What is the NIS2 Directive?
NIS2 Directive (Network and Information Security), is the EU-wide legislation on cybersecurity. It provides for legal measures boost the overall level of cybersecurity in the EU.
The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive which came into force in 2023. It modernized the existing legal framework to keep up with increased digitalization and an evolving cybersecurity threat landscape. It further enhances the resilience and responsiveness of public and private entities, competent authorities and the EU as a whole.
Why the need for NIS2?
The Directive on measures to ensure a high common level of cybersecurity in the Union (the NIS 2 Directive) sets out legal measures to boost the overall level of cybersecurity in the EU by ensuring:
• The preparedness of Member States, requiring them to be properly equipped. For
for example, with a Computer Security Incident Response Team (CSIRT) and a
National Authority for Networks and Information Systems (NIS),
• Cooperation between all Member States, through the establishment of a Cooperation Group
support and facilitate strategic cooperation and information exchange between
Member States.
• A culture of security in all sectors that are vital to our economy and society and rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructure, health and digital infrastructure.
Undertakings identified by Member States as operators of essential services in the they shall take appropriate security measures and notify the national competent authorities in the event of major incidents. Providers of key digital services, such as search engines, cloud IT services and online marketplaces, will have to comply with the security requirements and notification requirements under the Directive.
When will NIS2 Directive come into force?
NIS2 entered into force with EU member states required to transpose the directive into national law by October 17, 2024. Organizations covered by the directive must comply with the national legislation implementing NIS2 by this deadline.
Who will be affected by the NIS2 Directive?
NIS2 typically applies to public and private sector organizations that offer specific critical services or infrastructure, meet the criteria for medium or large enterprises, and operate within the EU. However, some entities will be subject to the new regulations regardless of their size, and Member States may include additional entities under NIS2. Furthermore, the supply chains of these covered entities might also be indirectly impacted by NIS2. A key aspect of the NIS2 Directive involves policies, processes, and controls for evaluating supply chain security, which includes managing third-party and fourth-party risks.
NIS2 Directive objectives
The main provisions of NIS2 are identified below:
- Mandates and provides guidelines for national cybersecurity strategies.
- Sets out the requirements and technical capacities of national CSIRTs, and the exchange of information.
- Establishes cybersecurity risk management and reporting obligations for two categories of entities: essential entities and important entities.
- References to EU certification schemes and compliance with standards.
With specific regard to the energy sector, EE-ISAC considers that there are potentially many areas for future public-private, and private-to-private cooperation to achieve greater resilience in essential infrastructure and services. Good cooperation between relevant stakeholders has been established, but there needs to be more proactive and a formal communication framework among the national competent authorities (NCAs), the computer security incident response team (CSIRTs), the NIS Cooperation Group and the ISACs is required to facilitate such cooperation.
Threat intelligence feeds provide a wealth of information that needs to be customized and translated into actionable and actionable intelligence. Reported issues include the cost of the threat intelligence and no specifications for the energy sector or critical infrastructures Operators. Actions are being decided and prioritized, but without knowing whether the intelligence sources subscribed to are sufficient or adequate. EE-ISAC currently aims to meet some of these needs through its MISP platform by developing threat intelligence to the energy sector. The Association aims to enrich the threat intelligence community with interesting insights into threat trends and attack schemes affecting the energy sector. In addition, any European ISAC plays a critical role in analyzing, at an international level, weak signals and any element that is not yet classified as a threat but could be significant in terms of ex-post incident analysis and reporting.
The Group’s overall mission is to achieve a high common level of security for networks and information systems in the European Union. It supports and facilitates strategic cooperation and exchange of information between EU Member States.
The NIS Cooperation Group is composed of representatives of the EU Member States, European Commission and the EU Agency for Cybersecurity (ENISA). The Presidency is the position held by the Member State holding the Presidency of the Council of the European Union (EU).
The information exchange models within the NIS2:
Enterprises-enterprises Article 26 requires companies to exchange cybersecurity information with each other within communities of trust, NIS2 now obliges companies to join an ISAC and report their participation to their national authority.
Enterprises-national authorities Article 20 requires companies to report incidents and to report threats that could have led to an incident.
National authorities-national authorities Article 11 requires cooperation between competent authorities, CSIRTs and single windows (SPOCs) within each Member State, in the provision of information on risks, threats and incidents.
The NIS 2 Directive identifies cybersecurity risk management requirements or essential and important entities in the EU Member States.
Cybersecurity Risk Management Measures:
- Manage the risks posed to the security of networks and information systems, entities used for their operations or for the provision of their services.
- Prevent or minimize the impact of incidents on the recipients of its services and other services.
Cybersecurity risk management measures, which comprise the risk management requirement and an incident impact requirement, do not focus on the prevention of cyberattacks, but instead focus on limiting the impact of cyberattacks on the ability of specific networks and information systems to withstand incidents and limiting the impact of incidents on the recipients of their services and on other services.
The consequence is that cyberattacks with severe and persistent impacts on the entity’s essential and important network and information systems are permitted by the risk management requirement and incident impact requirement, if they do not affect the ability of a specific network and information systems to withstand incidents or impact the recipients of its services and other services.
Critical and important entities can receive significant assistance in the selection of effective, appropriate and proportionate measures under the risk management requirement and the incident impact requirement by taking the following measures during reconnaissance: assessment of their reconnaissance footprint, scanning for internal resource vulnerabilities, in-depth penetration testing, internal threat intelligence and external threat intelligence reviews, and threat modeling.
Incident reporting obligations are covered in NIS 2 by Article 23 – Reporting obligations that EIEs must notify without undue delay to their CSIRT or, where applicable, their authorities, of any incident that has a significant impact on the provision of their services. It is for Member States to ensure that essential and important entities communicate, without undue delay, to the recipients of their services that are affected by a significant cyber threat, any measures or remedies that those recipients may take in response to that threat. Where appropriate, entities shall also inform those recipients of the significant cyber threat itself.
An incident is considered significant if:
- Has caused or is likely to cause serious operational disruption to services or financial loss to the entity concerned.
- Has affected or is likely to affect other natural or legal persons significant material or non-material damage.
The entities concerned submit to the CSIRT or, where appropriate, to the competent authority:
- Without undue delay and, in any event, within 24 hours of the date on which it became aware of the significant incident, an early warning, which shall, where appropriate, indicate whether the significant incident is suspected to have been caused by unlawful or malicious acts, or could have a cross-border impact.
- Without undue delay and in any event within 72 hours of the date on which it becomes aware of the significant incident, an incident notification which, where applicable, shall update the information referred to in the previous point and indicate an initial assessment of the significant incident, including its severity and impact, and where available, the Indicators of Compromise.
- At the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant situation updates.
- A final report no later than one month after the submission of the incident notification, including the following: a detailed description of the incident, its severity and impact; the type of threat or root cause that is likely to have triggered the incident; mitigation measures implemented and underway; if applicable, the impact of the incident.