The European Parliament voted overwhelmingly to approve the NIS2 Directive to increase cyber resilience across European countries. This comes as EU nations fall under a barrage of cyber attacks, including a recent incident that affected the Pierre-Rouquès-Les Bluets Hospital.

According to MEP Bart Groothuis, “Ransomware and other cyber threats have preyed on Europe for far too long. We need to act to make our businesses, governments, and society more resilient to hostile cyber operations”.

The NIS2 will introduce significant changes, policies, and strategic responses to the European cyber security landscape. Here’s what you should know about NIS2 and its implications.

What is NIS2?

NIS2 is a legislation that provides European nations with a consistent and standard cyber security framework. It replaces its predecessor, NIS, which was introduced in 2016. The NIS2 allows European governments to enforce security requirements amongst companies directly or directly involved in critical infrastructure.

The NIS2 eliminates the ambiguity in cyber security implementation and enforcement. It provides clear and concise guidelines to ensure that member states respond uniformly to hostile incidents. Also, NIS2 standardizes sanctions between EU nations and streamlines coordination between governments, NGOs, and ENISA in cybersecurity measures.

NIS2 draws attention to supply chain security and other mitigation measures

The NIS2 highlights supply chain risks, which leave organizations vulnerable to attacks when not addressed. In a supply chain attack, threat actors compromise the organization’s network through 3rd party providers and services. The Directive emphasizes ensuring resilience consistencies in the ICT supply chain’s hardware, software, and non-technical elements.

Besides supply chain security, the NIS2 recommended measures to strengthen organizational security posture. This includes risk analysis, business continuity plan, usage of encryption, and incident response. When enforced, the NIS2 compels companies to stricter cyber security regulations. It imposes a penalty of up to €10 million or 2% of the company’s global annual turnover.

Which entities are covered by the NIS2 Directive? 

The NIS2 Directive has significantly increased the scope of entities, bringing the total number of sectors from 19 to 35. The act segregates entities into two types, essential and important. You can find the scope, subsector, and specific entities in Annex 1 and Annex 2 of the NIS2 Directive. 

NIS2 expands the scope of entities accountable for threat mitigation, incident reporting, and safeguarding their digital assets. Essential entities are organizations in the energy, transport, banking, health, digital infrastructure, public administration, and space industry. 

For example, oil production, refining and treatment facilities, storage, and transmission operators are categorized as essential entities. Likewise, medical devices considered critical during a public emergency also belong to the same category.

Meanwhile, important entities include the following sectors, postal services, waste management, chemicals, food, medical devices, electronics, machinery, motor vehicles, and digital providers.

For example, businesses that serve as digital providers for online marketplaces, search engines, and networking services platforms are defined as important entities. Manufacturers of non-critical medical devices and automotive parts are also included in the NIS2 Annex II as important entities. 

According to the legislation, the obligation applies not only to institutions directly participating in such sectors but also to supporting subcontractors.

Important requirements of the NIS2 Directive

The NIS2 Directive is a comprehensive legal document that touches on different areas of security requirements and legal implications. These are the important takeaways that help companies chart their next steps for NIS2 compliance. 

• Conduct risk analysis and update information system security policies.
• Have a robust incident handling plan for rapid prevention, detection and response.
• Prepare for business continuity and crisis management.
• Improve the security posture of supply chain management, including data storage and processing.
• Reinforce network and information system security, including vulnerability handling.
• Set testing policies and procedures to evaluate existing security risk management practices.
• Employ encryption technologies to safeguard data.

How To Prepare For NIS2?

Once enacted, member states have up to 21 months to reform their national cybersecurity laws in line with the NIS2. In other words, European companies that fall within NIS2’s provision must prepare themselves for the new reforms by 2024.

Here’s how to get started.

Revisit your incident response plan and ensure that your security team is able to issue a preliminary notification to relevant authorities within 24 hours of discovering a breach. Likewise, customers and other users that might be affected should be notified promptly.

To comply with NIS2, companies must perform due diligence and deploy appropriate measures to mitigate supply chain risks and other vulnerabilities. This applies to companies participating in mission-critical economies.

SecTeer helps organizations to be NIS2-ready with automated security patching. You can learn more about SecTeer VulnDetect here.