In the wake of increased cyber-attacks on national critical infrastructure, authorities around the world are imposing stricter requirements on the organizations their populations rely on for a wide range of essential services. This includes a wide and growing number of private companies, which should be preparing now to meet their new obligations.
Notably, the EU issued the Network and Information Security (NIS) Directive in 2016, and the US saw the introduction of Executive Order 14028 on Improving the Nation's Cybersecurity in 2021. European authorities are now going further with an update to the NIS Directive, known as NIS2, whose requirements are expected to apply through national law by the second half of 2024.
Like its predecessor, NIS2 aims to protect critical organizations and infrastructure within the EU from cyber threats and to achieve a high level of common security across the EU by focusing on organizations that provide essential services.
However, unlike its predecessor, NIS2 has a much wider scope, going beyond traditional critical national infrastructure providers to include a range of organizations that are essential for the normal functioning of society, including both EU and non-EU organizations that offer their services in the EU and will have to ensure their compliance in future.
NIS2 also includes stricter security requirements, reporting obligations, and enforcement sanctions, so it is important that organizations covered by NIS2 are not only aware of their new obligations, but also know how to begin preparing now to ensure they comply with the laws based on the directive which are expected to emerge in late 2024.
The NIS2 update has been driven by the fact that since NIS in 2016, everyday life has become far more dependent on network-delivered digital systems as a result of digital transformation, which has massively expanded the cybersecurity attack surface.
In response to the changes brought about by digital transformation, which has been accelerated by the Covid-19 pandemic, the NIS2 directive increases requirements in five areas:
- The types of organizations covered
- Cooperation across the EU
- Security measures
- Reporting obligations
- Enforcement sanctions
Perhaps the most important one to note is the widened scope of application. While NIS had different rules for operators of essential services and digital service providers, NIS2 merges these together and applies to "essential and important entities", which effectively extends the scope of the directive to cover organizations across a wider range of sectors, including, for example, data centers, content delivery networks, trust service providers, providers of public electronic communications networks, and social networking platforms.
Under the NIS2 Directive, this wider group of organizations will have the benefit of increased cooperation and coordination of incident response across EU member states, including coordinated disclosures of newly-discovered vulnerabilities and the use of European cybersecurity certification schemes.
In addition to requiring essential and important entities to implement appropriate and proportionate security measures, NIS2 also imposes governance requirements, such as regular training at the board level, accountability of senior management for ensuring adequate security standards, and ensuring that appropriate risk analyses are performed.
NIS2 expands the range of security incidents that must be notified to the relevant authorities to include any incident that has caused or could cause severe operational disruption of the service or financial loss for the entity concerned, and any incident that has affected or could affect other persons by causing considerable material or non-material damage. It also shortens the time allowed for notification: an early warning is due within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month.
And finally, NIS2 introduces a minimum list of administrative sanctions for breaches of the rules on cybersecurity risk management or incident reporting. The sanctions include fines of up to €10 million or 2 % of the essential entity's total worldwide annual turnover, whichever is higher, and up to €7 million or 1.4 % of the important entity's total worldwide annual turnover, whichever is higher.
KuppingerCole recommends that organizations adopt the concept of a security fabric to support a consistent approach to cyber security and to compliance with the multiple laws and regulations that apply across the various delivery models.
All organizations need to take steps to improve their cyber resilience and the NIS2 directive provides a useful framework for this. This updated directive will place obligations for cyber resilience on more organizations - you must check whether your organization is within its scope. Whether or not this is the case you should take action to ensure that your organization's resilience to cyber-attacks is adequate. Even if the obligations of the directive do not apply, meeting them would help in this respect.
— Mike Small, Senior Analyst, KuppingerCole.
Because we understand the importance of cyber resilience, particularly for critical infrastructure providers, and because we are committed to helping your business succeed, KuppingerCole has a great deal of related content available in a variety of formats.
To find out which organizations will have to comply with the updated NIS Directive, what technical recommendations they will have to comply with, and recommendations on what actions to take to prepare ahead of the directive’s transposition into law, have a look at the recently published Leadership Brief on the EU NIS2 Directive.
For further information on the Cybersecurity Fabric model referenced in the recommendations of the above report, please click here.
As noted earlier, all organizations need to improve their cyber resilience, and the NIS2 directive provides a useful framework for this. To read more about how to achieve cyber resilience, have a look at this Leadership Brief entitled: Cyber Hygiene: The Foundation for Cyber Resilience.
Increased cooperation and coordination of incident response across EU member states is a key element of NIS2. To find out why all organizations should invest in an Incident Response Management Plan, have a look at this Leadership Brief on Incident Response Management.
For a comparison of the US Executive Order 14028, the EU Network and Information Security (NIS) Directive, and IT Security Act (IT-SIG) 2.0, have a look at this Advisory Note on Federal Regulations on Cybersecurity, which demonstrates the relationship between these national regulations and future developments in cybersecurity.
This Advisory Note on Cyber Risk – Choosing the Right Framework looks at the frameworks that organizations can adopt to help them manage the cyber risks that could impact their businesses in the digital era, that include NIS and eventually its successor, NIS2.
Discover why there needs to be closer alignment and integration between business continuity and cyber security teams, and find out how to achieve this to reduce the impact of cyber-attacks, in this Advisory Note on Business Continuity in the Age of Cyber Attacks.
And get a foundation for rating the current state of your cyber security projects and programs in this Advisory Note on a Maturity Level Matrix for Cyber Security.
Get a more immersive update on what suppliers of utilities, healthcare, transport, communications, and other services can expect in the NIS2 Directive by watching this Webinar on The Changing Scope of the NIS 2 EU Directive.
If your organization is covered by legislation based on the NIS Directive and the coming NIS2 directive, you may be interested in signing up for this Master Class on Business Resilience Management, which, although inspired by the pandemic crisis, is designed to help organizations know exactly what actions to take in any crisis, including a cyber-attack on critical infrastructure.
Organizations investing in technologies to improve cyber resilience can have a look at some of the related technology solutions that we have evaluated in the following Leadership Compass and Market Compass reports:
The detection of malware and preventing it from executing is fundamental to cyber defense and cyber resilience. To find out more about solutions that can detect and prevent malware from executing on endpoints, have a look at this Leadership Compass on Endpoint Protection Detection & Response.
Similarly, to find out more about solutions that help security analysts discover evidence of malicious activity on the network and in the cloud, have a look at this Leadership Compass on Network Detection & Response (NDR).
And to find out more about how to create the foundation for a comprehensive set of identity services that provide seamless and controlled access for everyone to every service, have a look at this Leadership Compass on Identity Fabrics.
To learn more about solutions that provide backup, restoration, and disaster recovery of IT service data into the cloud, in the context of the hybrid IT service delivery environment that is now commonly found in medium to large organizations, have a look at this Market Compass on Cloud Backup and Disaster Recovery.
And finally, for an overview of the market for solutions designed to protect sensitive data, have a look at this Market Compass on Enterprise Information Protection.