The objective of the NIS2 directive is to address the disparities in cybersecurity obligations among member states and foster cooperation. Aligned with the European digital single market strategy, it expands its reach to encompass a broader range of sectors and sub-sectors, as well as all entities under certain conditions, irrespective of their size. The directive introduces several measures such as compliance audits, incident notifications, and detailed technical and organisational requirements for risk management. Additionally, it establishes minimum sanction standards and relies on EU-CyCLONe and the CSIRTs network to facilitate cross-border coordination on cybersecurity. The content stresses the importance of organisations understanding their sector and category within the NIS2 framework, initiating preparations promptly, and assessing their compliance and maturity levels. Various methodologies, processes, and tools are mentioned to aid in achieving compliance objectives and enhancing overall resilience.
Ensuring compliance with the NIS2 (SRI2) directive was the topic of our recent webinar hosted by Devoteam. Cassandre Laguette, a governance, risk and compliance consultant at Cyber Trust, and Quentin SGARD from Cyber Trust discussed how NIS2/SRI2 will have lasting impacts on the way cyber security is approached and managed in Europe.
The Impact of Cyber Attacks on European States, Activists, and SMEs
All of us know that cyberspace has become a crucial vector for offensive operations by state and non-state actors in Europe, as well as for activists and criminals. The first NIS directive was adopted in 2016 in this context of rising tension in cyberspace, and it was the first piece of European legislation dedicated to cyber security. Since then, many severe attacks have occurred on European territory and abroad, targeting vulnerable public entities such as hospitals or state organisations with the aim of political, geopolitical, and reputational destabilisation. This is visible in the Russo-Ukrainian conflict, where severe attacks on critical infrastructure such as power plants have become increasingly frequent.
In fact, more and more sectors and activities end up affected by cyber attacks, which in turn disrupt the proper functioning and safety of our society and economy. The multiplication of cyber attacks in Europe has also not spared smaller entities. Here in France, the national cyber security authority ANSSI has estimated that around 52 percent of ransomware attacks in 2021 and 2022 were aimed at small and medium-sized enterprises (SMEs).
In this context of growing attacks and targets, member states had to significantly expand the list of organisations subject to obligations and sanctions under the previous text, NIS1. As various scandals and major cyber attacks made the news, more and more differences in national application became apparent, leaving Europe with uneven and ineffective protection and very poor cooperation between countries.
This is where NIS2 comes into play. It was always the EU legislator's intent to have NIS1 revised after a few years: the text of NIS1 itself provides for a review to take account of changes in technology and context, because NIS1 was always more of a trial run.
NIS2 Directive: Securing Networks and Information Systems in Europe
NIS2 falls within the European digital single market strategy for 2030, specifically the digital security and cooperation programme. This programme aims to identify the challenges of securing networks and information systems in Europe. Its goal is to make the prevention of cyber threats and cooperation between member states the pillars of the EU transition to a digital tomorrow.
NIS1 granted member states broad freedom in how they applied cybersecurity obligations, and the NIS2 directive aims to address the noticeable discrepancies that resulted. It is crucial to understand that NIS2 is part of a dense legislative framework. It needs to be reconciled with other related texts and sectoral regulations that complement NIS2. Under the principle of lex specialis, such sector-specific regulations prevail over the general rule, provided their requirements are at least equivalent in effect. For instance, if there is a specific regulation for the financial sector, it takes precedence over the text of NIS2. Additionally, NIS2 should be considered in the context of other EU texts that cover various aspects of the digital strategy, not solely information system security. These texts often apply to entities covered by NIS2 and contribute to their overall resilience and compliance measures. It is essential to analyse the regulations applicable to your sector of activity to optimise your compliance programme. Furthermore, broader regulations such as the GDPR may apply to your organisation, complementing the requirements of NIS2.
Improvements and Novelties of NIS2: Sectoral Scope, Compliance Measures, and Sanctions
So now, if we look at the improvements and novelties of NIS2, you can see that the sectoral scope of NIS1 included 30 types of entities. NIS2 covers many more sectors and sub-sectors, with a total of 67 types of entities. Furthermore, NIS2 now includes all entities, regardless of their size, under certain conditions, in response to the increasing number of cyber attacks against SMEs mentioned earlier. Covered entities must also address security across their supply chain, so the compliance measures reach their suppliers indirectly.
A striking measure in the new directive is its emphasis on ex ante compliance audits: audits performed by national cybersecurity authorities to review how your information security measures are applied. The text sets very short deadlines for incident notifications to the authorities: 24 hours for the early warning, 72 hours for a more detailed notification, and one month for the final report. It is also worth noting that the directive provides detailed technical and organisational measures related to risk management. The Commission will publish more detailed guidance on what constitutes a significant incident; currently, we do not have a precise definition of one. It is also expected to detail the list of security measures before the transposition deadline in October 2024. In this regard, the Commission is fully involved in the process, but we already have a clear idea of what a very impactful incident could be and what a significant incident means.
As you can see, NIS1 left complete freedom to states when it came to sanctions, which increased the discrepancies between member states. NIS2 rectifies this by setting clear minimum sanctions. Remember that sanctions will also depend on the category of entity under NIS2. As we will see in just a minute, NIS2 differentiates between essential and important entities. This differentiation is mainly based on their size, but other criteria also come into play.
And last but not least, maybe not the most interesting piece of this discussion, one of the goals of the NIS2 directive is to encourage cooperation between member states. It therefore formally establishes EU-CyCLONe (the European cyber crisis liaison organisation network) and builds on the CSIRTs network to prepare for and manage cross-border cybersecurity crises in Europe.
NIS2 Scope Expansion: Implications, Compliance, and Preparation
NIS2 is known for its wide scope expansion into many sectors that were not mentioned in NIS1. However, some of these sectors had already been identified by member states during the transposition of NIS1. As mentioned before, there were significant discrepancies in this process, leading to uneven implementation across member states. This is why NIS2 includes many more sectors and sub-sectors, confirming the choices made by certain member states.
The scope of NIS1 already covered public or private entities above a certain size, with some SMEs excluded, in two categories: operators of essential services (OES) and digital service providers (DSPs).
In NIS2, the differentiation between operators of essential services and digital service providers has been completely abandoned. Instead, digital service providers are included based on their criticality, in one of the sectors of high criticality listed in Annex 1 or the other critical sectors listed in Annex 2. On the slide, you can see the new sectors: all operators of essential services from NIS1 are covered by the sectors of high criticality, alongside four new sectors. The other critical sectors are all new compared to NIS1, except for online marketplaces and search engines.
Apart from the sectoral expansion, the biggest novelty of NIS2 in terms of its scope is that SMEs are now included under certain criteria. Additionally, in each sector, operators are required to verify the compliance of their supply chain.
This means that even if your organisation does not fit one of the types of entities listed in Annexes 1 and 2, if your customers or prospects are on this list, they may require you to comply with NIS2. In any case, it is wise to maintain customer trust and stay competitive by demonstrating compliance early, even before the transposition.
At Devoteam, we have developed a method to prepare for NIS2, which our customers have already followed successfully. The first step of this method is understanding the sector and category to which each of your organisation's entities belongs. This is crucial to grasp how NIS2 will impact your business.
When to Start Preparing for NIS2: Key Considerations and Recommendations
The short answer to this question is that you should start as soon as possible. Waiting for the transposition would be a mistake. The final version of the directive was adopted last December, and although national transpositions may introduce some specificities, the text is precise enough to serve as a basis for the evaluations needed for proper preparation.
Member states have until October 2024 to complete the transposition and identify the organisations in their jurisdiction that fall under NIS2. This means there is less than a year and a half to conduct preparation evaluations, establish a remediation plan, and implement appropriate actions. Sometimes, this requires a complete review of governance, including the establishment of an effective incident reporting mechanism.
Therefore, it is not only possible but strongly recommended to carry out a readiness and compliance assessment against NIS2 at this stage. This will help identify any existing gaps and understand the schedule and costs involved in the remediation plans.
The question, therefore, is not when to prepare, but how to prepare effectively.
Understanding the Impact of NIS2: Categories, Obligations, and Preparation
Keep in mind that if your organisation is a large group or a conglomerate of entities, it is very likely that these entities do not all have the same activities and can find themselves in different categories of NIS2, which would impact them differently. Now, this list of sectors on the screen is informative, but what does it mean? Is there a difference between the sectors of high criticality and the other critical sectors? This is where NIS2 becomes more complex. The difference in treatment between entities does not lie in the separation between Annexes 1 and 2. Instead, entities from both annexes are classified as essential or important based on certain criteria, and an entity from Annex 1 or Annex 2 can end up in either category.
Under NIS2, essential entities are those listed in Annex 1 that exceed the ceiling for medium-sized enterprises under EU law (i.e. large enterprises), together with, regardless of size, qualified trust service providers, top-level domain name registries and DNS service providers, providers of public electronic communications networks or services that are at least medium-sized, public administration entities of central government, and certain other entities (including regional or local public administrations) identified by member states during transposition. Important entities encompass all entities mentioned in Annexes 1 or 2 that are not considered essential.
So, what are the differences between essential entities and important entities? Well, there are very few. The obligations are the same. The only changes relate to administrative fines and the supervision by national authorities: essential entities are subject to proactive (ex ante) supervision, while important entities are supervised after the fact, for example following an incident.
In terms of methodology, the NIS2 directive drives security and organisational requirements ranging from internal control to access management, vulnerability and patch management, and incident reporting. Implementing a variety of processes, policies, and documentation is necessary. A good strategy to start your preparation is to first understand your organisation's maturity in terms of governance, protection, incident management, and crisis management.
Such a preparatory analysis offers additional advantages. In some cases, the initial compliance analysis we conducted for our customers revealed critical security risks and organisational deficiencies, which were then addressed, thus enhancing the organisation's resilience regardless of NIS2 preparation.
These are the main aspects we address in our audit methodology to help you understand your overall maturity level in the context of NIS2. This will enable you to develop an action plan to ensure compliance by the transposition deadline. Additionally, we offer tools and solutions to help you assess your maturity level and ensure compliance with NIS2.