The NIS2 Directive, the second Network and Information Security Directive, is a renewed and more robust legal framework in the European Union designed to strengthen cybersecurity in member states.
In this article we will provide a detailed overview of what NIS2 Directive is, the cybersecurity measures it imposes, its key dates, and how it affects companies and those obliged to comply with it.
What is NIS2
The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council) is an update of the original NIS Directive (Directive (EU) 2016/1148) on the security of network and information systems. Adopted on 14 December 2022 and published in the Official Journal on 27 December 2022, NIS2 responds to the increasing sophistication and frequency of cyber-attacks, as well as society's growing reliance on digital technologies.
NIS2 establishes a common framework for cybersecurity across the European Union, with the aim of improving the resilience of critical systems and essential services. It also extends its scope to a wider number of sectors and types of companies, and strengthens security requirements, including penalties for non-compliance.
Network and Information Security 2 (NIS 2) takes the legal form of a Directive: unlike a Regulation, it does not apply directly but must be transposed into the national law of each member state. Its main purpose is to strengthen cybersecurity at EU level, and it forms part of the EU Cybersecurity Strategy.
It broadens the scope of the previous regime in every respect, now covering a greater number of sectors and entities, which it classifies as "essential" or "important" for society and the economy, in sectors such as energy, health, transport and water, among others.
What is SRI2
SRI2 is simply the Spanish-language name for NIS2: Seguridad de las Redes y Sistemas de Información 2 (Security of Network and Information Systems 2). It is not a separate system or standard; Spanish texts use SRI2 where English texts use NIS2.
Under either name, the directive requires obligated entities to have the organized capability to detect, analyze, contain and mitigate security incidents that may compromise the continuity of their operations. This rests on a set of policies, procedures and tools that let organizations not only respond to cybersecurity incidents but also anticipate and manage them; the directive emphasizes prevention and preparedness rather than reacting only after an incident occurs.
In practice this means both risk management and the obligation to report significant incidents to the competent authorities within specific timeframes, so that potential damage is minimized and authorities can intervene in a timely manner.
NIS2 measures
The NIS2 Directive introduces a number of cybersecurity measures that companies and organizations must implement to meet its requirements. These measures are more stringent than those of the original NIS Directive and are designed to address current threats in the digital landscape. The main measures are summarized below:
- Assessment and risk management: Organizations should conduct ongoing assessments of the risks associated with the security of their networks and information systems. This includes identifying threats, assessing vulnerabilities and implementing controls to mitigate risks.
- Access control: The directive imposes the need to implement strict access controls to critical systems and data. This includes the use of multi-factor authentication (MFA) to ensure that only authorized personnel can access certain resources.
- Data and systems protection: Organizations should implement technical measures to protect their data and systems from cyber threats. This may include data encryption, network segmentation, and the implementation of firewalls and intrusion detection systems.
- Corporate responsibility: The top management of organizations must approve and supervise the cybersecurity measures implemented, being responsible for the consequences of any non-compliance.
- Reporting obligations: Organizations are required to notify the competent authority or CSIRT of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours (with an initial assessment of severity and impact and any indicators of compromise), and a final report no later than one month after that notification. Authorities may also request intermediate status updates while the incident is being handled.
NIS 2-Specific cybersecurity measures
NIS 2 also prescribes concrete cybersecurity measures. Article 21(2) of the directive lists ten minimum measures that entities must adopt, among them multifactor authentication, cryptography and encryption policies, and supply chain security.
Together these measures are designed to cover a broad spectrum of the vulnerabilities and risks associated with the information systems and networks of the obligated entities.
- Organizational Security Policies: Organizations should conduct regular risk assessments to identify potential threats to their information systems. Based on these analyses, they should develop and update security policies that address the identified risks, ensuring that the measures implemented are proportional to the magnitude of the risks.
- Cryptography Policies and Procedures: Cryptography is essential to protect the confidentiality and integrity of data in processes such as electronic signatures. NIS2 requires organizations to have clear policies for the implementation of cryptography, including the proper use of encryption techniques in all communications and storage of sensitive data.
- Incident Response and Notification Plan: It is crucial that organizations have a detailed plan for managing cybersecurity incidents. This plan should include procedures for incident detection, analysis, containment and mitigation, as well as an effective communication process for informing stakeholders and relevant authorities.
- Supply Chain Security: Organizations must ensure that their suppliers and supply chain partners also comply with cybersecurity regulations. This includes continually assessing supply chain risks and implementing contracts that stipulate cybersecurity obligations.
- Multifactor Authentication: NIS2 lists the use of multifactor authentication (MFA) or continuous authentication solutions among its minimum measures, to be applied where appropriate. In practice this means that, in addition to a password, users must present a second factor before reaching critical systems, which adds an extra layer of protection against unauthorized access with stolen credentials.
- Cyber Hygiene and Cybersecurity Training: Ongoing cybersecurity training is essential for all employees to understand best practices and emerging threats. This includes regular cyber hygiene training, such as updating passwords, recognizing suspicious emails, and safe web browsing.
- Security Procedures for Sensitive Data: Organizations must implement strict procedures for managing sensitive data. This includes policies on who can access this data, how it is handled and how it is protected against unauthorized access or security breaches.
- Business Continuity Plan: NIS 2 requires organizations to be prepared to ensure operational continuity during and after a cyber incident. This involves having up-to-date backups, redundant systems and clear procedures for restoring critical systems.
- Vulnerability Management: Organizations should establish processes to identify and correct vulnerabilities in their information systems. This includes implementing security patches, updating software and periodically reviewing the infrastructure for potential weaknesses.
- Emergency Communication and Internal Encryption: In emergency situations it is critical that internal communication is secure. NIS2 therefore calls, where appropriate, for secured voice, video and text communications and secured emergency communication systems within the entity, so that sensitive information is not intercepted during an incident.
These ten measures form the basis for a comprehensive approach to cybersecurity under NIS2, ensuring that organizations are better prepared to deal with today's cyber threat landscape and meet the standards required by the European Union. Note that the directive's own list in Article 21(2) groups some of the items above differently and additionally requires policies and procedures to assess the effectiveness of the risk-management measures themselves, so that list should be consulted when mapping controls to the legal text.
Dates and calendar for NIS2 Directive
The NIS2 Directive was formally adopted in December 2022, and its implementation in EU member states follows a specific timetable. A summary of the key dates is given below:
- December 14, 2022: Adoption of the NIS2 Directive by the European Parliament and the Council; publication in the Official Journal on December 27, 2022.
- January 16, 2023: Entry into force of the NIS 2 Directive, the twentieth day after publication.
- 21 months from entry into force: Member states had until October 17, 2024 to transpose the directive into national law. By that date each state must have adapted its legal framework to comply with the requirements of NIS2.
- From October 18, 2024: Organizations subject to the Directive must comply with the obligations it sets out. Companies must have implemented the cybersecurity measures and be prepared for inspections and audits by national authorities.
NIS 2 in Spain and the EU
The NIS2 Directive has a significant impact on all EU member states, including Spain. As an EU directive, it requires each country to transpose its requirements into national legislation.
In Spain, the transposition of the first NIS Directive, Royal Decree-Law 12/2018 on Network and Information Systems Security (developed by Royal Decree 43/2021), must be updated or replaced to incorporate the mandates of NIS2. The National Cryptologic Centre (CCN) and the National Cybersecurity Institute (INCIBE) will play crucial roles in implementing and monitoring compliance with the directive.
At the EU level, NIS2 seeks greater harmonization in cybersecurity policies among member states. Previously, differences in the implementation of the original NIS Directive created gaps in cybersecurity within the EU. With NIS 2, the European Commission has introduced more uniform measures, including standardized criteria for identifying critical sectors and services, and greater powers for national authorities.
Sectors that are particularly affected by NIS 2 Directive in the EU include transportation, energy, banking, digital infrastructure, healthcare, water, and public administration. These industries are considered critical to the functioning of society, and as such, are subject to strict cybersecurity requirements under the new directive.
How does NIS 2 Directive affect companies? Compliance and obligations
NIS2 Directive has a significant impact on companies in the European Union, especially those considered essential or important. These companies will be required to conduct comprehensive risk assessments and adapt their security measures to the new requirements. In addition, the top management of these organizations will have direct responsibility for overseeing and approving cybersecurity policies, and may be sanctioned in the event of non-compliance.
Expansion of the scope of application
One of the main new features of NIS2 is the broadening of the scope of application compared to the original NIS Directive.
While the first directive focused on operators of essential services and digital service providers, NIS 2 covers a wider range of sectors: alongside energy, transport, banking, financial market infrastructures, health, drinking water and digital infrastructure, it adds wastewater, public administration, space, ICT service management, postal and courier services, waste management, the chemical and food industries, manufacturing, digital providers and research, among others. In addition, the European NIS2 Directive introduces a size-based approach to determining which entities are in scope.
Stricter compliance requirements
Companies bound by NIS2 must comply with a more stringent set of requirements than under the original directive. In addition to the measures described in the previous sections, they must adopt any further technical, operational and organizational security measures that are appropriate and proportionate to the risks they face.
Penalties for noncompliance
NIS2 introduces more severe penalties for companies that fail to comply with the requirements of the directive. Administrative fines can reach at least €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities.
In addition, national authorities have the power to order companies to take corrective action where deficiencies in their cybersecurity posture are detected. In the most serious cases involving essential entities, authorities may temporarily suspend certifications or authorisations for the relevant services and temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions until the deficiencies are remedied.
Senior Management Responsibility
Another important new feature of NIS2 is the direct responsibility it imposes on senior management. Managers must now be directly involved in cybersecurity governance and ensure that security policies and measures are effectively implemented throughout the organization.
This implies that cybersecurity is not only a technical issue, but also a strategic issue that needs to be addressed at the board level.
NIS2 regulation requirements and obligated parties
NIS2 Directive sets out specific requirements that must be met by obligated organizations. These requirements fall into two main categories: technical and organizational measures, and incident reporting requirements.
Technical and organizational measures
Organizations must implement a series of technical and organizational measures that are appropriate and proportionate to the level of risk. These measures include:
- Periodic risk assessments
- Cybersecurity policies
- Access controls and authentication
- Physical and logical infrastructure protection
- Business continuity management
Incident reporting requirements
In the event of a significant incident, that is, one that causes or could cause severe operational disruption or financial loss, or that affects other persons by causing considerable damage, organizations must notify the competent authority or CSIRT. An early warning is due within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. The incident notification that follows within 72 hours must then include details on:
- The nature and extent of the incident.
- The impact on the services or assets affected.
- Measures taken to mitigate the impact of the incident.
- Any other relevant information that may assist the authorities in assessing the situation and coordinating an appropriate response.
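The staged clock (24 hours, 72 hours, one month) is easy to get wrong in practice, because the final report is counted from when the incident notification was actually filed, "one month" is a calendar month, and an incident that is still being handled when the final report falls due is treated differently. The following is an added Python example, not code from the original article, that computes each deadline from the moment of awareness and classifies each deliverable as on time, late, pending, overdue or deferred. It assumes the clock starts at awareness (not detection), that a calendar month is meant, and that the final report is due one month after the notification was submitted (or after the 72-hour deadline if it has not been). The sample timeline at the bottom is constructed.

```python
"""Deadline tracker for the staged NIS2 (Article 23) incident reporting sequence.

Added example, not code from the original article. Assumptions: the clock starts
when the entity becomes aware of the significant incident; "one month" is one
calendar month; the final report is due one month after the incident notification
was actually submitted (or after its 72 h deadline if it was not). Standard library only.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING = "early_warning"                  # 24 h after awareness
INCIDENT_NOTIFICATION = "incident_notification"  # 72 h after awareness
FINAL_REPORT = "final_report"                    # 1 month after the notification

UTC = timezone.utc


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def add_calendar_month(moment: datetime) -> datetime:
    """Advance one calendar month, clamping the day (31 Jan -> 28/29 Feb)."""
    year_carry, month_index = divmod(moment.month, 12)   # month 12 -> (1, 0)
    year, month = moment.year + year_carry, month_index + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def deadlines(aware_at: datetime, submitted: dict[str, datetime] | None = None) -> dict[str, datetime]:
    """Return the deadline for each deliverable, given what has been filed so far."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; regulators compare absolute times")
    submitted = submitted or {}
    notification_deadline = aware_at + timedelta(hours=72)
    # The final report is counted from the notification's actual filing time.
    final_base = submitted.get(INCIDENT_NOTIFICATION, notification_deadline)
    return {
        EARLY_WARNING: aware_at + timedelta(hours=24),
        INCIDENT_NOTIFICATION: notification_deadline,
        FINAL_REPORT: add_calendar_month(final_base),
    }


@dataclass(frozen=True)
class Status:
    deadline: datetime
    submitted_at: datetime | None
    state: str  # on_time | late | pending | overdue | deferred


def report_status(aware_at: datetime, submitted: dict[str, datetime], now: datetime,
                  incident_ongoing: bool = False) -> dict[str, Status]:
    """Classify every deliverable relative to its deadline at time `now`."""
    result: dict[str, Status] = {}
    for name, deadline in deadlines(aware_at, submitted).items():
        filed = submitted.get(name)
        if filed is not None:
            state = "on_time" if filed <= deadline else "late"
        elif name == FINAL_REPORT and incident_ongoing and now >= deadline:
            # Incident still being handled when the final report falls due: a progress
            # report is owed now and the final report one month after handling ends.
            state = "deferred"
        elif now > deadline:
            state = "overdue"
        else:
            state = "pending"
        result[name] = Status(deadline, filed, state)
    return result


def overdue_items(status: dict[str, Status]) -> list[str]:
    """Names of deliverables that were filed late or are currently overdue."""
    return sorted(name for name, s in status.items() if s.state in ("overdue", "late"))


if __name__ == "__main__":
    # Constructed sample timeline: awareness on 31 Jan 2024 (a leap year), UTC.
    aware = utc(2024, 1, 31, 10)
    filed = {
        EARLY_WARNING: utc(2024, 2, 1, 9),            # 23 h after awareness: on time
        INCIDENT_NOTIFICATION: utc(2024, 2, 4, 12),   # 74 h after awareness: late
    }
    for name, s in report_status(aware, filed, utc(2024, 2, 10)).items():
        print(f"{name:22s} due {s.deadline.isoformat()}  -> {s.state}")
```

Run it as a script to see the sample timeline; in an incident tracker you would call `report_status` on a schedule and alert on anything `overdue_items` returns. Timestamps are required to be timezone-aware so that a notification filed from a different office is compared on the same clock as the regulator's.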
Obligated parties
- Essential Entities: Mainly large entities in the high-criticality sectors of Annex I (such as energy, transport, banking, health, drinking water and digital infrastructure), plus certain entities designated regardless of size, for example qualified trust service providers, DNS service providers and top-level domain registries, and central government public administration.
- Important Entities: The remaining entities in scope that are not classed as essential: medium-sized entities in the Annex I sectors and medium-sized and large entities in the Annex II sectors, for example postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research.
Obligated entities must implement rigorous policies and procedures, ensure cybersecurity training and awareness, and be prepared to respond quickly to any incident. The main sectors affected include:
- Energy and utilities: Companies operating in the electricity, gas, oil and other energy resources sectors.
- Transportation: Air, sea, rail and road transportation companies.
- Banking and finance: Financial institutions and stock market operators.
- Digital infrastructures: Internet exchange points, DNS service providers, top-level domain registries, cloud computing and data centre providers, content delivery networks, trust service providers and public electronic communications networks and services.
- Health: Organizations operating in the health sector, including pharmaceutical companies and hospitals.
- Water supply: Companies that manage water supply and treatment.
- Public administration: Government entities and other essential public institutions.
Each of these sectors is subject to a specific set of requirements, tailored to the nature of the services they provide and the level of risk they face.
As far as size is concerned, there are very significant modifications. Thus, medium-sized and large companies operating in the sectors covered by the directive are automatically included, regardless of their level of criticality. This means that a greater number of companies in the EU will be subject to the cybersecurity requirements, even if they are not considered critical under the previous directive.
In summary, the NIS2 Directive represents a significant strengthening of cybersecurity standards in Europe, with a focus on critical infrastructure protection and corporate responsibility in cyber risk management. Companies must prepare to meet these new requirements, which apply from October 2024.
It is critical that companies and organizations understand the obligations imposed by NIS2 and take proactive steps to comply with them. With the October 2024 application date in view, preparing for and adapting to NIS 2 should be high on the agenda of any affected company.
RegTech Services for NIS2 compliance
With the implementation of NIS2 Directive, organizations face the need to adapt to a stricter and more complex regulatory framework. This is where RegTech (regulatory technology) services come into play, providing tools and technology solutions to help companies comply with regulatory requirements in an efficient and automated manner.
In the context of NIS2, RegTech services enable organizations to automate the monitoring, analysis and implementation of cybersecurity measures required by the directive.
- Compliance Automation: RegTech tools can automate the collection and submission of compliance reports, helping organizations meet the staged incident reporting deadlines set by NIS2 (24 hours, 72 hours and one month).
- Continuous Security Monitoring: RegTech platforms can provide continuous monitoring of security systems with alerting modules, allowing early detection of vulnerabilities and automated deployment of patches and updates.
- Risk Assessment and Management: Advanced RegTech tools offer real-time risk assessment capabilities, helping companies identify and mitigate risks before they become security incidents.
- Audits and Reporting: NIS2 subjects obligated entities to supervision and regular security audits. RegTech services facilitate these audits by providing detailed and accurate reports that meet regulatory requirements.
- Communication Security: Since NIS2 calls for secured emergency communication systems and secured voice, video and text communications within the entity, RegTech solutions can integrate secure communication channels, electronic notifications and digital signatures that meet these requirements.
- Forensic Analysis and Incident Response: In the event of a cybersecurity incident, RegTech tools can generate end-to-end audit trails with timestamped events, giving full traceability of the operations involved, supporting forensic analysis and assisting in containment and recovery.
Process automation significantly reduces the costs associated with compliance management and extends the same rigour to other company operations. RegTech solutions ensure greater accuracy and consistency in the implementation of cybersecurity measures, minimizing the risk of human error. Instead of reacting to audits and sanctions, companies can take a proactive and automated approach, ensuring ongoing compliance and improving their security and anti-fraud controls.
In conclusion, RegTech SaaS services and solutions are becoming an essential tool for companies looking to effectively comply with NIS2 Directive, ensuring not only regulatory compliance but also a significant improvement in their overall cybersecurity.