Navigating the evolving landscape of network and information security is a pivotal concern in the current era. As technology becomes more complex, the need for comprehensive policies and regulations to safeguard critical infrastructure and digital services becomes ever more apparent. One such initiative set to drastically alter the cyber landscape is the NIS2 Directive.
Contents:
What is the NIS2 Directive for cybersecurity?
The NIS2 Directive, or Network and Information Security Directive 2, is EU-wide legislation on cybersecurity. It was introduced as a robust step forward to heighten the overall level of cybersecurity within the European Union. The NIS2 Directive came into force in 2023 with the goal to modernize the existing legal framework of the original NIS Directive that was introduced in 2016.
This update came in response to the escalated digitization and evolving threat landscape.
The NIS2 Directive expands its coverage beyond the initial realm. It extends the cybersecurity rules to new sectors and entities. It is designed to reinforce the resilience and incident response capacities of public and private entities. It achieves this by fostering Member States' preparedness and promoting cooperation among them.
For instance, it mandates that Member States be suitably equipped. This includes a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority.
What are the main goals behind NIS2?
The NIS2 Directive’s primary objective is to promote robust cybersecurity across the EU. This includes safeguarding vital sectors from cyber threats and boosting trust in important services.
It does this by:
Establishing a standardized level of cybersecurity protection measures across all EU member states.
Clearly identifying and regulating the sectors affected by the directive.
Expanding cyber security measures and tightening incident reporting rules.
Improving the cooperation and coordination among member states in handling cyber threats.
The aim of NIS2 is to establish a standardized level of protection across all EU member states. It clearly identifies affected sectors and minimum security requirements and unifies reporting obligations. It also introduces enforcement measures and sanctions. These efforts aim to protect critical infrastructure and EU citizens from cyberattacks.
One major improvement of NIS2 over its predecessor NIS 1 is its specific scope. Sectors affected include manufacturing, food, courier services, space, and digital infrastructure. Medium and large organizations operating within these sectors fall under the NIS2 scope.
NIS2 distinguishes between “essential” and “important” entities. Both types must comply with the same security measures. However, “essential” entities are under proactive supervision.
Changes include strengthened security requirements, enhanced enforcement, stricter incident reporting, and improved cooperation. It has rules for risk management, cybersecurity training, crisis management, and data encryption. It aims to eliminate the flexibility that led to vulnerabilities under the original NIS.
Incident reporting now has new mandatory stricter timeframes, with an initial report required within 24 hours of a cybersecurity issue. This enables authorities to respond better to potential threats. Moreover, NIS2 fosters cooperation and communication between member states. It does this by establishing a European Cyber Crisis Liaison Organization Network. This makes network security a collective effort.
How does the NIS2 Directive impact business?
The NIS2 Directive’s wider scope brings a broader range of businesses under its ambit. It particularly affects those providing critical infrastructure within the EU.
As such, it's crucial for these entities to understand what the directive entails. You may need to prepare for enhanced risk management and incident reporting requirements.
One of the key areas for businesses to address under the NIS2 Directive is the security of network and information systems.
To meet the requirements of the directive, businesses are expected to establish a robust cybersecurity-risk management program. This program should include technical and organizational measures including authentication, authorization, encryption, and consistent monitoring for the security of network, information systems, and APIs.
Key steps to building a comprehensive network and information security program might include:
Conducting a comprehensive cybersecurity risk assessment. This should help identify any risks posed to your network, information systems, and APIs.
Implementing appropriate measures to manage identified risks. Key measures might include authentication, authorization, encryption, and consistent monitoring of your network and information systems.
Developing robust incident reporting mechanisms. You should establish systems that can detect and report security incidents related to your network and information systems.
Ensuring compliance with relevant regulations and standards. In addition to the NIS2 Directive, businesses should ensure they are compliant with other applicable regulations like the GDPR and other pertinent data protection laws.
Training and awareness. Finally, companies should educate their employees, contractors, and third-party providers about network and information system security practices. This could cover secure coding practices, secure deployment practices, and incident response procedures.
By focusing on these aspects, businesses can ensure that they are prepared for the NIS2 Directive. They can adequately protect their networks and systems from potential cyber threats. In addition, they will be better positioned to demonstrate their compliance to national cybersecurity authorities, thereby enhancing trust in their services or critical infrastructure.
Which sectors are affected by NIS2?
The NIS2 Directive expands its reach beyond the original NIS Directive, encompassing a broader range of sectors.
These include essential service operators in areas such as:
Energy
Transport
Banking
Healthcare
Digital service providers like online marketplaces, social networking platforms, and search engines
Research
ICT-Service management
Space
Entities providing domain name registration services
Businesses in these sectors must adhere to the regulations and requirements set forth by the NIS2 Directive.
When does NIS2 come into force?
The Member States have been given a window of 21 months until October 17, 2024, to transpose the measures outlined in the NIS2 Directive into national law.
The implication is clear: Businesses must prepare and adapt to the new network and information security landscape.
New Cybersecurity Directives – the CER Directive
Beyond the NIS2 Directive, another noteworthy legislation is the European Directive for Critical Entities Resilience (CER). The main difference between NIS2 and CER is that NIS2 is focused on cybersecurity, and CER is focused on physical security from natural disasters, floods, fires, etc.
The CER Directive replaces the European Critical Infrastructure Directive of 2008. It introduces stronger rules to enhance critical infrastructure against threats, including natural hazards, terrorist attacks, insider threats, and sabotage.
The CER Directive entered into force on January 16, 2023. Member States have until October 17, 2024, to transpose the requirements of the CER Directive into national law. By this date, each Member State is required to adopt and publish the measures necessary to comply with the directive. They must apply those measures from October 18, 2024.
Under the CER Directive, Member States must develop a strategy for enhancing the resilience of critical entities by January 17, 2026. This strategy aims to strengthen the ability of critical entities to prepare for, cope with, protect against, respond to, and recover from incidents that could disrupt the provision of essential services.
The CER Directive covers eleven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Member States are required to adopt a national strategy and conduct regular risk assessments.
The bottom line
The NIS2 Directive is poised to become a vital framework for cybersecurity in the EU. Businesses that fall under its scope must install rigorous technical, operational and organizational measures.
The deadline for national adoption of the directive is looming. Businesses must begin preparing to meet the NIS2 requirements.
In the context of the need for compliance with NIS2 regulations, NordPass offers valuable support as a password manager. Its features are designed to enhance your organization's password security.
One key feature is the encrypted password vault. This securely stores all work-related passwords and information using the secure XChaCha20 encryption. NordPass's zero-knowledge architecture ensures only authorized users can access the data.
NordPass also provides a password generator. It allows you to easily create strong and unique passwords that are resistant to guessing or brute-force attacks. The password health feature helps you assess the strength and security of your passwords. Identify any weaknesses or instances of password reuse that may put your accounts at risk.
Additionally, NordPass includes a data breach scanner. Automatically detect if any of your company's domains or emails have been compromised in data breaches. This enables you to take immediate action to mitigate potential risks and protect your accounts. The password policy feature allows you to establish a robust password policy at the administrative level.
The activity log feature of NordPass provides transparency and accountability. This helps you maintain control over your company's logins. Multi-factor authentication adds a layer of security, reducing the risk of unauthorized access.
These features help businesses enhance their password security and compliance with NIS2 regulations. This helps contribute to a more secure and resilient digital environment.