The NIS 2 Directive – your questions answered
Charlotte Graire, Senior Manager of Business Growth, answers the 5 Ws around the EU’s incoming NIS 2 Directive.
A new European cyber security regulation is arriving soon.
The second iteration of the Directive on Security of Network and Information Systems (NIS 2) is designed to strengthen Member States’ cyber security capabilities and reduce fragmentation at different levels across the internal market. Within this, it’ll directly address the limits identified in the first Directive.
The introduction of NIS 2 inevitably raises questions. Which sectors are affected? Why now (isn’t the original NIS Directive just five years old)? When will organisations have to start complying? And most importantly, what does this mean for your organisation?
Let’s take a closer look at all these questions – and more – with the aim of bringing some clarity to this complex regulatory change.
When is NIS 2 going to arrive?
The EU’s original NIS Directive entered into force in August 2016, providing a legal framework designed to enhance the overall cyber security posture of organisations in key sectors. Just four years later, the European Commission declared that the original Directive had “by now proven its limitations”. So, its revision was accelerated to Q4 2020, and the updated NIS 2 Directive was born!
As of December 2021, the EU Council has agreed its position on NIS 2, meaning it’s now in the so-called “trilogue” phase. In layman’s terms, this involves informal meetings between representatives of the EU Parliament, the Council and the Commission. After this, all that’s left is for the Council presidency to gain approval from Parliament before a final version of the Directive can be agreed. Experts believe this will likely be by June 2022. Once it’s approved, Member States will have two years to transpose NIS 2 into their national laws.
Why do organisations need NIS 2?
After thoroughly evaluating how the original NIS Directive worked in practice, the European Commission drew several conclusions: firstly, that the Directive covered an insufficient number of sectors, and secondly, that it was too ambiguous.
The NIS Directive made it possible for Member States to adopt vastly different security and incident reporting requirements – creating significant complexity for companies operating across multiple jurisdictions. Plus, its supervision and enforcement regimes were deemed ineffective – as Member States didn’t systematically share information with each other.
It’s also worth noting that the original NIS Directive couldn’t have predicted the outbreak of a global pandemic less than four years later! The corresponding rise of remote working and adoption of cloud technologies has no doubt accelerated the need for an update.
What will change from NIS to NIS 2?
The updated requirements of the NIS 2 Directive can be broadly grouped into the following areas.
Risk Management: NIS 2 imposes a basic list of risk management requirements. These include risk analysis, information system security policies, incident handling procedures, business continuity and crisis management preparation, supply chain security, testing and auditing to assess the effectiveness of risk management measures, and the use of cryptography and encryption. What’s more, the new Directive obliges organisations to manage third party cyber security risks throughout their supply chains.
Reporting: The NIS 2 Directive expands reporting obligations to cover any incident with the potential to cause substantial operational or financial damage. It also introduces precise provisions on the process for incident reporting (including the timing and content of reports). In addition, the Directive requires EU countries to designate a Computer Security Incident Response Team to facilitate interactions between reporting entities, IT manufacturers and IT service providers.
Vulnerability disclosure: NIS 2 encourages so-called “coordinated vulnerability disclosure”. In short, this means ethical hackers can report vulnerabilities, so they can be diagnosed and remedied. To support this, a database of known vulnerabilities will be kept by the European Union Agency for Cyber Security (ENISA).
Penalties: So, what happens to rule breakers? According to NIS 2, organisations that fail to comply can be hit with a fine of €10 million, or 2% of their global annual turnover – whichever figure is higher. Organisations that persistently break the rules can also face suspended authorisations, or sanctions against their senior management team. It’s worth noting that an amendment to the legislation – Compromise Amendment 1 – specifically stipulates that NIS 2 “lays down supervision and enforcement obligations on Member States”. In this way, NIS 2 moves further away from a reactive approach, towards a proactive European cyber security model – laying the foundations for a strong Digital Europe.
Who is concerned by this update to the NIS Directive?
Ten industry sectors fall under the scope of NIS 2. They are:
- Financial market infrastructures
- Drinking water
- Digital infrastructure
- Public administration
All medium and large companies in these sectors fall under the Directive, with EU countries given the flexibility to identify which smaller organisations should be included.
What’s more, NIS 2 no longer distinguishes between operators of essential services and digital service providers. Instead, organisations are classified as either “essential” or “important”. Both categories must comply with the same cyber security reporting and management requirements. However, the way they are supervised and penalised differs, with “important” entities only investigated if evidence of non-compliance emerges.
Where will NIS 2 be applicable?
Just like the original NIS Directive, NIS 2 applies to all EU Member States. However, the new Directive will also apply to selected providers of digital infrastructure or services who don’t have a physical footprint in Europe, but offer services in the EU. This will affect DNS, cloud and data centre service providers, as well as TLD name registries, content delivery networks, online marketplaces, search engines and social networking platforms.
Still not clear what to do? At Airbus CyberSecurity, we have decades of experience in helping governments, defence organisations, critical national infrastructure and enterprises navigate complex cyber security regulations. Get in touch to learn how we can support your organisation.