
NIS2 Directive Requirements: Understanding Its Scope and Ensuring Compliance


The NIS2 Directive, an evolution of the EU’s commitment to a high common level of cybersecurity, marks a significant step towards enhancing the resilience and security of network and information systems across the Union. This comprehensive piece outlines the essence of the NIS2 Directive, its broadened scope, the entities it affects, and the imperative measures these entities must adopt to align with the Directive’s mandates.

The Essence of NIS2

The NIS2 Directive, officially known as Directive (EU) 2022/2555, replaces the pioneering NIS Directive to address the evolving and complex cybersecurity landscape. It aims to ensure a uniform level of cybersecurity across all Member States, focusing on vital sectors that, if compromised, could have significant repercussions on the internal market and the public welfare at large.

Expanded Scope: Who is Affected?

NIS2’s reach extends beyond its predecessor, covering a wider array of sectors and digital services, thereby affecting a larger pool of entities. These are categorized as either ‘essential’ or ‘important’ entities, with each category subjected to specific compliance obligations.

Essential Entities

These include sectors of high criticality such as:

  • Energy: Including electricity, oil, gas, and hydrogen suppliers.
  • Transport: Covering air, rail, water, and road transport.
  • Health: Encompassing healthcare providers and manufacturers of critical medical devices.
  • Digital Infrastructure: Internet exchange points, DNS service providers, TLD name registries, data centers, and cloud computing services.
  • Public Administration: Entities at central and regional levels.
  • Space: Operators of ground-based infrastructure supporting space-based services.

For example, a hospital managing patient data and providing essential healthcare services falls under the ‘essential’ category.

Important Entities

These cover sectors like:

  • Postal and Courier Services
  • Waste Management
  • Chemical: Entities involved in the manufacture and distribution of chemicals.
  • Food: Companies engaged in food production, processing, and distribution.
  • Digital Providers: Including online marketplaces, search engines, and social networking service platforms.

A courier service ensuring the distribution of critical supplies exemplifies an ‘important’ entity.

Compliance Obligations and Deadlines

Entities identified under NIS2 are required to implement stringent cybersecurity measures tailored to the risks facing their network and information systems. These measures span risk management, incident handling, and reporting obligations, ensuring both the resilience of essential services and the protection of sensitive data.

Key Deadlines and Actions For Member States

  1. Transposition into National Law: Member States are required to adopt and publish the measures necessary to comply with the Directive by 17 October 2024. This deadline allows Member States to tailor the Directive’s requirements to their national context and ensure that the necessary legal frameworks are in place.
  2. Application of Measures: The measures adopted by Member States in transposition of the Directive are to be applied from 18 October 2024. This marks the date when the entities covered by the Directive need to have complied with the new requirements, ensuring a higher level of cybersecurity across the EU.
  3. Review and Reporting: The European Commission is tasked with reviewing the functioning of the Directive and reporting its findings to the European Parliament and to the Council by 17 October 2027. This review will assess the effectiveness of the Directive in improving cybersecurity across the EU and may lead to further legislative proposals or amendments.

NIS2 Directive Requirements For Businesses

For entities within the scope of NIS2, proactive engagement with cybersecurity practices is no longer optional but a regulatory requirement. Entities must:

  • assess their cybersecurity posture,
  • identify gaps in compliance, and
  • implement the necessary technical and organizational measures to safeguard their operations and the services they provide.

The NIS2 Directive lays a significant emphasis on the responsibility of essential and important entities to ensure the security of their network and information systems. This involves a culture of risk management, tailored to the risks faced by these entities.

Cybersecurity Risk-Management Measures

Cybersecurity measures must:

  • Take into account the entity’s dependence on network and information systems, including measures to prevent, detect, respond to, and recover from incidents, and to mitigate their impact.
  • Be based on an all-hazards approach to protect from events such as theft, fire, flood, telecommunication or power failures, or unauthorized physical access.
  • Include security of stored, transmitted, and processed data, and consider systemic analysis that includes the human factor for a complete security picture.
  • Address physical and environmental security, human resources security, and have in place appropriate access control policies, in line with international standards like those in the ISO/IEC 27000 series.

Compliance and Certification

Entities may demonstrate compliance through the use of relevant European and international standards or by using certified ICT products, ICT services, and ICT processes, especially in the absence of appropriate European cybersecurity certification schemes.

Proportionality of Measures

The required cybersecurity measures should be proportional to the risks posed, considering the state of the art, relevant standards, and the implementation costs. They should also be proportionate to the entity’s exposure to risks and the societal and economic impact an incident would have.

Supply Chain and Service Provider Risks

Entities must address risks arising from their supply chain and from their relationships with suppliers and service providers, such as providers of data storage or processing services, or software editors. This includes assessing the overall quality and resilience of products and services as well as the cybersecurity practices of their suppliers and service providers.

Cyber Hygiene and Awareness

Entities are encouraged to adopt cyber hygiene practices like zero-trust principles, software updates, and identity and access management. They should also raise awareness about cyber threats and evaluate their cybersecurity capabilities, integrating enhancing technologies like artificial intelligence or machine learning when appropriate.

Supply Chain Security Assessments

The Cooperation Group, in collaboration with the Commission and ENISA, is tasked with conducting coordinated security risk assessments of critical supply chains. These assessments aim to identify sector-specific critical ICT services, systems, or products and their associated threats and vulnerabilities, alongside measures, mitigation plans, and best practices to counter supply chain risks.

The NIS2 Directive thus emphasizes a proactive, comprehensive approach to cybersecurity, demanding that essential and important entities not only safeguard their own systems but also consider the broader ecosystem in which they operate, including supply chains and academic and research collaborations. The directive’s requirements are designed to foster a resilient digital infrastructure across the EU, capable of withstanding and rapidly recovering from cyber incidents.

Conclusion

The NIS2 Directive represents a pivotal shift towards a more secure and resilient digital Europe. By broadening its scope and setting forth rigorous compliance requirements, NIS2 aims to fortify the cybersecurity framework across key sectors, ensuring that both essential and important entities are equipped to face the cyber challenges of today and tomorrow. Entities affected by this Directive must take timely action to comply with its provisions, contributing to the collective cyber resilience of the European Union.
