NIS2 implementation: who’s affected and how to prepare

NIS2 implementation: who’s affected and how to prepare

“To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU,” announced the European Parliament last February.

The result was the Network and Information Security 2 directive, officially known as Directive (EU) 2022/2555, or NIS2 for short. The goal? To boost EU-wide cybersecurity and resilience. The new legislation, which expands the scope of the cybersecurity rules to new sectors and entities, must be transposed by member states by October 17, 2024. But who’s affected by NIS2 and how? And what should affected entities do to make sure they tick all NIS2 compliance boxes?

Our next webinar will discuss the different aspects of NIS2 and what steps companies should take to prepare for compliance. Register below to save your spot.

What is NIS2? Key objectives and considerations

An evolution of its predecessor, the directive on security network and information systems or NIS, the EU’s NIS2 directive represents a significant step forward in strengthening cybersecurity across the European Union. It aims to address the burgeoning challenges and increasing sophistication of cyber threats that impact essential and digital services.

NIS2 broadens the scope compared to its predecessor, including a wider range of sectors considered vital for societal and economic well-being, such as energy, transport, banking, and digital infrastructure. NIS2 compliance ensures that both public and private entities in these sectors apply robust cybersecurity measures, promote incident reporting, and boost their overall resilience against cyber threats.

Notably, NIS2 emphasizes the importance of cross-border collaboration in cybersecurity, recognizing that cyber threats don’t respect national boundaries. By setting a common level of cybersecurity measures across member states, the directive facilitates a more coordinated and effective response to cyber incidents, thereby contributing to the collective security of the EU’s digital landscape.

NIS2 implementation timeline: what to do by when?

EU member states have until October 17, 2024 to transpose NIS2 into their national legislation. By April 17, 2025, they must identify essential and important entities under the new directive, which they can enable to register themselves. Therefore, explains EY, organizations will have to determine if their services fall within the scope of NIS2, identify the member states where they provide “in-scope” services, and register by the deadline in each one.

Does the EU’s NIS2 directive apply to my organization?

The NIS2 directive specifically targets operators of essential services (OES) and digital service providers (DSPs), including sectors not covered under the original directive. The new legislation classifies these into two categories: essential and important entities, broadening its applicability to include more sectors like postal and courier services, waste water, public administration, and space.

According to the EU’s February 2023 briefing, essential entities under the NIS2 directive include businesses in the following sectors and subsectors:

  • energy (electricity, district heating and cooling, oil and gas)
  • transport (air, rail, water, and road)
  • banking
  • financial market infrastructures
  • health
  • manufacture of pharmaceutical products including vaccines
  • drinking water
  • waste water

digital infrastructure (internet exchange points; DNS providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; and public electronic communications networks and electronic communications services)

  • public administration
  • space

Businesses operating in the following sectors and subsectors fall into the category of important entities:

  • postal and courier services
  • waste management
  • chemicals
  • food
  • manufacturing of medical devices, computers and electronics, machinery equipment, motor vehicles
  • digital providers (online marketplaces, online search engines, and social networking service platforms)

Another thing to remember is that NIS2’s scope encompasses medium-sized and large companies within the covered sectors, ensuring that a larger portion of the EU’s critical infrastructure is protected against cyber threats. It also introduces stricter supervisory measures for national authorities, enhanced enforcement requirements, and imposes heftier fines for non-compliance.

What does the NIS2 directive entail? An 8-point summary of NIS2 requirements

1. Implement cryptography and encryption techniques to safeguard your data

Encryption transforms data into a format unreadable to unauthorized individuals, a common practice among digital platforms to protect user information. However, the encryption standards employed by companies can vary greatly. To comply with NIS2, organizations must ensure their workplace encryption methods offer a robust defense against cyber threats and breaches.

2. Make sure that good data protection practices run through the entire supply chain

Even with the most advanced cybersecurity tools and protocols within your walls, vulnerabilities can arise when sharing data with suppliers or contractors. Responsible businesses consider cybersecurity in their partnership choices and check if the tools used for collaboration with external entities, such as file-sharing platforms or email systems, safeguard digital assets effectively.

3. Prep your organization for cybersecurity events, whether breach or mistake

No organization wants to deal with a data leak, but preparedness is key. Devise a comprehensive playbook for how to deal with such incidents, whether accidental or malicious, and switch to a high-security cloud solution. This ensures that only essential personnel, relevant authorities, and cybersecurity incident response teams have access to sensitive information in the event of a breach.

4. Ensure that your work can continue even in the worst-case scenario

Threats to business continuity can be devastating to any firm, but in the case of those managing critical resources like water supply and healthcare, the outcome can leave the broader community reeling. To enhance disaster recovery and backup management, consider adopting cloud-based storage solutions with backup files readily accessible 24/7 from virtually anywhere.

5. Organizations should be prepared to share information on vulnerabilities

At the heart of NIS2 is information sharing. While it’s crucial for organizations to collaborate in reducing cyber risks, sharing details about system vulnerabilities is not something you want to do without the highest level of security possible. Encrypting data prior to transmission, a feature that many security-focused collaboration platforms are equipped with, can be a powerful tool to achieve just that.

6. Prioritize cyber hygiene and enforce practices to maintain it rigorously

Cybersecurity is a collective duty. It’s vital that every member of an organization receives fundamental training in spotting and mitigating cyber threats, with periodic updates to this knowledge. Just as importantly, make sure that cybersecurity software and systems are user-friendly. The more complicated a tool or platform, the more likely employees are to bypass it – and switch to an unsecured alternative.

7. Implement robust access control and asset management policies

Integrating access control with asset management is crucial for organizational security. A company committed to strong asset management will maintain an accurate inventory of its hardware and software tools. Effective access control ensures that the organization also knows exactly who has access to these assets, safeguarding sensitive data, files, or devices from unauthorized access.

8. Draw up a comprehensive IT security maintenance strategy

Cyber threats are constantly changing and evolving. Luckily, so is cybersecurity. But the only way organizations can get any real benefit from these improvements is through a properly maintained IT infrastructure. Before choosing a new piece of software or digital platform to incorporate into your daily office workflow, make sure to check if it is still regularly updated with new patches and releases.

How does NIS2 tie in with the Critical Entities Resilience Directive?

Both the NIS2 directive and the Critical Entities Resilience Directive, or CER for short, are key to the European Union’s strategy to bolster the overall security and resilience of its critical infrastructures. While NIS2 amplifies the measures needed for cybersecurity across essential service operators and digital service providers, CER expands this scope by encompassing not only cybersecurity but also physical security and resilience against a variety of threats.

NIS2 sets the cybersecurity baseline, requiring entities within critical sectors to adopt strict security practices and report major cyber incidents. The CER directive builds upon this groundwork by identifying “critical entities” that, due to their significance in society, must not only secure their cyber front but also their physical premises against disruptions such as natural disasters, terrorism, or other forms of attack. This ensures a holistic security posture, acknowledging that breaches in physical security can have as detrimental an impact on service continuity as cyber attacks.

By mandating risk assessments, both CER and NIS2 advocate for a thorough evaluation of vulnerabilities that could be exploited through either cyber or physical means. Covered entities are required to develop, refine, and update their resilience plans, ensuring ongoing vigilance against emerging threats. The periodic risk assessments demanded by CER align with NIS2’s call for continuous improvement in cybersecurity practices, encouraging entities to remain agile and responsive to the evolving security landscape and enabling swift recovery should an adverse event occur.

How does NIS2 and the Digital Operational Resilience Act interplay?

The integration of the NIS2 directive within the wider regulatory framework of the Digital Operational Resilience Act (DORA) for the financial sector is testament to the EU’s comprehensive approach to ensuring that its financial system can withstand and recover from cyber and operational attacks.

The DORA regulation covers financial sector players such as banks, insurance companies, and investment firms, emphasizing the necessity for these organizations to enhance their ability to anticipate, withstand, respond to, and recover from operational disruptions.

NIS2’s emphasis on cybersecurity and resilience of critical infrastructure sectors complements DORA’s objectives by extending the resilience framework to a broader spectrum of essential services.

Both DORA and NIS2 call for rigorous risk management processes, including performing regular risk assessments, testing incident response plans, as well as investing in continuous technological and procedural improvements to safeguard against the evolving threat landscape.

The synergy between NIS2 and DORA also facilitates a robust information-sharing network among critical sectors, promoting a culture of transparency and cooperation in threat intelligence. This network is vital for identifying, mitigating, and responding to cyber threats that could have systemic impacts.

How Tresorit can help you ensure NIS2 compliance – and keep cloud collaboration productive

A zero-knowledge, end-to-end encrypted document productivity and digital trust platform, Tresorit empowers you to:

Protect users and assets in the cloud with E2E encryption

  • Every file and relevant metadata on our users’ devices are encrypted with randomly generated encryption keys. Accessing files is only possible with a user’s unique decryption key that no one else, not even Tresorit, has knowledge of. Meaning that even if our servers were breached, no one would be able to read their contents.

Keep access secure and limited

  • Monitor and decide which devices are allowed to access which files and from where users are allowed to log in to their company account to safeguard business-critical information. Manage files and tresors at a granular level to ensure they’re only accessible to those who need them and limit downloads or revoke access at any time.

Stay in control of what happens to your data

  • Implement data protection measures, including controlling who has access to what data, logging file activities, and creating internal security policies for data management. No file content can be modified without your knowledge, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.

Set up and enforce enterprise security policies in one place

  • Make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes. Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies. Create and modify different policies for each template at any moment through a unified interface.

Encrypt attachments automatically in Gmail and Outlook

  • Empower your teams to work efficiently and send encrypted emails by integrating Tresorit with Google Workspace or Azure Active Directory and Office 365. The add-ins offer a fast and easy way for users to replace risky email attachments with encrypted share links and password-protected files using their existing email addresses.

Would you like to learn more about NIS2? In our upcoming webinar, Koen Verbeke, CTO of Cranium and Turul Balogh, our Group Information Security and Data Protection Officer will delve into the key elements of NIS2 and explore its far-reaching impact on organizations. They will provide a comprehensive overview of the Directive and highlight the steps organizations need to take to achieve compliance.

What you will learn:

  • Understanding of the core objectives and requirements of NIS2, and which sectors and types of organizations are affected
  • What steps to take to assess and enhance your organization's cybersecurity posture, together with best practices for implementing NIS2 compliance measures
  • How to prepare for audits and reporting obligations under NIS2 and what role your management and staff will play in maintaining compliance

The free webinar is open to all and will be taking place online on September 12 2024 at 15:00 CET. There’ll also be a special Q&A session for any queries, questions, or concerns that you may have.