All 27 members of the European Union, on May 19, agreed to bring in tougher cybersecurity rules with their agreement on the new Network and Information Security (NIS2) Directive, which was first proposed in December 2020.
The new measures, created in response to increased digitisation and the rise of malicious cyber activity globally, look to boost the cyber resilience of entities across a range of sectors deemed critical for the economy and society. Unlike the 2016 NIS directive, the new Directive includes healthcare, medical devices, energy grids, digital services, waste management, critical product manufacturing and public administration in its scope.
The NIS2 Directive also aims to increase the cybersecurity requirements imposed on companies with new standards and reporting rules. This includes provisions for top management accountability for any non-compliance with the cybersecurity obligations and measures to increase the collective European cyber-resilience in both public and private sectors.
Why it matters: The original NIS Directive, while contributing to improving cybersecurity, left too many gaps and too much discretion to individual member states. Ambiguity in the law, a lack of accountability measures and fragmented implementation by member states were just some of the faults of the original NIS Directive. Gaps between national approaches lead to friction, act as a barrier to trade and eventually lead to more risk for businesses and individuals. This is why the NIS2 is so important to the cybersecurity community.
The NIS2 Directive comes with a broader scope
The NIS2 Directive significantly expands the current scope of application, which is of major importance. Growing interconnectedness, rapid digitisation and ubiquitous connectivity mean more sectors are becoming systemically important to defend from cyber risk than before.
The new rules add the following industries, in both the public and private sectors, to the Directive's scope.
- Providers of public electronic communications networks or services: In 2020 alone, the EU member states reported a total of 170 telecom security incidents resulting in 841 million lost user hours, which gathered support for the NIS2 Directive. Until now, European telecom operators notified “significant” security incidents to their national authorities, who would compile a report for the EU Cybersecurity Agency at the end of each year.
- Waste and water management: The nature of public water systems and their limited use of operational technology make them attractive to attackers, as attacks on them have the potential to harm the environment, economies and citizens. The inclusion of waste disposal and water management under the EU’s new Directive seems to be a wise precautionary measure.
- Manufacturers of certain critical products: The new directive sets out to cover the healthcare sector more broadly than before by including medical device and pharmaceutical manufacturers in its scope, though there are concerns that it might overlap existing medical device regulations.
- Food: The new cybersecurity obligations will now cover all medium to large-sized enterprises in the food distribution sector as a ‘critical’ sector.
- Digital services such as social networking platforms and data centres: Social media platforms will have to file incident reports, and if the company is based outside the EU it has to keep a representative in the EU to address grievances. Incident reporting rules also apply to domain name service providers and data banks.
- Space: The European Union Agency for Space Programme will also fall under the ambit of the Directive, as will its member agencies to a certain degree. The NIS2 Directive recommends that the EUASP have some influence over how satellite data management policies under the Directive will operate.
- Postal and courier services: Europeans’ increasing dependence on postal services during the pandemic has seen the EU cover its members’ postal and courier entities under its cybersecurity framework. Postal company servers contain sensitive information such as names, addresses and contact details, and may be an attractive target for threat actors.
- Standard rules for public administration websites: So far, individual member governments have maintained their own cybersecurity infrastructure, with the 2016 NIS recommendations serving as a standard but not a mandate; now all member states’ administration websites and servers need to abide by the same rules.
The NIS2 Directive’s redefinition of the original scope, which now covers “essential services” more clearly, means companies will be undertaking measures to increase their cyber resilience at a much larger scale across the continent.
What are the major changes in the NIS2 Directive?
The following are the three broad changes that the NIS2 wishes to implement in a synchronised, centralised manner across the European Union.
- Government accountability: Enhancing security governance and making senior executives in a business accountable for any cyber incidents the company may face is a major feature of the NIS2 Directives. It outlines that senior management needs to know security standards and oversee processes aligned to risk management practices, and be capable of managing that risk. “Cyber has to be a board-level and senior management issue, not delegated to technical teams,” Will Dixon, former EU cybersecurity advisor, wrote in his analysis of the NIS2, “Accountability will empower chief information security officers (CISOs), though it also comes with expectations that they can communicate effectively with senior management and be technical and business leaders.”
- Fines and sanctions: Increased fines and broadened sanctions are two measures that the NIS2 adopts to ensure that businesses comply with their obligations. The NIS2 mandates a more comprehensive set of powers to be conferred on “competent authorities”; should an organisation fail either to implement the recommendations of an EU security audit or to bring its security measures into line with NIS requirements, it can be penalised with administrative fines of up to €10 million or 2% of the entity’s total worldwide turnover (whichever is higher). Regulatory fines at this scale in other jurisdictions, notably in the US and UK, have driven stronger cybersecurity measures. For example, the penalties levied on Uber, Equifax and British Airways were all followed by marked improvements in their respective cyber resilience.
- Incident response mandate: As a measure to close the gaps in security incident reporting, the NIS2 Directive makes reporting “significant” incidents mandatory. The definition of what constitutes a “significant attack” on an entity has been clarified. It will no longer be a fixed metric (number of impacted users) but rather whether there was disruption to critical services, or financial or material loss. Also, the notification deadline has been reduced from 72 to 24 hours, and reporting will be to users of the services and potentially the public.
Taken together, these revisions seemingly incentivise greater responsibility for securing the cyber estate and provide greater transparency to all parties affected by a potential breach.
Why is the EU rolling out the NIS2 Directives?
The European Union had sought an open public consultation on the evaluation and impact assessment of the original NIS Directive in 2020, which turned up some gaps that the new Directive seeks to address.
- Fragmented implementation: The NIS1 Directive was implemented independently by member states because its rules were not defined to apply centrally. This fragmented the EU Single Market, which comprises all 27 member states and a few others as part of the European Economic Area, as companies are beholden to individual member states’ security rules. One of the top criticisms of the NIS1 Directive was the inconsistency in the ways member states draw up lists of operators of essential services (OESs) and digital service providers (DSPs). The NIS2 Directive notes that this fragmentation allowed companies to escape accountability, and the new Directive will look to centralise the cybersecurity rules to make companies answerable before the European Commission for any breach or attack they may have faced.
- Supply chain protection: The rising number of cyber attacks on supply chain networks is a major concern for the European Union, and the NIS2 Directive seeks to improve the situation by putting in place “harmonised” measures to “strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements.” A supply chain is the network between a company and its suppliers that produces and distributes a specific product to the final buyer. The Directive also seeks to define the relationship that the various links in the chain have with each other and, for the first time, will cover resilience measures for the information and communication technology supply chain.
- Improve collective capabilities: One of the weaknesses that the EU’s Agency for Cybersecurity (ENISA) found in its analysis of the first NIS Directive was that individual members had independent capabilities to respond to threats and therefore categorised them differently. This adversely impacted the EU’s collective cyber resilience. The new Directive seeks to improve the level of joint situational awareness and the collective capability to prepare and respond, by:
- taking measures to increase the level of trust between competent authorities
- sharing more information, and setting rules and procedures for the event of a large-scale incident or crisis
- Internet of Things: The Internet of Things (IoT) refers to the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. Put simply, it connects everyday appliances such as lighting, refrigerators or ovens to the owner’s phone. ENISA predicts that 22.3 billion IoT devices will be in use around the world by 2024, leading the NIS2 Directive to consider mandating resilience initiatives covering both the user’s control device and the individual IoT devices hooked up to it.
- 5G: The security of upcoming 5G networks is one of the key aspects of the NIS2. By the end of 2020, the European Council had begun the accelerated deployment of very high capacity and secure 5G network infrastructure, urging the member states to make full use of the 5G-specific cybersecurity toolbox in their operations. The toolbox identifies security risks related to 5G networks and the 5G supply chain at the EU level.
What is the current situation in Europe with NIS1?
The NIS1 Directive went into effect in August 2016, and all member states of the European Union were given 21 months to incorporate the directive’s regulations into their own national laws.
The aim of the NIS Directive was to create an overall higher level of cybersecurity. The Directive significantly affects digital service providers (DSPs) and operators of essential services (OESs). OESs are those organisations that engage in critical societal or economic activities and whose operations would be greatly affected in the case of a security breach. Both DSPs and OESs are now held accountable for reporting major security incidents to Computer Security Incident Response Teams (CSIRTs).
While DSPs are not held to regulations as stringent as those for operators of essential services, DSPs based outside the EU (but still operating there) face stiff regulations. Even if DSPs and OESs outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.
The member states of the EU are required to create an NIS Directive strategy, which includes the CSIRTs, in addition to national competent authorities and individual points of contact for each member state. These resources are given the responsibility of handling cybersecurity breaches in a way that minimises impact. In addition, all member states of the EU are “encouraged” to share cybersecurity information.
Security requirements include technical measures that manage the risks of cybersecurity breaches in a preventive manner. Both DSPs and OESs must provide information that allows for an in-depth assessment of their information systems and security policies. All significant incidents must be notified to the CSIRTs.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.