Understanding the NIS 2 Directive of the European Union

2022-08-16

The laws that govern the field of cybersecurity change constantly, along with the industry itself.

The Network and Information Systems (NIS) Directive of the European Union is one such law; it has just undergone a major update, moving from NIS to NIS 2. By introducing stricter requirements and standards for specific entities, the Directive seeks to strengthen cybersecurity throughout the European Union. This blog gives an extensive explanation of the NIS 2 Directive, its ramifications, and how companies can handle and comply with these new regulations.

 

Overview of the NIS 2 Directive

Directive (EU) 2022/2555, also referred to as the NIS 2 Directive, is a piece of legislation adopted by the European Union (EU). It was created to improve cybersecurity throughout the European Union by making certain that essential and important entities put in place appropriate organizational, operational, and technical safeguards against cybersecurity threats.

The Directive also addresses preventing incidents or minimizing their effects on the recipients of services and on other services. It emphasizes an all-hazards approach and the necessity of thorough risk management procedures.

 

The Official Name and Correct Usage of the NIS 2 Directive

The full title of the NIS 2 Directive is "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)."

Since NIS 2 is the form that appears in the Official Journal of the EU, it is the correct designation. Nonetheless, official documents have also used the spelling NIS2.

 

The NIS 2 Directive's Schedule and Deadlines

In December 2022, the NIS 2 Directive was formally published as Directive (EU) 2022/2555 in the Official Journal of the European Union. Member States must, by October 17, 2024, adopt and publish the measures necessary to comply with the NIS 2 Directive; those measures apply from October 18, 2024.

Directive (EU) 2016/1148, often known as the NIS Directive, which preceded the NIS 2 Directive, is repealed with effect from October 18, 2024. In addition, EU-CyCLONe (the European cyber crisis liaison organisation network) must report to the European Parliament and the Council on its activity by July 17, 2024, and then every 18 months after that.

 

Organizations Included under the NIS 2 Directive

The industries and organizations covered by the original NIS Directive remain within the NIS 2 Directive's scope. The new legislation introduces a size-cap rule, which means that all medium-sized and large organizations that operate in the sectors or offer the services covered by the Directive are subject to its provisions. In certain situations, the Directive also applies to certain essential and important entities regardless of their size.

Essential Entities

Operators in sectors such as energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure are examples of essential entities. They also include companies that offer specific digital services, such as cloud computing, internet search engines, and online marketplaces.

Important Entities

Manufacturing of certain essential products, waste water and waste management, chemicals, food, postal and courier services, and digital providers such as social networking platforms, public electronic communications networks, and domain name registration services are examples of sectors with important entities.

Organizations in Public Administration

Central and regional public administration bodies are also subject to the NIS 2 Directive. Note, however, that entities engaged in activities related to public security, law enforcement, defence or national security, or the judiciary are not covered by the Directive.

 

Principal Duties Under the NIS 2 Directive

The NIS 2 Directive lays out several important requirements for organizations that fall within its scope. These obligations mainly concern cybersecurity risk management, incident reporting, and training.

Risk Management

To manage the risks to their network and information systems, entities must implement appropriate and proportionate organizational, operational, and technical measures. Based on an all-hazards approach, these measures should include, among other things, policies on risk analysis, incident handling, business continuity, supply chain security, and the use of multi-factor authentication or continuous authentication solutions.

Incident Reporting

Entities must report any significant incident, or any cyber threat that could have resulted in a significant incident, to the Computer Security Incident Response Team (CSIRT) or the competent authority. Initial notification must be given within 24 hours of becoming aware of the incident, and there are also intermediate and final reporting requirements.

Management Bodies' Responsibilities

The management bodies of essential entities are subject to direct requirements under the NIS 2 Directive. They must approve and oversee the implementation of cybersecurity risk management measures. They must also complete training to acquire the knowledge and skills needed to identify risks and evaluate cybersecurity risk management practices.

Compliance and Enforcement Measures

The NIS 2 Directive introduces stricter enforcement measures, such as the power to demand data and documentation and to carry out security audits and inspections. Member States are empowered to establish effective, proportionate, and dissuasive penalties for violations of the Directive, with the potential for severe sanctions for noncompliance. Administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, may be imposed for specific violations.

Compliance of Non-EU Entities

An organization not established in the EU but providing services there must designate a representative. If the entity has no representative, every Member State where the entity offers services may take legal action against the entity for infringing the Directive.

 

Relationship Between the NIS 2 Directive and Other Regulations

The NIS 2 Directive is not the only law governing cybersecurity in the EU. Other sector-specific Union legal acts require organizations to implement cybersecurity risk-management measures or to report significant incidents. Where those requirements are at least equivalent in effect to the obligations laid down in the Directive, the corresponding provisions of the NIS 2 Directive do not apply to such entities.

Cross-reference to the DORA Regulation

For example, with respect to financial entities, the Digital Operational Resilience Act (DORA) is regarded as a sector-specific Union legal act relative to the NIS 2 Directive. As a result, DORA's provisions on information and communication technology risk management take precedence over those of the NIS 2 Directive. Member States should therefore refrain from applying the NIS 2 Directive's cybersecurity risk management and reporting obligations to financial entities covered by DORA.

 

Getting Ready for Compliance with the NIS 2 Directive

Complying with the NIS 2 Directive requires proactive measures. Organizations must begin by assessing their existing cybersecurity practices, identifying any weaknesses, and taking action to improve their security posture.

A Risk-Based Approach to Security

One of the main requirements of the NIS 2 Directive is that organizations implement a risk-based approach to security. This entails carrying out regular risk assessments to identify potential threats and vulnerabilities and putting policies and controls in place to address the threats that are found.

Put Multi-Factor Authentication into Practice

Multi-factor authentication adds an extra layer of protection to user authentication. To access a system or resource, users must supply two or more authentication factors, such as a password combined with a second, independent factor.

Secure File Sharing

Putting in place a secure file-sharing solution helps prevent unauthorized parties from accessing confidential information. This can involve tools that monitor which employees are sharing files and access control policies that grant access to the data only to those who are permitted.

End-to-End Encryption

Sensitive data must be encrypted end to end when it is stored or sent across a network. Encryption renders the data unintelligible until it is decrypted with the appropriate key. AES-256 is one of the many encryption algorithms that can be employed.

Training and Awareness Programs

Last but not least, thorough security awareness and training programs are essential to ensuring that employees understand appropriate cybersecurity practices and can recognize and avoid potential threats. Training on social engineering techniques, phishing schemes, and creating strong passwords are a few examples.

Final Thoughts

The NIS 2 Directive is an important improvement to the cybersecurity landscape in the European Union. It expands the range of sectors and organizations it covers, tightens security requirements, and imposes more severe sanctions for noncompliance. All entities must understand these new criteria and take the required actions to ensure compliance, regardless of whether they are explicitly covered by the Directive. It is also important to remember that the NIS 2 Directive is only one component of the EU's cybersecurity regulatory framework; organizations must also be aware of other sector-specific laws.



By Sasly Ahmeth, Social Media Executive & IT Support, GLC Europe, Colombo Office, Sri Lanka. 
