NIS stands for “Network and Information Security”. The original NIS Directive (Directive (EU) 2016/1148) required EU member states to identify operators of essential services and certain digital service providers, and introduced cybersecurity and incident-reporting obligations for those identified entities.
Less than 5 years after its publication, the original NIS had proven to be flawed. NIS2 (Directive (EU) 2022/2555) is the revised version: it was formally adopted on 28 November 2022, published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023. Member states have until 17 October 2024 to transpose the NIS2 directive’s measures into their national legislation.
What is NIS2?
The NIS was introduced in 2016 as the European Union’s first cybersecurity directive. It aimed to protect Europe’s organizations and citizens by making sure all “essential” sectors in all member states were taking the necessary steps to prevent cyber-attacks.
The problem with the NIS was that each member state interpreted the directive’s relatively vague terms differently, which resulted in uneven implementation across the EU. A service considered essential in one country was not recognized as such in another, and so on.
Armed with experience from the first NIS attempt, EU representatives went back to the drawing board and came out with an improved version at the end of November 2022: the NIS2.
It spells out the directive’s intentions and leaves much less room for individual interpretation – the scope is listed in detail and the requirements are more clear-cut, so there is far less room for inconsistencies across countries. Sanctions and fines have been prescribed as well, with minimum maximum amounts that every member state must adopt.
EU member states have until 17 October 2024 to transpose the NIS2 requirements into their national legislation.
What is the purpose of NIS2?
The goal of NIS2 is to create a standard level of protection across the EU by implementing cybersecurity requirements and measures in all EU member states.
It lists affected sectors, identifies security requirements, unifies reporting obligations, and introduces enforcement measures and sanctions.
All this is meant to protect the critical infrastructure and the citizens of the EU from cyber-attacks.
What is the scope of NIS2?
One area that the NIS2 has improved upon significantly compared to the NIS is the scope. It’s now much more specific in listing which sectors are affected by NIS2 – no more creative license on the part of member states.
Notice that providers of digital infrastructure and digital services are also included in NIS2’s scope. This means that even organizations that are not established in the EU can be affected if they offer essential or important services within the EU; such organizations must designate a representative in a member state. Cloud service providers, DNS service providers, social networking platforms, search engines, online marketplaces and similar providers should all take notice.
NIS2 sets the baseline for cybersecurity risk management in these industries and sectors, among others:
- Energy, transport and healthcare
- Banking and financial market infrastructure
- Water supply and waste water
- Public administration (central and regional levels)
- Waste management
- Postal and courier services
- Manufacturing of medical devices
- Chemical and pharmaceutical production
- Digital infrastructure and digital service providers
As a rule, medium-sized and large organizations operating within these sectors fall under NIS2’s scope. Smaller entities are covered in specific cases as well, for example where they are the sole provider of a service in a member state, or where they provide certain digital infrastructure such as DNS services, TLD name registries or trust services.
Essential vs. important entities in NIS2
Entities that fall under the NIS2 framework are divided into two categories: ‘essential’ and ‘important’.
The main differentiation is that a disruption of services in the essential group would be expected to have serious consequences for the country’s economy or society as a whole. Broadly, large entities in sectors such as healthcare, energy, transportation, banking and digital infrastructure fall into the essential category; most other in-scope entities are classified as important.
Both types of entities must comply with the same security measures and reporting obligations. Those classified as ‘essential’ are, however, under proactive (ex ante) supervision, including regular audits and inspections. ‘Important’ entities are supervised reactively (ex post): authorities act when they receive evidence or indications of non-compliance. The maximum fines also differ: at least EUR 10 million or 2% of worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% for important entities, whichever is higher.
What changes will NIS2 bring?
Besides providing a wider and more detailed scope (see above), NIS2 will bring about the following changes/updates (compared to the original NIS):
NIS2 security requirements
NIS2 sets out a framework of strengthened security requirements. The wide latitude to tailor adherence to these requirements under the original NIS led to gaps, so NIS2 instead specifies a minimum set of measures that every in-scope entity must implement, proportionate to its size, its exposure to risk and the likely impact of an incident.
Article 21 requires at least these areas to be addressed:
- risk assessment and management
- cybersecurity training and basic cyber hygiene
- security policies
- business continuity, including backup management and disaster recovery, and crisis management
- supply chain security
- vulnerability handling and disclosure, and incident handling and reporting
- access control, asset management and multi-factor authentication
- cryptography and, where appropriate, data encryption
A more elaborate list of measures regarding the enforcement of the NIS2 is also part of the new directive. Fines and sanctions have been prescribed, with binding instructions on when and how to use them.
Again, there should be no grey areas that leave interpretation up in the air.
Incident reporting is mandatory, and the exact process is set out in NIS2, including the content and timing of the reports.
Under NIS2, member states can no longer decide for themselves whether or how incidents must be reported.
Every significant incident must be reported: one that has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or that has affected, or is capable of affecting, others by causing considerable material or non-material damage. Reporting therefore does not wait until an attack has actually disrupted operations, and the collected reports allow authorities to monitor and respond better to potential threats.
The directive sets out a staged approach. An early warning must be submitted to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, stating whether it is suspected to be malicious or to have cross-border impact. An incident notification follows within 72 hours, with an initial assessment of severity and impact and any indicators of compromise. A final report is due within one month; if the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within a month of the incident being handled. Where relevant, recipients of the affected service must also be informed.
Each member state will also need to designate one or more national Computer Security Incident Response Teams (CSIRTs) and a competent authority responsible for cybersecurity.
The NIS2 directive recognizes the significance of coordination and communication between EU member states – the goal is, after all, to shield the European Union from breaches in relative unity.
Not only will each member state have a national authority dedicated to cybersecurity; the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is established to coordinate the management of large-scale cybersecurity incidents and crises at EU level.
This creates a system of cooperation between all of the EU’s member states, making the protection of networks and data a common effort.
How can Safetica help you protect data?
With Safetica, you can quickly run a data audit and identify what types of data are used in your organization.
Sensitive Data Overview
Safetica provides an overview of the information flows and sensitive data storage, helps you to monitor user operations, and provides you with reports on how data is processed.
Data Classification and Security Policies
With Safetica, you can easily classify data so you can apply DLP policies and enforce desired behaviors when users interact with sensitive information.
Safetica helps you to encrypt your data. Encryption is centrally managed in the Safetica management console.
Data Leakage Notification
In case of a security incident, Safetica’s real-time email alert system notifies the appropriate personnel and provides details, so you can take follow-up actions, minimize the impact of a data leak and gather the information needed for the incident reports described above.
With Safetica and its DLP policies, you can support your compliance efforts not only for NIS2 but also for other regulations and standards, such as GDPR, ISO 27001, PCI DSS, CMMC, and more.