The Directive has received its official name: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures to ensure a high common level of cybersecurity throughout the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
It was published in the Official Journal on December 27, 2022 and entered into force on January 16, 2023.
It must be transposed into national legislation by each Member State no later than October 17, 2024.
The NIS 1 Directive
The 2016 version of the NIS Directive, known as NIS 1, focused on three main axes:
- To achieve a high level of preparedness among Member States, the NIS Directive required Member States to adopt a national strategy on the security of networks and information systems. Member States were also required to designate national computer security incident response teams (CSIRTs) responsible for handling risks and incidents, a competent national authority, and a single point of contact (SPOC). The SPOC serves as a liaison to ensure cross-border cooperation among the authorities of its Member State, the competent authorities of other Member States, and the NIS Cooperation Group.
- The NIS Directive established the NIS Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States, and the CSIRT network that promotes rapid and effective operational cooperation between national CSIRTs.
- The NIS Directive aimed at ensuring the adoption of cybersecurity measures in seven sectors vital to the economy and society and heavily reliant on ICT, namely energy, transportation, banking infrastructure, financial market infrastructure, drinking water, healthcare, and digital infrastructure.
More Affected Sectors
With the NIS 2 Directive, the list of affected sectors has significantly expanded with a distinction:
- “Sectors of high criticality” are identified in Annex 1: energy; transportation; banking sector; financial market infrastructure; healthcare; drinking water; wastewater; digital infrastructure; ICT service management; public administrations; space.
- “Other critical sectors” are identified in Annex 2: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, transformation and distribution of foodstuffs; manufacturing; digital suppliers; research.
As one can see, the list is extensive. According to some estimates, the number of affected businesses has increased tenfold compared to the first NIS Directive.
As a corollary of this new sectoral approach, the distinction between Operators of Essential Services and Digital Service Providers, used in the previous Directive, disappears. The goal is to prevent Member States from determining themselves which entities fall within the perimeter of the Directive, with the ultimate aim of harmonizing the sectors concerned as comprehensively as possible.
“Essential” and “Important” Entities
According to NIS 2, entities operating within the sectors identified above are grouped into two categories, depending also on size and annual turnover:
- Entities that employ more than 50 people and have a turnover of more than 10 million euros are considered “essential”;
- Entities that do not meet these thresholds but belong to the identified sectors are considered “important.”
Public administration and the public sector have specific rules.
A Holistic Approach
The Directive requires affected entities to take a holistic approach: cybersecurity risks must be considered comprehensively.
For example, companies will need to consider risks associated with the value chain (subcontractors, suppliers, etc.). The logic is straightforward: if a vaccine manufacturer operates flawlessly but lacks glass vials to deliver the product due to a cyberattack at its vial supplier, the entire vaccine production is halted.
Involved and Responsible Management
The leaders of essential and important entities are more involved and, in some cases, held accountable.
This is the spirit of Article 20, titled “governance,” which states:
- Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.
- Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
Heavy Obligations
Under NIS 2, Member States are required to ensure that essential and important entities take appropriate and proportionate technical, operational, and organizational measures to manage the risks threatening the security of networks and information systems that these entities use in their activities or the provision of their services, and to eliminate or reduce the consequences of incidents on the recipients of their services and other services.
The message is clear: adopting technical measures alone is not enough; such measures must also be operational and organizational. It is therefore not advisable to delegate the issue to the IT department alone.
These measures are based on an “all-hazards” approach aimed at protecting networks and information systems and their physical environment against incidents, and they include at least:
- policies related to risk analysis and information system security;
- incident management;
- business continuity (such as backup management) and crisis management;
- supply chain security, including security aspects related to the relationships between each entity and its suppliers or direct service providers;
- security in the acquisition, development, and maintenance of networks and information systems, including vulnerability handling and disclosure;
- policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
- basic cybersecurity hygiene practices and cybersecurity training;
- policies and procedures related to the use of cryptography and, where applicable, encryption;
- human resource security, access control policies, and asset management;
- the use of multi-factor authentication or continuous authentication, secure voice, video, and text communications, and secure emergency communication systems within the entity, where appropriate.
The aim of these measures is to ensure, for networks and information systems, a level of security appropriate to the existing risk, taking into account the state of the art and, where relevant, applicable European and international standards, as well as the cost of implementation.
When assessing the proportionality of these measures, due consideration must be given to the entity’s exposure to risks, its size, and the likelihood of incidents occurring and their severity, including their societal and economic consequences.
Increased Coordination
The functioning of the system rests on three types of actors:
- Computer Security Incident Response Teams (CSIRTs). These are centers established by (and in) each Member State, in accordance with the NIS 1 Directive, in charge of responding to security incidents.
- The NIS Cooperation Group, which drafts guidelines for national authorities and coordinates their action.
- EU-CyCLONe (European cyber crisis liaison organisation network), a new entity responsible for responding to large-scale incidents.
The interaction between these three stakeholders should ensure increased cross-border cooperation.