Cybersecurity in the EU: The NIS 2 Directive

Content Writer

Navigating the evolving landscape of network and information security is a pivotal concern in the current era. As technology becomes more complex, the need for comprehensive policies and regulations to safeguard critical infrastructure and digital services becomes ever more apparent. One such initiative set to drastically alter the cyber landscape is the NIS 2 Directive.

What is the NIS 2 Directive for cybersecurity?

The NIS 2 Directive (Directive (EU) 2022/2555), or Network and Information Security Directive 2, is EU-wide legislation on cybersecurity. It replaces the original NIS Directive of 2016 and is intended to raise the overall level of cybersecurity within the European Union. NIS 2 was adopted in December 2022 and entered into force on 16 January 2023 to modernize the existing legal framework.

This update came in response to the escalated digitization and evolving threat landscape.

The NIS 2 Directive expands its coverage beyond the initial realm. It extends the cybersecurity rules to new sectors and entities. It is designed to reinforce the resilience and incident response capacities of public and private entities. It achieves this by fostering Member States' preparedness and promoting cooperation among them.

For instance, it mandates that Member States be suitably equipped. This includes a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority.

What are the main goals behind NIS 2?

The NIS 2 Directive’s primary objective is to promote robust cybersecurity across the EU. This includes safeguarding vital sectors from cyber threats and boosting trust in digital services.

It does this by:

  • Establishing a standardized level of cybersecurity protection across all EU member states.

  • Clearly identifying and regulating the sectors affected by the directive.

  • Enforcing strict security measures and incident reporting rules.

  • Improving the cooperation and coordination among member states in handling cyber threats.

Together, these measures set a common baseline of protection across the EU: the affected sectors and the security requirements are spelled out, reporting obligations are unified, and enforcement measures and sanctions back them up. The result is better protection of critical infrastructure and of EU citizens against cyberattacks.

One major improvement of NIS 2 over its predecessor is its clearer scope. Sectors affected include transport, energy, banking, healthcare, water supply, and digital infrastructure. As a rule, medium-sized and large organizations operating within these sectors fall under the NIS 2 scope; certain smaller entities, such as DNS service providers and trust service providers, are covered regardless of size because of their role.

NIS 2 distinguishes between “essential” and “important” entities. Both types must implement the same security measures, but essential entities are subject to proactive (ex ante) supervision, while important entities are supervised only reactively (ex post), for example when there is evidence of non-compliance. Maximum fines also differ: up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities.

Changes include strengthened security requirements, enhanced enforcement, stricter incident reporting, and improved cooperation. Article 21 requires risk-management measures covering, among other things, risk analysis and information system security policies, incident handling, business continuity and backup management, supply chain security, security in the acquisition and development of systems, cyber hygiene and training, cryptography and encryption, access control and asset management, and the use of multi-factor authentication where appropriate. It removes much of the discretion the original NIS Directive left to Member States, which had led to uneven implementation and gaps across the EU.

Incident reporting is mandatory under NIS 2 and follows a staged timeline: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. This gives authorities earlier visibility into threats that may also affect other entities. NIS 2 also strengthens cooperation and communication between Member States by establishing the European cyber crisis liaison organisation network (EU-CyCLONe) for coordinated management of large-scale incidents, making cyber crisis response a collective effort.

How does the NIS 2 Directive impact business?

The NIS 2 Directive’s wider scope brings a broader range of businesses under its ambit. It particularly affects those providing digital services or critical infrastructure within the EU.

As such, it's crucial for these entities to understand what the directive entails. You may need to prepare for enhanced risk management and incident reporting requirements. Additionally, businesses must cooperate with national cybersecurity authorities and comply with the directive.

One of the key areas for businesses to address under the NIS 2 Directive is the security of network and information systems. This includes Application Programming Interfaces (APIs).

NIS 2 does not single out APIs by name, but because APIs are the entry points to most modern digital services, a robust API security program is a practical way to meet the directive's risk-management requirements. Such a program should include technical and organizational measures: authentication, authorization, encryption in transit, and consistent monitoring of API traffic so that abuse is detected and can be reported within the directive's deadlines.

Key steps to building a comprehensive API security program might include:

  • Conducting a comprehensive cybersecurity risk assessment. This should help identify any risks posed to your network, information systems, and APIs.

  • Implementing appropriate measures to manage identified risks. Key measures might include authentication, authorization, encryption, and consistent monitoring of your APIs.

  • Developing robust incident reporting mechanisms. You should establish systems that can detect and report security incidents related to your APIs.

  • Ensuring compliance with relevant regulations and standards. In addition to the NIS 2 Directive, businesses should ensure they are compliant with other applicable regulations like the GDPR and other pertinent data protection laws.

  • Training and awareness. Finally, companies should educate their employees, contractors, and third-party providers about API security best practices. This could cover secure coding practices, secure deployment practices, and incident response procedures.

By focusing on these aspects, businesses can ensure that they are prepared for the NIS 2 Directive. They can adequately protect their networks and systems from potential cyber threats. In addition, they will be better positioned to demonstrate their compliance to national cybersecurity authorities, thereby enhancing trust in their digital services or critical infrastructure.
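The incident-reporting step above asks for systems that detect API-related incidents and report them on the NIS 2 timeline. The following is an added example, not code from the original page, from NordPass, or from the directive itself. It runs one illustrative detection heuristic (repeated failed logins from one source IP on an API login endpoint, escalated if that IP then logs in successfully) over a constructed sample of access log lines, and computes the 24-hour early-warning and 72-hour notification deadlines from the moment of detection. The log format, endpoint path, thresholds and the 30-day approximation of "one month" are all assumptions chosen for the example; whether an event is "significant" under Article 23 is a judgement your incident process must make, not something a threshold decides for you.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of API gateway access log lines (not from any real system).
# Assumed format: ISO-8601 timestamp, client IP, method, path, HTTP status.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z 203.0.113.7 POST /api/v1/login 401
2024-05-02T09:00:02Z 203.0.113.7 POST /api/v1/login 401
2024-05-02T09:00:03Z 203.0.113.7 POST /api/v1/login 401
2024-05-02T09:00:04Z 203.0.113.7 POST /api/v1/login 401
2024-05-02T09:00:05Z 203.0.113.7 POST /api/v1/login 401
2024-05-02T09:00:06Z 203.0.113.7 POST /api/v1/login 200
2024-05-02T09:00:07Z 203.0.113.7 GET /api/v1/customers 200
2024-05-02T09:05:00Z 198.51.100.20 GET /api/v1/customers 200
2024-05-02T09:05:30Z 198.51.100.20 POST /api/v1/login 401
2024-05-02T09:20:30Z 198.51.100.20 POST /api/v1/login 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

LOGIN_PATH = "/api/v1/login"     # hypothetical endpoint name
FAIL_THRESHOLD = 5               # failed logins from one IP ...
WINDOW = timedelta(minutes=1)    # ... within this window => brute-force candidate


def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
    }


def detect_incidents(log_text):
    """Return a list of incident records found in the log text.

    Heuristic: FAIL_THRESHOLD or more 401 responses on LOGIN_PATH from one IP
    inside a sliding WINDOW flags that IP. A later 200 on LOGIN_PATH from a
    flagged IP is treated as a probable credential compromise and marked
    'significant' so that the reporting clock is started.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent 401s
    flagged = {}                          # ip -> incident record
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith("/api/"):
            continue
        if ev["path"] != LOGIN_PATH:
            continue
        if ev["status"] == 401:
            q = recent_failures[ev["ip"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in flagged:
                flagged[ev["ip"]] = {
                    "source_ip": ev["ip"],
                    "kind": "login brute force",
                    "detected_at": ev["ts"],
                    "failed_attempts": len(q),
                    "significant": False,
                }
        elif ev["status"] == 200 and ev["ip"] in flagged:
            inc = flagged[ev["ip"]]
            inc["kind"] = "credential compromise after brute force"
            inc["significant"] = True
    return list(flagged.values())


def reporting_deadlines(aware_at):
    """NIS 2 Article 23 deadlines counted from the moment the entity became aware.

    'One month' for the final report is approximated as 30 days after the
    notification deadline (an assumption; the directive counts from the
    notification actually submitted)."""
    notification_due = aware_at + timedelta(hours=72)
    return {
        "early_warning_due": aware_at + timedelta(hours=24),
        "incident_notification_due": notification_due,
        "final_report_due_latest": notification_due + timedelta(days=30),
    }


if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_LOG):
        print(inc)
        if inc["significant"]:
            print(reporting_deadlines(inc["detected_at"]))
```

On the sample log this flags 203.0.113.7 after its fifth failure at 09:00:05 and escalates it when the 200 follows one second later, while the two widely spaced failures from 198.51.100.20 never reach the threshold. In production the same structure would read from your gateway's real log format, feed a ticketing or SIEM system rather than printing, and record who made the "significant" determination and when, since that timestamp is what the 24-hour clock is measured against.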

Which sectors are affected by NIS 2?

The NIS 2 Directive expands its reach beyond the original NIS Directive, encompassing a broader range of sectors.

These include essential and important entities in areas such as:

  • Energy

  • Transport

  • Banking

  • Healthcare

  • Digital service providers like online marketplaces, cloud computing services, and search engines

Businesses in these sectors must adhere to the regulations and requirements set forth by the NIS 2 Directive.

When does NIS 2 come into force?

The Member States have been given a window of 21 months until October 17, 2024, to transpose the measures outlined in the NIS 2 Directive into national law.

The implication is clear: Businesses must prepare and adapt to the new network and information security landscape.

New Cybersecurity Directives – the CER Directive

Beyond the NIS 2 Directive, another noteworthy initiative on the horizon is the European Directive for Critical Entities Resilience (CER). The CER Directive aims to fortify the resilience of critical entities in sectors like energy, transport, water, health, and digital infrastructure.

The CER Directive replaces the European Critical Infrastructure Directive of 2008. It introduces stronger rules to enhance critical infrastructure against threats, including natural hazards, terrorist attacks, insider threats, and sabotage.

The CER Directive entered into force on January 16, 2023. Member States have until October 17, 2024, to transpose the requirements of the CER Directive into national law. By this date, each Member State is required to adopt and publish the measures necessary to comply with the directive. They must apply those measures from October 18, 2024.

Under the CER Directive, Member States must develop a strategy for enhancing the resilience of critical entities by January 17, 2026. This strategy aims to strengthen the ability of critical entities to prepare for, cope with, protect against, respond to, and recover from incidents that could disrupt the provision of essential services.

The CER Directive covers eleven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Member States are required to adopt a national strategy and conduct regular risk assessments.

The bottom line

The NIS 2 Directive is poised to become a vital framework for cybersecurity in the EU. Businesses that fall under its scope must put rigorous technical and organizational measures in place.

The deadline for national adoption of the directive is looming. Businesses must begin preparing to meet the NIS 2 requirements.

In the context of the need for compliance with NIS 2 regulations, NordPass offers valuable support as a password manager. Its features are designed to enhance your organization's password security.

One key feature is the encrypted password vault. This securely stores all work-related passwords and information using the secure XChaCha20 encryption. NordPass's zero-knowledge architecture ensures only authorized users can access the data.

NordPass also provides a password generator. It allows you to easily create strong and unique passwords that are resistant to guessing or brute-force attacks. The password health feature assesses the strength of your stored passwords and flags weak or reused ones that may put your accounts at risk.

Additionally, NordPass includes a data breach scanner. It automatically detects whether any of your company's domains or email addresses have appeared in known data breaches, so you can take immediate action to mitigate the risk and protect the affected accounts. The password policy feature allows you to establish a robust password policy at the administrative level.

The activity log feature of NordPass provides transparency and accountability. This helps you maintain control over your company's logins. Multi-factor authentication adds a layer of security, reducing the risk of unauthorized access.

These features help businesses enhance their password security and compliance with NIS 2 regulations. This helps contribute to a more secure and resilient digital environment.
