Although cybersecurity is a unique responsibility in many respects for businesses across the globe, there are collective guidance and reporting standards. One of these is NIS 2: a decisive maneuver to elevate IT protections within the European Union. It’s built on the original Network and Information Systems (NIS) Directive from 2016, which laid down a framework for sharing resources, organizing protection, and telling the right authorities about major incidents when they arise.
NIS 2 is now mandatory for all EU member states. While the UK government chose not to follow suit by adopting the same framework, there are similar changes bound for organizations based in the UK and they will be enforced, too. If you’re new to NIS, you must get up to speed. Failure to comply with these stricter technical, operational, and incident reporting measures may result in a hefty fine, as well as exposed to the dangers always waiting to strike in cyberspace.
So, what does NIS 2 mean for you? What entities is it designed to safeguard? And how can you ensure compliance with a scalable security solution? We’ve got the answers below in this crash course in this important step toward organizational integrity.
What is NIS 2?
NIS 2 replaces the initial NIS Directive that the European Parliament brought into force in 2018. At the time, NIS was “the first EU horizontal framework addressing cybersecurity challenges and a true game changer for cybersecurity resilience and cooperation in Europe.” It intended to address supply chain security, streamline reporting requirements, and encourage vast cooperation between member states to research and enforce better protections.
On December 27, 2022, the NIS 2 Directive was published and activated 20 days later, giving EU member states 21 months to adopt it into their own national laws. Although it isn’t a specific legal mandate in and of itself, NIS 2 seeks to give informative, technical, and organizational support to patrol an agreed standard for digital security.
NIS legislation was drafted in conjunction with member governments and the European Agency for Network and Information Security (ENISA). A Cooperation Group was established to push plans forward and maintain universal adherence. With a firm strategy to coordinate, streamline, and disclose measures to prevent and report a major cyber incident, NIS’ intent was to give clarity on what should be done to stay safe and apply penalties for failing to do so.
The inaugural strategy had several key components for risk management in sectors described as more prone to severe cyberattacks than others. Understanding these principles offers a good basis for recognizing how NIS evolved since then. Briefly, the first framework focused on:
Identifying OES organizations
These are the important entities that must comply with NIS. They must take appropriate security measures to monitor their networks, deal with emerging threats, and prove risks and incident response. Operators of essential services (OES) typically include any business or not-for-profit working in health care, transport, energy, utilities, and critical infrastructure.
Adding RDSPs to the list
A relevant digital service provider (RDSP) runs an online marketplace, search engine, or cloud computing solution. To fall under this category, they can’t have fewer than 50 staff members or an annual turnover below €10 million. Both OES and RDSPs can hold vast amounts of sensitive data, which is why NIS applies to them.
Forming the CSIRT network
Each member state appointed one or several Computer Security Incident Response Teams (CSIRTs). These teams form a network “where members can cooperate, exchange information, and build trust.” The European Commission oversees them, seeking to strengthen global incident mitigation and help organizations deal with threats that can ripple through digital supply chains. Any organization can hire and train its own CSIRT division. However, NIS demands that countries nominate and approve groups that can consult on early warning signs, respond to an incident, and advise stakeholders on risks at the national or cross-border level. Here’s an updated list of state-backed CSIRTs.
Defining a single point of contact
This is the entity that brings everything together for OES and RDSPs. For instance, the single point of contact (SPOC) in the UK is the National Cyber Security Center (NCSC). Other nations have their particular SPOC to coordinate action with EU partners and liaise with CSRITs.
With the basics covered, it’s time to see how these cybersecurity risk management tactics work in practice — and how NIS 2 builds on earlier achievements
Differences between NIS and NIS 2
Like the original NIS Directive, NIS 2 requires competent authorities (CAs) to oversee directives, inspect relevant organizations, and issue fines for non-compliance. If we use the UK as an example again, the Information Commissioner’s Office (ICO) — an independent body founded to uphold information rights — is the designated CA. It can send enforcement notices, investigate whether an organization does enough to meet the standards, and apply a penalty of up to £17 million if those standards aren’t met. Since NIS isn’t an EU law, member states and their CAs decide how to progress with individual cases.
Whenever a security incident occurs and threatens data or an essential business process, you have to report it to your country’s CA. This involves showing how the incident progressed, the steps taken to mitigate it, and how it may have harmed business continuity or data protection. Both the original and updated NIS Directive carry this responsibility.
However, NIS 2 is bringing more organizations into the fold with increased cybersecurity measures. This is meant to clarify which businesses, not-for-profits, and nationally owned enterprises qualify for NIS regulation, as well as offers new advice for coordination and enforcement.
Here’s what the fresh framework adds.
More sectors fall under the NIS 2 Directive
Any organization deemed critical to the economy and EU society now is held to NIS standards. Member states also can identify other candidates that aren’t strictly large or medium businesses, but nevertheless carry a high-risk profile, especially for their supply chain partners in the digital infrastructure. Instead of the OES label, CAs and SPOCs use the term “essential” and “important entities” to describe organizations that should bolster their IT safeguards. Examples of sectors include:
- Food and agriculture
- Wastewater management
- Postal and courier services
- Space technology
- Pharmaceutical production
Clearer incident reporting
Entities now have a better sense of what they need to do for NIS compliance when an incident happens. Initially, they must send an early warning within 24 hours after they become aware of a breach or attack. Second, a fuller incident notification should be provided by no later than 72 hours, assessing the incident’s cause, severity, and impact. Then, a final report is due within a month following the incident, describing it in detail along with potential cross-border security risks. EU member states are establishing single, reliable portals for submitting these updates.
A risk management perspective
Simply notifying a CA isn’t enough anymore. NIS 2 suggests that risk management policies reduce your chance of an investigation or fine. These require an audit of what you currently do to limit risk and how to improve your strategy. Concrete objectives, teams, responsibilities, and monitoring tools will work in your favor for the NIS 2 Directive. They aren’t limited to important or essential entities, either. The European Commission and member states agreed to conduct periodical cybersecurity risk management assessments for the most important supply chains in their territories.
Achieving NIS 2 Compliance
There are several challenges to overcome to stay on the right side of the NIS 2 directive. You’d be forgiven for thinking the framework and its enforcement can be vague in some areas, open to the CA’s discretion when reviewing your cybersecurity status and the potential dangers at play. Yet, peering closer, we can consider what sets you up for compliance and how to get there.
Determine if you should apply for NIS 2
There’s no sense worrying about this legislation if it doesn’t hold much relevance for you. Obviously, the first factors to review are whether you’re located or incorporated in an EU member state and fit the immediate bill (e.g., you operate within one of the key sectors and are above the employee or turnover threshold). However, be aware that non-EU companies may still be subject to oversight. The NIS 2 Directive explains that any organization that isn’t located in the territory but offers services to it “shall designate a representative in the EU.” The representative should be under the jurisdiction of a single member state where your business is.
Host regular security awareness training
It’s hard to implement risk management if all your stakeholders are not aware of what they need to do and why it matters. Security awareness training, both internal and within your supply chain, is beneficial for organizations working to achieve NIS 2 compliance. Not only will it positively affect user behavior (prevent phishing, poor password habits, etc.) but it also will ensure you craft reports faster by describing exactly how your management structure supports digital security at every level.
Talk to your supply partners
How are other buyers, sellers, and services reacting to NIS 2? Their practices undoubtedly will influence yours. Discuss a closer, more collaborative information system for sharing security details or alerting each other to zero-day security threats. If you can, reinforce your business continuity plan with theirs to set up conditions and timeframes for data backups, endpoint restrictions, secondary hosts for DDoS attacks, and further strategies you both agree on.
Consider a managed detection and response service
Many companies face a huge issue in their IT strategy — how to find the appropriate security talent and resources. That’s why managed detection and response (MDR) is so effective. Services such as Fortra’s Alert Logic MDR scale with you. MDR lifts the burden of establishing, tracking, and reporting on security concerns wherever they arise in your network. Since NIS 2 asks for quality incident data and communication, there’s much to gain from analysts who put the pieces together for you. Explore Alert Logic MDR services for any environment and let us fortify your posture against the biggest threats in cyberspace.
How does NIS 2 apply to the UK?
Before we wrap-up, let’s examine an outlier for NIS 2: the United Kingdom. A lot has changed between 2016 and today. The Brexit vote took the UK out of mandatory EU regulation, and NIS is no exception. Consequently, the British government decided not to follow NIS 2 for its own evolving cybersecurity legislation.
However, the new NIS Directive inspired a major overhaul of existing UK standards. The UK government presented seven security measures for public consultation in January 2022. As of 2023, these resulted in specific updates to the NIS framework under which organizations operated. Some of the most important changes include:
- Holding managed service providers to the same standards by accounting for privileged access to their customers’ IT networks.
- Entities should notify the ICO of any incident that doesn’t utterly disrupt a business but may harm a service or provision in some way without stopping it altogether.
- Additionally, the ICO will take a more tailored, risk-based approach to digital regulation. This means looking for companies and public bodies that hold a fair amount of potential for disruption internally and externally, rather than being in a certain sector and size bracket.
- Along with the existing list of sectors, the UK can legislate more industries and markets when it sees fit. Manufacturers are the biggest candidates, especially if they make electrical vehicles, medical devices, and equipment used for data centers.
Regardless of whether the NIS 2 Directive applies to you or not, there’s every reason to take inspiration from the pressing need for tighter, more thorough security controls around the world. Fortra’s Alert Logic MDR assists in your NIS compliance or your general race for better protection. Our experts are on hand 24/7 to research, monitor, prevent, and explain any threat that may target you. Want to learn more? Schedule a MDR demo with us.