
What is the NIS2 Directive and What is it for?


Cybersecurity has become an imperative priority for all organizations. The entry into force of the NIS2 Directive in January 2023 has marked a new horizon in the protection of critical infrastructures within the European Union. This new regulation not only raises the bar for security but also expands its scope to a wide range of sectors.

The NIS2 Directive (Directive (EU) 2022/2555) is a regulation of the European Parliament and the Council that seeks to ensure a high level of cybersecurity across the European Union. It is built on three fundamental pillars: cybersecurity controls, risk management, and governance and cooperation. From implementing policies and procedures to continuous monitoring and incident management, NIS2 provides a comprehensive framework to safeguard digital operations.

When does NIS2 come into effect?

It came into force in January 2023, marking the start of the transposition period by Member States. They have until October 17, 2024 to incorporate it into their national legislation and until January 2025 to communicate the applicable sanctioning regime to the European Commission. By 2025, it will be determined which entities are considered essential and important, and in 2027, the Commission will review the Directive’s functioning and report on it to the Parliament and the Council.

What Organizations are affected?

The Directive affects essential entities based on their critical infrastructure, differentiating high-criticality sectors such as:

  • Energy.
  • Banking.
  • Financial.
  • Transportation.
  • Healthcare.
  • Digital infrastructure.
  • Potable water and wastewater.
  • ICT service management (B2B).
  • Public administration is also part of this group, although the judiciary, parliaments, and central banks are excluded.

Additionally, other critical sectors are affected, including:

  • Research
  • Chemicals
  • Food
  • Postal services
  • Digital providers
  • Waste management

These sectors, while not marked as high-criticality, are also essential for the sustainability and security of key infrastructures and services in a national and European context.

What are essential and important entities?

The Directive identifies two types of entities: “Essential Entities” and “Important Entities.” Essential entities include those from high-criticality sectors that exceed the maximum thresholds, as well as qualified trust service providers, top-level domain name registries, and DNS service providers, regardless of their size. They also include public electronic communications network providers or public communication service providers considered medium-sized enterprises, public administration entities, any other entity belonging to other critical sectors identified by the Member State as an essential entity, critical entities identified by the CER Directive, and, where applicable, operators of essential services identified under the previous NIS Directive.

“Important Entities” are those that, while not in high-criticality sectors, are vital to the economy and society.

Key Aspects of NIS2

Governance and Accountability

The NIS2 Directive requires EU Member States to ensure that the governing bodies of organizations not only approve but also oversee the implementation of cybersecurity risk management measures. These governing bodies can be held accountable for violations as outlined in Article 21 of the Directive. It is imperative that these bodies stay updated on cybersecurity training, passing this knowledge on to their employees.

Security Requirements

Article 21 of the Directive mandates that entities adopt a strategic and holistic approach to cybersecurity risk management. Key points include:

  • Developing information security policies and risk assessments.
  • Implementing a comprehensive incident management process.
  • Ensuring operational continuity and backup management.
  • Strengthening supply chain security.
  • Managing security in the acquisition, development, and maintenance of systems.
  • Evaluating the effectiveness of cybersecurity risk management measures.
  • Maintaining basic cyber hygiene practices and security training.
  • Using cryptography and encryption as protective measures.
  • Implementing access control policies and asset management.
  • Adopting multi-factor or continuous authentication solutions.

Mechanisms for Cybersecurity Information Exchange

Article 29 outlines mechanisms for information exchange and the circumstances in which entities subject to the Directive must share information. The primary goal is to prevent, detect, or respond to incidents, recover from them, or reduce their impact, thereby enhancing the cybersecurity level of the entities involved.

Incident Notification

Article 23 stipulates that Member States must ensure that essential and important entities notify their reference CSIRT or the competent authority of any incident that significantly impacts their service delivery. The incident reporting process is divided into four phases: incident detection, initial notification, intermediate notification, and final notification.

Role of Competent Authorities

Competent authorities play a crucial role in ensuring cybersecurity across the EU, conducting thorough inspections, specialized audits, and remote monitoring. They can impose administrative sanctions on governing bodies and suspend the operations of an essential entity if necessary.

Sanctioning Regime

Member States have until January 17, 2025, to communicate their respective sanctioning regimes to the EU. The financial penalties for non-compliant organizations are significant:

  • Essential entities: up to €10,000,000 or 2% of the previous year’s global annual turnover.
  • Important entities: up to €7,000,000 or 1.4% of the previous year’s global annual turnover.

Relationship between NIS2, ISO 27001, DORA and PIC/CER

The NIS2 Directive is complemented by several other frameworks and regulations that together provide a comprehensive approach to cybersecurity and operational resilience. Some of the key relationships are detailed below:

  1. ISO 27001:
    • Information Security Management: ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and improving an information security management system (ISMS). NIS2 complements ISO 27001 by providing a broader regulatory framework that includes risk management and incident notification at EU level.
    • Policies and Procedures: Both regulations require organizations to develop and maintain information security policies and procedures, although NIS2 has a more specific focus on certain critical sectors and on mandatory incident notification.
  2. DORA (Digital Operational Resilience Act):
    • Digital Operational Resilience: DORA, which applies mainly to financial entities, establishes operational resilience requirements that are consistent with the demands of NIS2. Both regulations seek to ensure that entities can withstand and recover from disruptive incidents.
    • Assessment and Testing: Both DORA and NIS2 emphasize the importance of continuous assessment and regular testing of security and resilience systems, including penetration testing and incident simulation exercises.
  3. CER Directive (Critical Entities Resilience):
    • Protection of Critical Infrastructures: The CER Directive focuses on the resilience of critical entities against a wide range of threats, including cyber threats. NIS2 and CER are aligned in their goal of protecting critical infrastructures, although NIS2 has a more cybersecurity-centred focus.
    • Cooperation and Governance: Both directives highlight the need for effective cooperation and governance between Member States and critical entities to improve security and resilience at European level.

GlobalSuite Coverage of NIS2

GlobalSuite Solutions offers comprehensive coverage to help you comply with the requirements of the NIS2 Directive. Our solutions include:

  • Risk management framework
  • Incident management, classification, and reporting processes
  • Digital operational resilience program
  • Penetration testing procedures guided by threat intelligence
  • System deployment of ICT security tools, policies, and procedures
  • Business continuity and recovery policies
  • System for learning from and evaluating vulnerabilities, incidents, and cyberattacks
  • Drafting of policies and regulations / Risk analysis and management: GDPR, ENS, NIS2, ISO 27001/ISO 22301, DORA
  • Data Protection Laws and Relations with Public and Supervisory Bodies

Leverage GlobalSuite’s Expertise to Comply with NIS2

At GlobalSuite Solutions, we are ready to help you comprehensively comply with the NIS2 Directive. Our suite of tools and services is designed to address each NIS2 requirement, from risk management to incident reporting and operational continuity. Schedule a one-on-one call with our experts to learn how our solutions can be tailored to your organization’s specific needs and ensure regulatory compliance efficiently and effectively. Transforming your cybersecurity approach has never been easier with GlobalSuite Solutions’ help.