incidents that significantly affect the availability of their services.
NIS2 is simply the second edition of the directive. It aims to bring the EU up to speed and establish a higher level of cyber security and resilience within organisations across the EU. EU member states will have to incorporate NIS2 into their national legislation by October 17th, 2024. A full timeline can be found here.
Organisations falling under this directive must ensure compliance by taking various measures, such as identifying and managing risks, assessing their security status, securing privileged access, implementing defences against ransomware, formalising incident response plans, educating their workforce and so on.
The old NIS Directive allowed member states to determine which organisations met the criteria for operators of essential services (OES). NIS2, however, introduces a size-cap rule: all medium and large organisations operating within the sectors, or providing the services, covered by the directive fall in scope.
NIS2 will apply to organisations classed as "essential" or "important", with more than 50 employees and an annual turnover exceeding €10 million, alongside the organisations covered by the original NIS Directive. It will also apply to all UK-based OES organisations that operate within the EU.
Several existing cyber security and information security frameworks align well with these requirements, ISO 27001 being one of them. According to isms.online, this is because the information security management system (ISMS) required by ISO 27001 provides evidence that the organisation is managing the risks associated with information security threats. By mapping NIS2 obligations onto ISO 27001, organisations can use their existing ISO 27001 certification to fulfil those obligations, saving both time and resources.
Ultimately, adherence to both NIS2 and ISO 27001 can aid organisations in reducing cyber security threats, safeguarding their information assets, and upholding the trust of their customers and stakeholders.
What's been updated?
NIS2 has been designed with three objectives:
Increase cyber resilience in a growing number of OES sectors across the EU
The ICO defines these as services critical to national infrastructure (e.g. water, energy, transport) or important to the economy and wider society, such as health services and digital infrastructure
Reduce inconsistencies in the levels of resilience across sectors already covered by NIS
Improve information-sharing and set new rules for incident response, enhancing trust between regulators
What are the minimum requirements?
NIS2 Article 21 requires EU member states to ensure that in-scope organisations take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems. These measures must take into account best practice and, where applicable, relevant European and international standards, as well as the cost of implementation.
The proportionality of the measures should be judged against the organisation's exposure to risk, its size, the likelihood of incidents occurring and their severity, including societal and economic impacts.
The measures should be based on an "all-hazards approach" that aims to protect network and information systems, and the physical environment of those systems, from incidents. At a minimum they must cover the following:
Policies on risk analysis and information system security
Business continuity, such as backup management and disaster recovery, and crisis management
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Policies and procedures to assess the effectiveness of cyber security risk-management measures
Basic cyber hygiene practices and cyber security training
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
Human resources security, access control policies and asset management
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate
The organisation's perspective
Organisations that fall within the scope of NIS2 will have to address the measures listed above in order to achieve compliance. Further guidance from the EU and its member states can be expected as the date on which NIS2 becomes effective approaches. Organisations that already operate a framework such as ISO 27001 should find that they meet the majority of these requirements, with the information security management system (ISMS) providing the evidence that each measure has been addressed.
Organisations that do not yet have these security measures in place should begin building out their security programmes now, to future-proof themselves.