After the wave of ransomware and phishing attacks of the last few years, the EU’s NIS Directive (Network and Information Security Directive) has been updated to NIS 2, to bolster cyber-resilience and help companies break the continuous cycle of cyber-attacks.
According to research from the National Data Protection Survey, more than half of Irish companies suffered a data breach in 2020. This is reflected in the 6,802 data breach notifications received by Ireland’s Data Protection Commission (DPC) in 2021, placing Ireland in the unenviable position of having the second-highest level of notifications per capita in Europe.
By following NIS 2 guidance, a company can become cyber-resilient. Here are some of the details of NIS 2 and how to use it to keep your company cyber-safe and compliant.
What is new in the NIS 2 Directive?
Laws and directives are often updated to reflect changes in the environment, the expectations of citizens and consumers, etc.
The original EU Network and Information Systems Directive, (EU) 2016/1148 (the NIS Directive), was adopted in 2016 with transposition by Member States due in 2018, so it is a relatively young piece of legislation. Article 23 of the directive nevertheless requires the Commission to review it periodically, and the EU Cybersecurity Strategy for the Digital Decade, published in December 2020, called for the NIS Directive to be revised. These review requirements, together with escalating cyber-attacks, digital transformation, disruption from the pandemic and the shift to remote work, have resulted in the updated directive, NIS 2.
Who does the NIS 2 Directive affect?
NIS 2 modifies and expands the set of organisations that come under the umbrella of the directive. The original NIS Directive defined covered entities as “operators of essential services” (OESs) and “digital service providers” (DSPs). The scope is now generalised to ‘essential’ or ‘important’ entities, with the classification depending on how critical the organisation is to the economy and society. NIS 2 also brings additional sectors into scope, including postal and courier services, data centres, food production and distribution, and waste management.
The full list of sectors can be found in Annexes I and II of NIS 2.
Is the GDPR the same as the NIS 2 Directive?
The two instruments address different things: the GDPR is focused on the privacy of personal data and how organisations handle and process it, whereas NIS 2 is focused on cyber-risk mitigation through a risk-management approach. The two are linked, however, because security breaches lead to privacy exposure. By complying with NIS 2, a company will also cover some of the security-of-processing requirements of the GDPR (Article 32), e.g., encryption of personal data.
What are the changes in NIS 2?
Size of companies included in scope
A size-cap rule now brings all medium and large companies in the covered sectors into scope. Small and micro-organisations are generally exempt but can still be brought under the directive, because flexibility is built in to include small companies whose services are seen as high risk.
Risk-based security measures
A risk-based approach to security underpins the new security obligations of NIS 2. This approach is in line with other regulations such as the GDPR. Incident response, crisis management and risk management play a key role in compliance with NIS 2 and should be the basis for implementing the security measures outlined in the directive. The measures include:
- Risk analysis and information system security policies
- Business continuity and crisis management
- Vulnerability handling and disclosure
- Cyber security testing and auditing
- Effective use of encryption
- Multi-factor authentication
- Secured voice, video, and text communications
- Secured emergency communications systems
The ‘important’ or ‘essential’ classification assigned to a company under the directive affects the level of cybersecurity risk-management and reporting obligations it has under NIS 2: essential entities are subject to proactive supervision, whereas important entities are supervised after the fact, when evidence of non-compliance emerges.
Management of third-party risks in the supply chain
The supply chain is a focus of cyber-attacks. This was evidenced in a 2021 survey from BlueVoyant that interviewed 1,200 CIOs, CISOs, and Chief Procurement Officers about supply chain cybersecurity. The results showed that 97% of companies had been “negatively impacted” by a cybersecurity breach originating at a supply chain vendor. NIS 2 takes this risk into account by requiring stringent risk management of the supply chain, including the security-related aspects of the relationship between an entity and its direct suppliers and service providers.
Incident reporting obligations
Reporting requirements are streamlined but expanded to include notification of significant cyber threats that could result in a significant incident. Reports must be made to the competent authority designated by each Member State or to its CSIRT (computer security incident response team). Where an incident could adversely affect the provision of a service, the recipients of that service must also be informed. Reporting must be done “without undue delay”. The adopted text sets a staged timeline: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month.
Management accountability
Company management will be held accountable for compliance with the cybersecurity risk-management measures: management bodies must approve the measures, oversee their implementation, and follow training so that they can assess cyber-risk. Risk is no longer the sole responsibility of the IT function; it belongs to the organisation and its board as a whole.
Broader implications of the NIS 2 Directive for Irish businesses
Irish companies must establish which NIS 2 classification they fall under, i.e., are they an essential or important entity? In some cases a company may find itself in a hybrid situation, providing both essential and important services.
NIS 2 applies to entities that provide their services or carry out their activities in the EU, regardless of where they are headquartered, so a manufacturer with a plant in Ireland falls under the NIS 2 remit even if its parent company and other plants are elsewhere. In this respect NIS 2 uses language similar to the GDPR’s on the offering of services within the Union. The extended security obligations of NIS 2 will affect all covered entities in Ireland, so those companies must prepare for compliance. Any Irish company that is required to comply with NIS 2 should lay the groundwork by developing its cyber-fitness through risk-based analysis and implementation.
What can you do to get cyber-fit for the NIS 2 Directive?
A robust ethos of risk analysis and preparation is baked into NIS 2. A risk-based, holistic approach to cybersecurity threat mitigation is the foundation stone of the directive, so a solid cyber-fitness strategy must be established for compliance. But what does this mean in practice?
A modern approach to cybersecurity requires a strategic and pragmatic set of measures. This begins with an ethos built on three pillars: people, process, and technology. These pillars reflect the ways in which cybercriminals and other cyber-threats (including accidental data exposure) take hold and become security incidents. The threat landscape is complicated by the digitisation of services, remote working, and other factors such as the exploitation of poor security behaviours. A 360-degree view of cybersecurity takes this complicated landscape into account.
A solid cyber strategy encompasses:
People: security awareness training and security certification to upskill staff.
Process: IT audit, governance systems, and data management systems.
Technology: best-fit technologies determined by the overall security strategy built on people and process; measures typically include robust authentication, encryption, and endpoint security.
In cyber-security risk mitigation the whole is greater than the sum of its parts; expert security services use the people, process and technology ethos to establish a baseline of cyber-fitness for your organisation. This baseline is then continually reassessed to ensure it keeps pace with changing technology and the cyber-security landscape.
Time for you to get ready!
NIS 2 is a positive move by the EU to harmonise cybersecurity efforts across Member States, but the directive is stringent in its requirements. A programme of cyber-fitness that brings together people, process, and technology ensures that a company is prepared not only for continued cyber-attacks but also for meeting the remit of the NIS 2 Directive.
If your organisation is a covered entity and fails to build and maintain cyber-fitness, the result will be fines and penalties. NIS 2 allows fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities. These fines apply to non-compliance with the risk-management measures or the reporting obligations.
The worst case for a non-compliant company is a combination of breach notification costs, GDPR fines, NIS 2 fines, bad publicity and loss of service availability: the result could be catastrophic.
NIS 2 entered into force on 16 January 2023, and Member States have until 17 October 2024 to transpose it into national law. It takes time to become cyber-ready for NIS 2, so the time to establish your company’s cyber-fitness in readiness for this important directive is now.
A strong cybersecurity strategy is key to your readiness for the new NIS 2 Directive. Enterprise Defence are award-winning experts in developing effective cyber strategies that will help transform your cyber confidence. Get in touch today to see how we can help your organisation.