The first NIS Directive on network and information security in the European Union has, since May 2018, required improvements to the cyber security of particularly critical infrastructure systems that provide important utility functions. These include sectors such as healthcare, energy and water, transport and financial markets. The NIS Directive has been criticised for the overly open formulation of its specifications and for a lack of monitoring of its practical application and implementation.
The European Commission first proposed the second updated Network and Information Security Directive (NIS 2) in December 2020. Its content was finalised in May 2022. NIS 2 additionally includes the areas of crisis and incident management as well as provisions for improved risk management in organisations. It also regulates the use of encryption, security testing and management, and vulnerability disclosure.
Version 2 of the NIS Directive represents a new attempt to enforce a unified European cyber security strategy. The focus is on modernising the security of critical services in the EU. NIS 2 will be linked to the forthcoming law on cyber resilience. [1] [2]
Most significant change in NIS 2: Extension to more companies
Many companies have already experienced the impact of cyber attacks, very often based on ransomware. The NIS 2 Directive takes this into account by expanding its scope to 16 sectors or industries with utility functions. In addition, all larger industrial companies are included.
Best practices for improving cyber security are now mandatory. Non-compliance with the risk management recommendations can result in significant fines. The regulation is cushioned by a “size-cap” rule so as not to burden small companies with too much bureaucracy. A German source gives companies with fewer than 50 employees and a turnover of 10 million euros per year as the limit; concrete implementation projects for Austria have not yet been identified. [3]
Further changes in the updated NIS 2 Directive
- Companies and organisations need an improved risk management approach. They also need to consider and include their supply chains and dependencies on partner companies.
- National authorities have a monitoring and control function.
- Non-compliance with the directive will lead to penalties. Public bodies are exempt from this. Boards of directors and supervisory boards can be held accountable for non-implementation.
- Reporting obligations: Organisations must report cyber security incidents to the competent authorities within 24 hours.
- NIS 2 will also apply to public administration at central and regional level. In addition, Member States may include the local level.
The main extensions thus concern active risk management and the expansion to include more industrial companies in order to improve cyber security across the EU.
When is the NIS 2 directive coming?
The now completed draft of the NIS 2 Directive still has to be approved by the EU Parliament by majority vote. Forecasts assume that this can still happen in 2022. After that, the EU member states have 21 months from the directive's entry into force to transpose its provisions into national law.
Recommendations:
CISA Guide: Securing operational technologies from ransomware attacks
Defense in Depth: Multi-layer approach for lived OT security
Sources:
[3] https://www.openkritis.de/it-sicherheitsgesetz/eu-nis-2-direktive-kritis.html