The final text of the revised Directive on the security of network and information systems (NIS 2, Directive (EU) 2022/2555) has been adopted by the European Union and was published in the Official Journal of the EU on 27 December 2022. It entered into force on 16 January 2023, which gives member states 21 months, until 17 October 2024, to adopt and publish the national measures that transpose it. Once those national rules apply, in-scope organisations must be able to demonstrate compliance or face supervisory action.
But why is this significant?
The original NIS Directive was the first piece of EU-wide legislation aiming to improve network and information security. NIS2 brings many more sectors into scope and introduces fines, sanctions and penalties for failing to carry out proper risk management, neglecting basic cyber hygiene, or unduly delaying corrective action. This will push organisations to keep their software and security procedures continuously up to date and to implement access controls that prevent unauthorised access to, and activity within, their systems.
This has implications for all manufacturers, including those that make IoT devices, medical devices (IoMT) and operational technology (OT). Under Article 24 of NIS2, member states may require essential and important entities to use particular certified ICT products, ICT services and ICT processes, or to obtain a certificate under a European cybersecurity certification scheme adopted under the EU Cybersecurity Act. The separate Cyber Resilience Act, which applies to products with digital elements, complements this by mandating security across the entire development and support lifecycle of the product. Inevitably this will be a challenging transition, especially where IoT products remain vulnerable because they were built with inadequate security controls: hardcoded passwords, no encryption for the data they transmit, or software and firmware vulnerabilities that are difficult to patch. The revised NIS rules will push those manufacturers to raise their security baseline in order to maintain both reputation and compliance.
In short, it will help organisations implement a coordinated response to large-scale cyber-attacks. As a result, the damage that cyber incidents would typically cause will be reduced, improving security for both the organisation and its customers.
Increasing cybersecurity in Europe
The original NIS rules took effect across member states in 2018, with the aim of raising the level of security of the network and information systems used to provide essential and digital services. The stated goal of the new directive is to reduce the cost of cybercrime by €11.3 billion per year. To get there, organisations newly brought into scope are expected to increase their cybersecurity budgets by around 22% to meet the compliance requirements, and organisations that were already categorised as essential under NIS1 by around 12%.
Expanding the NIS regulation
NIS2 applies to a broader set of industry sectors. It expands the original category of operators of essential services (now “essential entities”) and adds a second category of “important” entities.
More importantly, NIS2 introduces fines and penalties for failing to implement the required risk-management measures, in addition to sanctions for mishandling or failing to report incidents. It also harmonises incident-reporting obligations and the sanction regime across EU member states, to avoid the fragmentation seen under the original directive.
Maximum fines for essential entities are €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities they are €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
The spirit of NIS2 is to encourage “Active Cyber Protection”. It aims to create a framework-first culture of risk management, rather than the typical posture of reacting to breaches and incidents once they have already occurred. Under Article 20, the management bodies of essential and important entities must approve the cybersecurity risk-management measures their entity takes to comply with Article 21, oversee their implementation, and can be held liable for infringements.
Sectors now deemed essential under NIS2 include energy, transport, banking and financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration and even space. In addition, postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research organisations fall under the second category of ‘important’ entities.
Important entities, however, are not subject to the same supervisory regime or fines as essential entities. The maximum fines for important entities are €7 million or 1.4% of total worldwide annual turnover, whichever is higher, instead of €10 million or 2% for essential entities.
The supervisory regime also prioritises essential entities, which are subject to both ex-ante (proactive) and ex-post (after-the-fact) supervision. Important entities are supervised ex-post only, when the authorities receive evidence or indications that the entity is failing to meet its obligations.
The NIS2 rules additionally focus on securing the supply chain of essential and important entities. With operators evaluating the security of the devices on their networks more rigorously, there are important implications for IoT, IoMT and OT manufacturers. Manufacturers that enforce appropriate security measures themselves help everyone further along the chain to stay compliant throughout the product lifecycle.
Compliance
Article 21 sets out the cybersecurity risk-management measures that essential and important entities must implement (incident reporting is covered separately by Article 23). The measures must follow an all-hazards approach and include at least:
(a) policies on risk analysis and information system security
(b) incident handling
(c) business continuity
(d) supply chain security
(e) security in network and information systems, including vulnerability handling and disclosure
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures
(g) basic cyber hygiene practices and cybersecurity training
(h) policies and procedures regarding the use of cryptography and encryption
(i) human resources security, access control policies and asset management
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Proactive cybersecurity starts with asset vulnerability management
The best starting point for complying with the NIS2 directive is continuous monitoring of every asset, because, as the saying goes, ‘you can’t protect what you don’t know about’. A complete, continuously updated inventory lets information security teams detect anomalies and status changes (a new device appearing, a firmware version changing, an asset disappearing) as they happen, which in turn reduces SOC investigation time and limits potential damage.
Asset vulnerability management builds on that inventory by correlating each asset, whatever its type, with the vulnerabilities known to affect it. With this intelligence, organisations have constant insight into which of their assets are exposed to the latest vulnerabilities and exploits, and can take a proactive stance, prioritising remediation before threat actors get there first.
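The correlation described above, as an added example that is not part of the original article and not Armis's own code: a small asset inventory is matched against a vulnerability feed by product and affected-version range, and two inventory snapshots are compared to surface the status changes a monitoring team would want to act on. All asset names, products, versions, IP addresses and the `EXAMPLE-2023-000N` vulnerability identifiers are constructed placeholders, not real advisories.

```python
"""Added example: correlate an asset inventory with a vulnerability feed
and detect changes between two inventory snapshots.

Every asset, product, version and vulnerability identifier below is
constructed for illustration; none refers to a real advisory.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str       # constructed categories: "ot", "iomt", "iot", "server"
    product: str
    version: str
    ip: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str        # constructed placeholder identifier
    product: str
    fixed_in: str       # versions strictly below this one are affected
    severity: str


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, e.g. "2.4.1" -> (2, 4, 1).
    Real inventories need a vendor-aware scheme; numeric dots suffice here."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def vulnerable_assets(inventory: list[Asset],
                      advisories: list[Advisory]) -> dict[str, list[str]]:
    """Map each exposed asset id to the advisories that apply to it."""
    exposed: dict[str, list[str]] = {}
    for asset in inventory:
        hits = [adv.vuln_id for adv in advisories if is_affected(asset, adv)]
        if hits:
            exposed[asset.asset_id] = hits
    return exposed


def inventory_diff(old: list[Asset], new: list[Asset]) -> dict[str, list[str]]:
    """Status changes between two snapshots: new, missing and modified assets."""
    old_by_id = {a.asset_id: a for a in old}
    new_by_id = {a.asset_id: a for a in new}
    return {
        "added": sorted(set(new_by_id) - set(old_by_id)),
        "removed": sorted(set(old_by_id) - set(new_by_id)),
        "changed": sorted(i for i in old_by_id.keys() & new_by_id.keys()
                          if old_by_id[i] != new_by_id[i]),
    }


# Constructed vulnerability feed (placeholder identifiers, not real CVEs).
ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "acme-plc-firmware", "2.4.0", "high"),
    Advisory("EXAMPLE-2023-0002", "acme-plc-firmware", "2.1.0", "critical"),
    Advisory("EXAMPLE-2023-0003", "infusion-pump-os", "5.0.2", "high"),
]

# Constructed inventory snapshots taken at two points in time.
SNAPSHOT_T0 = [
    Asset("plc-01", "ot", "acme-plc-firmware", "2.0.7", "10.0.1.10"),
    Asset("plc-02", "ot", "acme-plc-firmware", "2.4.1", "10.0.1.11"),
    Asset("pump-07", "iomt", "infusion-pump-os", "5.0.1", "10.0.2.7"),
    Asset("web-01", "server", "example-httpd", "1.0.0", "10.0.3.1"),
]
SNAPSHOT_T1 = [
    Asset("plc-01", "ot", "acme-plc-firmware", "2.4.1", "10.0.1.10"),  # patched
    Asset("plc-02", "ot", "acme-plc-firmware", "2.4.1", "10.0.1.11"),
    Asset("pump-07", "iomt", "infusion-pump-os", "5.0.1", "10.0.2.7"),  # still exposed
    Asset("cam-03", "iot", "example-ipcam-fw", "1.2.0", "10.0.4.3"),    # newly seen
]

if __name__ == "__main__":
    print("exposed at T0:", vulnerable_assets(SNAPSHOT_T0, ADVISORIES))
    print("exposed at T1:", vulnerable_assets(SNAPSHOT_T1, ADVISORIES))
    print("changes T0->T1:", inventory_diff(SNAPSHOT_T0, SNAPSHOT_T1))
```

In the constructed data, `plc-01` is exposed to both firmware advisories at T0 and drops off the list once its version is raised to 2.4.1, while `pump-07` remains exposed across both snapshots and `cam-03` appears as an unmanaged new device, the kind of status change that should open an investigation rather than wait for the next scheduled scan.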
In summary
The expansion of the original NIS scope should help raise the level of cybersecurity in Europe in both the medium and longer term. Ultimately, it sets out the risk-management obligations that essential and important entities must comply with. Any corrective actions required to meet the new rules must be completed without undue delay, or the entity faces escalating sanctions. These can include fines and, for essential entities, orders to temporarily suspend a certification or authorisation for the service concerned, or to temporarily bar the individuals responsible at executive or legal-representative level from exercising managerial functions, until the corrective measures have been completed.
The scale of these changes, and of the consequences of non-compliance, reflects an evolving threat landscape that puts organisations in every sector at greater risk, particularly those operating critical infrastructure. As cyber and physical systems converge, cyber-attacks increasingly have the potential to cause physical damage or harm to people, which is why it is vital to secure every organisation with a proactive cybersecurity plan. A large part of that is compliance with regulations that exist for good reason. If everybody plays their part in closing cybersecurity gaps and improving cyber hygiene, European organisations will be better protected and Europe a safer place to do business.

Andy Norton is a European Cyber Risk Officer and an expert in Hactuary and go-to-market execution for Armis.