The adoption of the revised Network and Information Security (NIS2) directive in the European Union has ushered in a new era of stringent cybersecurity measures for businesses and vital transformations for Chief Information Security Officers (CISOs). The original NIS directive was recognized as the EU’s first attempt to unify cybersecurity requirements across member states. However, inconsistent interpretations led to disparities in its implementation.
To address these challenges, the EU introduced NIS2 on November 28, 2022, bringing a raft of changes. The new directive seeks to remove ambiguities, establish a uniform standard of protection across the EU, and assign more responsibilities to CISOs. With clear guidelines, new enforcement mechanisms, and a broader scope, NIS2 is setting a new benchmark in the realm of cybersecurity.
Broadened Scope – The NIS2 Impact on Businesses
Exploring the Expanded Reach of NIS2
The NIS2 directive offers a detailed list of sectors that it impacts, eliminating the room for individual interpretation. The scope has been broadened to include providers of digital services or infrastructure, such as cloud services, DNS services, social media networks, and search engines, even if their physical locations are outside the EU. This change signifies that any entity providing important or essential services within the EU comes under the purview of NIS2:
- Transport
- Energy
- Banking and financial market infrastructure
- Healthcare
- Water supply
- Public administration (at central and regional levels)
- Waste management
- Postal and courier services
- Food
- Manufacturing of medical devices
- Chemical and pharmaceutical production
- Aerospace
- Digital infrastructure and digital service providers
These sectors are considered important due to their role in maintaining the vital functions of the economy and society. The directive applies to both medium-sized and large organizations operating within these sectors.
Categorization of Entities – Essential vs. Important
NIS2 categorizes entities as ‘essential’ or ‘important’ based on potential consequences of service disruptions. Essential entities, including sectors like healthcare, energy, and transportation, are those whose disruption would potentially have serious ramifications for the country’s economy or society. CISOs in these sectors, in particular, need to understand the implications of their classification.
For entities classified as ‘important’, the CISO’s responsibilities generally include:
- Risk Assessment and Management: Establishing a robust framework for identifying and managing cybersecurity risks.
- Security Policies and Training: Developing and implementing comprehensive security policies and procedures. This includes overseeing employee cybersecurity training to reduce human error, which is a common vulnerability.
- Incident Response: Establishing an effective incident response plan. This involves defining the procedures for handling a cyber incident, including identifying the incident, responding to it, recovering from it, and reporting it as necessary.
While ‘important’ entities are subject to the NIS2 regulations, they are generally only subject to supervision if an incident of non-compliance is reported.
For entities classified as ‘essential’, the CISO has additional responsibilities, as these organizations are subject to more intensive proactive supervision due to the potentially severe societal or economic consequences of service disruption. The responsibilities for a CISO in an ‘essential’ entity would include all of the above, plus:
- Increased Reporting: ‘Essential’ entities have stricter reporting requirements. An initial report must be submitted within 24 hours of a cybersecurity incident, followed by a more detailed report within a month.
- Certification Requirements: Under NIS2, ‘essential’ entities may be required to certify specific ICT products, services, and processes under the EU Cybersecurity Act.
- Proactive Supervision: Due to their classification, ‘essential’ entities are subject to proactive supervision. This means the CISO will need to maintain an ongoing dialogue with regulators and ensure the entity is continuously compliant with the regulations.
The CISO’s role becomes more crucial and challenging in ‘essential’ sectors due to the higher stakes and more rigorous requirements. In all cases, the aim is to ensure the entity’s resilience to cyber threats, protect critical infrastructure, and safeguard the EU’s citizens and economy from potential cyber-attacks.
Stricter Security Requirements and Enhanced Enforcement
Strengthening Cybersecurity Framework with NIS2
NIS2 introduces a strengthened cybersecurity framework that businesses must comply with. The directive lays down a detailed set of requirements, including risk assessment, cybersecurity training, security policies, crisis management, supply chain security, vulnerability and incident handling, and data encryption. For CISOs, it is crucial to implement these measures effectively.
The NIS2 directive strengthens the cybersecurity framework across the EU, introducing new measures designed to provide more comprehensive and consistent cybersecurity standards. The primary objective of this updated directive is to address the shortcomings in the NIS1 directive and ensure a higher level of cybersecurity across all EU member states:
- Broader Scope: The NIS2 directive expands the definition of entities that fall under its purview. It distinguishes between ‘essential’ and ‘important’ entities, broadening the scope to include more industries and organizations. This expanded coverage helps ensure that a greater number of businesses are maintaining adequate cybersecurity standards.
- Stricter Requirements: The NIS2 directive sets out a more robust framework for security requirements. It clearly outlines the measures all entities must take, which include risk assessment and management, cybersecurity training, crisis management, supply chain security, and incident handling and reporting. There’s no option for flexibility as the directive prescribes rules everyone must follow.
- Incident Reporting: Under NIS2, incident reporting becomes mandatory, with a detailed process for what these reports should contain and when they must be filed. In contrast to NIS1, all incidents must now be reported, regardless of whether the attack had any implications for the entity’s operations.
- Enhanced Cooperation: NIS2 encourages cooperation both within and between EU member states. It mandates the creation of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to manage EU-wide incidents. Moreover, every member state must designate a national Computer Security Incident Response Team (CSIRT).
- Clear Penalties: The NIS2 directive establishes clear penalties for non-compliance. It stipulates specific fines and sanctions, leaving no room for individual interpretation among the member states.
For CISOs and other cybersecurity professionals, these changes mean more stringent requirements for cybersecurity measures, stricter reporting obligations, and greater accountability. The NIS2 directive places a strong emphasis on proactivity, pushing entities to take more rigorous steps to prevent cyber attacks before they occur.
The Directive’s Stance on Incident Reporting
NIS2 enforces stricter incident reporting. The directive requires all cybersecurity breaches to be reported, regardless of their impact on an entity’s operations. This requires CISOs and their teams to react swiftly to breaches, conduct thorough investigations, and promptly notify the relevant authorities.
For a CISO, incident reporting involves several key responsibilities:
- Detection and Assessment: The first step in incident reporting is the ability to detect and assess potential cybersecurity incidents. This involves continuous monitoring of systems and networks to identify unusual activities that could signal a breach or attempted breach. The CISO must ensure that appropriate detection tools and processes are in place and that they are effectively configured to recognize signs of potential incidents.
- Initial Reporting: Under the NIS2 directive, an initial incident report must be submitted within 24 hours of identifying a cybersecurity issue. The CISO must ensure that an incident response team is in place, ready to act swiftly when a security event occurs. The initial report needs to include basic information about the incident and its potential impact.
- Detailed Reporting: A more comprehensive report must be provided within a month. This report will need to outline the nature of the incident, the impact it has had on the entity’s operations and services, the measures taken in response to the incident, and the steps being taken to prevent similar incidents in the future.
- Maintaining Communication: The CISO is typically the key point of contact with external stakeholders, including regulatory bodies, during a cybersecurity incident. Clear and open communication is essential during these times. This can help maintain trust and manage reputational damage in the aftermath of a cyber incident.
- Learning from Incidents: After an incident has been managed and reported, it’s essential to learn from it. The CISO should lead a “lessons learned” exercise to identify weaknesses in the organization’s systems and processes and ensure measures are put in place to strengthen them. This process is important for improving the organization’s overall cyber resilience.
The NIS2 directive’s stringent incident reporting requirements underscore the importance of having strong detection and response capabilities in place.
Understanding the Implications of Enhanced Enforcement
The new directive specifies clear sanctions and fines for non-compliance. The clarity provided in this area significantly impacts the role of a CISO. It underscores the importance of compliance, making it paramount for CISOs to develop and implement robust strategies to meet the directive’s requirements.
- Understand the Regulations: The first step for CISOs is to thoroughly understand the new regulations and what they imply for their specific organization. This includes gaining a comprehensive understanding of the conditions under which sanctions and fines can be imposed.
- Conduct Risk Assessments Regularly: NIS2 requires entities to conduct regular risk assessments. It’s the CISO’s responsibility to ensure these assessments are thorough and effectively identify potential vulnerabilities and threats.
- Implement Robust Cybersecurity Measures: The NIS2 directive sets out stringent security measures that must be implemented. This includes addressing areas such as risk management, cybersecurity training, crisis management, supply chain security, and incident handling and reporting. As a CISO, ensure your organization meets these standards.
- Proactive Incident Reporting: NIS2 makes incident reporting mandatory, and a failure to comply can result in penalties. CISOs need to establish clear protocols for incident detection and reporting within their organizations. They must ensure that all cybersecurity breaches are reported promptly, following the two-stage approach detailed in the directive.
- Regular Compliance Audits: Conduct regular audits to ensure your organization remains compliant with the new regulations. This helps identify any areas of non-compliance early on, allowing you to address them before they result in sanctions or fines.
- Foster a Cybersecurity Culture: CISOs should work towards fostering a culture of cybersecurity within their organizations. This involves training employees, promoting awareness about cyber threats, and encouraging adherence to cybersecurity policies and best practices.
- Stay Updated: Regulations and cyber threats are constantly evolving. Therefore, CISOs must stay abreast of the latest developments and be prepared to adapt their strategies accordingly.
Remember, under the NIS2 directive, the consequences of non-compliance are severe. It’s crucial to take these enforcement enhancements seriously and take proactive steps to ensure your organization remains compliant.
Improved Cooperation
The Role of Cooperation in Strengthening Cybersecurity
The NIS2 directive stresses the importance of coordination and communication between EU member states. It requires each state to designate a national Computer Security Incident Response Team (CSIRT), fostering a unified defence against cybersecurity breaches.
For a CISO, the national CSIRT is an essential partner in managing cybersecurity risks.
- Expertise and Support: CSIRTs have a wealth of expertise and experience in dealing with cybersecurity incidents, and they can provide valuable support and advice in the event of a breach. This can be particularly useful for organizations that do not have extensive in-house cybersecurity resources.
- Information Sharing: CSIRTs often disseminate alerts and advisories about new threats and vulnerabilities. By maintaining close ties with the national CSIRT, a CISO can ensure they have access to the latest threat intelligence, helping them to protect their organization more effectively.
- Incident Reporting: Under the NIS2 directive, incidents must be reported to the national CSIRT. Therefore, a good relationship with the CSIRT can help streamline this process and ensure that the organization meets its regulatory obligations.
- Crisis Management: In the event of a major cybersecurity incident, the national CSIRT may coordinate the response and recovery efforts. The CISO must ensure that their organization can work effectively with the CSIRT in these situations.
A strong relationship with the national CSIRT is a crucial aspect of a CISO’s role, and can significantly enhance an organization’s ability to manage cybersecurity risks.
The Rise of the European Cyber Crisis Liaison Organisation Network
The European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is one of the significant players under the NIS2 directive. It represents a robust framework for coordination and cooperation between EU member states, strengthening Europe’s collective response to significant cybersecurity threats and incidents.
EU-CyCLONe will play several vital roles:
- Coordinating Response: EU-CyCLONe will be pivotal in managing cross-border cyber incidents and crises. It will coordinate the collective response of member states, ensuring a harmonized approach that helps mitigate the impact of such incidents and enables faster recovery.
- Improving Information Sharing: EU-CyCLONe will serve as a hub for exchanging information related to cybersecurity threats, incidents, and vulnerabilities. This will enable quicker dissemination of essential threat intelligence among member states, enhancing their ability to proactively address these threats.
- Facilitating Joint Exercises: The network will facilitate joint exercises designed to improve the preparedness and resilience of member states against cyber threats. These exercises will test and enhance each member state’s ability to respond to cyber crises effectively.
- Establishing Common Practices: Through collaboration and shared experiences, EU-CyCLONe will support the development of common practices and standard procedures for incident response. This will ensure a more uniform and efficient approach to managing cyber crises across the EU.
For CISOs, the establishment of EU-CyCLONe is a substantial development. It improves the predictability and effectiveness of the EU-wide response to cyber incidents, allowing for better planning and preparation. It also means that CISOs can expect increased support and guidance during significant incidents, and more opportunities to learn from the experiences of their peers in other member states.
EU-CyCLONe plays a crucial role in fostering a unified cybersecurity culture across Europe. By encouraging collaboration and mutual assistance, it contributes to the broader goal of creating a more resilient digital single market, which benefits businesses, consumers, and society as a whole. Therefore, CISOs must be aware of the role of EU-CyCLONe and understand how their organizations can engage with and benefit from this network.
How NIS2 Reinforces Shared Responsibility
The directive’s emphasis on improved cooperation solidifies the concept of shared responsibility. It puts forth a vision of cybersecurity as a common effort, making it crucial for CISOs to foster collaboration at all levels.
In the NIS2 framework, “shared responsibility” is particularly significant in two key aspects:
- Within Organizations: Within a single organization, the responsibility for cybersecurity is not limited to the IT department or the CISO. Instead, it is a duty shared across different roles and departments. Everyone, from top management to individual employees, plays a crucial part in ensuring cybersecurity. For instance, top management is responsible for setting the cybersecurity strategy and ensuring adequate resources, while employees need to follow best practices to avoid common cyber threats like phishing attacks.
- Across Sectors and Nations: The NIS2 Directive extends the principle of shared responsibility to a broader scale. It applies to a wide range of sectors considered essential or important for the EU’s economy and societal stability. The idea is that these sectors must work in collaboration, share information about threats and vulnerabilities, and adopt a consistent approach to managing cybersecurity risks. Similarly, all EU member states are required to cooperate, share information, and coordinate responses to cybersecurity incidents. This shared responsibility is institutionalized through mechanisms such as the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe).
The concept of shared responsibility acknowledges that in an interconnected digital landscape, the actions (or inactions) of one entity can have a ripple effect, impacting the cybersecurity posture of others. Therefore, effective cybersecurity requires collective effort and collaboration. This approach allows for better defense against cyber threats and a more coordinated response when incidents occur.
Conclusion
The revised NIS Directive (NIS2) represents a significant step forward in strengthening Europe’s cybersecurity posture. By expanding its scope to include more sectors, defining clear security requirements, mandating stringent incident reporting, and setting up a robust enforcement framework, NIS2 ensures a harmonized approach to cybersecurity across EU member states. It encourages a culture of shared responsibility, acknowledging that in our interconnected digital world, cybersecurity is a collective effort.
For Chief Information Security Officers, NIS2 introduces both challenges and opportunities. On one hand, CISOs must navigate increased responsibilities, ensure strict compliance, and develop robust incident reporting mechanisms. Particularly for those in essential sectors, there’s the added layer of proactive supervision. On the other hand, the directive provides a clear framework to guide their cybersecurity strategy, reduces inconsistencies across borders, and offers increased opportunities for cooperation and information exchange. It highlights the pivotal role that CISOs play in not just securing their own organizations but contributing to the broader cybersecurity ecosystem.
While NIS2 is an important milestone, it is part of a broader legislative landscape. The proposed DORA (Digital Operational Resilience Act) complements NIS2 by specifically addressing the cybersecurity needs of the financial sector. Also, the European Electronic Communications Code (EECC) has provisions impacting telecom providers offering certain digital services. In the context of rising global supply chain attacks, NIS2’s emphasis on supply chain security marks a crucial development.