We offer comprehensive data security solutions that help organizations to act in accordance with and be accountable towards the NIS2 directive – CipherTrust Manager!
The NIS Directive (EU 2016/1148) was the first piece of EU-wide legislation on cybersecurity. Its revision, NIS2, is currently under negotiation and is expected to enter into force in 2024. But what is NIS2 about and what preparations are needed from organizations?
For operators of critical industrial infrastructure, the legislation presents an opportunity to assess capabilities and operations against strengthened cybersecurity requirements. But for organizations that haven’t upgraded their cyber capabilities, it’s also a wake-up call on the need to better address cyber security threats to their infrastructure and ensure that their operations comply with the NIS2 legislation.
The following sectors will be under the scope of the NIS2 regulation:
- Essential entities: energy; transport; banking; financial markets infrastructure; health; drinking water and wastewater; digital infrastructure; public administration; space
- Important entities: postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers
What are the changes in NIS2 Directive?
NIS2 encompasses three changes when compared to NIS:
1. Expanded applicability
Under the current Directive, operators of essential services (such as banks, healthcare providers, and providers of drinking water and energy) and digital service providers (including cloud service providers and online marketplaces) are already required to improve their digital security and report cyber incidents.
NIS2 broadens the scope of NIS by adding new industries, such as telecommunications, postal services, social media platforms, and public administration, which includes state and provincial government agencies.
Entities under the purview of NIS2 will be divided into two categories: essential entities and important entities, with distinctions made based on the importance of the connected sectors. Important entities are primarily medium- to large-sized entities, for which a hypothetical disruption of services would not have severe societal or economic repercussions.
NIS2 will also apply to subcontractors and service providers with access to vital infrastructure, who were left out of the original version of the regulation because vulnerabilities in a provider's infrastructure could compromise the security of the critical organization for which it operates. In the energy sector, for instance, security precautions will no longer be limited to electricity producers, transporters, and distributors. All subcontractors for essential infrastructure will be affected.
2. Strengthened security requirements
NIS2 includes a list of seven elements that all companies must address or implement as part of the security measures they take:
- Risk analysis and information system security policies.
- Incident handling (prevention, detection, and response to incidents).
- Business continuity and crisis management.
- Supply chain security.
- Security in network and information systems.
- Policies and procedures for cybersecurity risk management measures.
- The use of cryptography and encryption.
The proposal suggests a two-step process for incident reporting. Affected businesses are required to file an initial report within 24 hours of discovering an event, followed by a final report within one month.
In the supervision and implementation of these measures, management bodies will play a key and active role. Regarding enforcement, NIS2 specifies a minimum list of administrative sanctions that may be imposed on businesses that violate the regulation governing cybersecurity risk management or their reporting duties under the Directive. These sanctions include:
- Fines up to 10 million EUR or 2% of the total global annual turnover
- Management liability
- Temporary bans against managers
- Designation of a monitoring officer
3. Improved cooperation
NIS2 comprises provisions for measures to strengthen the level of confidence between responsible authorities, information sharing between competent authorities, and crisis response protocols.
In addition, the EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe) was developed to facilitate the coordinated management of cyber crises across the EU. In addition, the amended Directive would establish an EU crisis management framework, requiring Member States to prepare a plan and designate national competent entities accountable for reacting to cyber events and crises at the EU level.
What does that mean?
NIS2 holds organizations directly responsible. When outsourcing their Information Communications Technology (ICT) activities, for instance, to process and store data in the cloud, organizations must apply additional “technical and organizational measures” to be able to indeed take their share of responsibility and thus compensate for the loss of control (outsourcing).
Why Cryptography and Encryption?
Implementing cryptography and encryption is a way for an organization to enforce technical and organizational measures: encrypted data can no longer be accessed without additional information (a cryptographic key) and thus give organizations control over their cloud-based assets.
The NIS2 directive aims to establish the minimum standards for cyber risk management and reporting obligations through a broader application than the present NIS Directive by including additional industries and both medium and large organizations.
With more security measures required to be implemented to strengthen cybersecurity for key information and communication technologies, the affected organizations will also have the obligation to submit an initial notification within 24 hours to the relevant competent authority in case of any significant cyber threat. Failure to comply may result in EU member states conducting coordinated risk assessments of essential supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity and resulting in fines and sanctions.
How can we help?
Protect transaction and personal data at rest with CipherTrust Manager. It can enable organizations to centrally manage encryption keys and deliver a variety of encryption, tokenization, and data masking solutions to protect transaction and personal data in files, folders, applications, and databases on-premises, in the cloud, and across hybrid environments.