The NIS2 Directive: Are you ready to raise the bar on cyber resilience?
Cybersecurity must be a collective effort to successfully defend against sophisticated cyber-attacks. Modern technology networks are hyperconnected, so an attack originating in one area can quickly impact another area severely — whether that area is in a different company, industry or even country. The need to develop a collective strategy is even more urgent when the networks that countries rely on to deliver critical national infrastructure services are targeted by nation-state actors wishing to cause disruption. These essential services can include health, finance, water, transport and even government itself.
This urgency was brought into stark focus by the recent U.S. Government announcement that the Chinese hacker group Volt Typhoon had been infiltrating the IT environments of its transport and water systems for the past five years before being detected. The statement, co-signed by national cybersecurity agencies in Britain, Canada, Australia and New Zealand, emphasised the risk of disruptive attacks launched from within compromised networks. Protecting against such widespread and high-impact attacks will only be successful if all parts of the network are covered, and that requires a collaborative approach.
In the UK, the Law Society recently provided guidance to law firms after a service provider of managed IT services for law firms and the professional services industry experienced a cyberattack that purportedly resulted in the disruption of up to 80 law firms, with many left unable to access case files.
Examples like this provide the rationale behind the EU’s Network and Information Security (NIS2) Directive, which is set to be transposed into national law in every EU country by October 2024. NIS2 provides a list of security risk-management measures that essential and important entities should implement to protect network and information systems and seeks to achieve a higher common level of cybersecurity and cyber resilience across the EU. The aim is to increase collective preparedness, improve the ability of organisations to withstand and recover more quickly from cybersecurity incidents and generally raise cybersecurity standards in key industries and their supply chains across Europe. Prescribing and enforcing minimum levels of cybersecurity performance for in-scope organisations will lessen the likelihood of cyberattacks disrupting citizens, societies and economies, minimise the impact of the attacks that do happen and empower collective incident responses.
As the name implies, this isn’t the first attempt to collectively improve cybersecurity standards. This iteration addresses some of the shortcomings of the earlier directive and increases the number of organisations and sectors covered. It provides for greater harmonisation and international cooperation and is more prescriptive on the timeframes and content that must be included in incident reporting.
NIS2 will impact governance, risk and compliance practices for essential and important entities across 18 sectors, divided between Sectors of High Criticality and Other Critical Sectors. Examples include energy, transport, health, drinking water and waste management, digital infrastructure, ICT service management, postal and courier services, production, processing and distribution of food, manufacturing and digital providers.
Crucially, NIS2 also:
- Creates governance and accountability for effective cybersecurity strategy and oversight at the highest leadership levels. Management bodies are assigned an active role and will have the responsibility to approve the cybersecurity risk-management measures taken by their organisations and to oversee implementation. A failure to ensure compliance can result in individuals being found liable for breach of their duties. Sanctions include temporarily prohibiting a person who is responsible for discharging managerial responsibilities at the CEO or legal representative level from exercising their managerial functions.
- Requires organisations to address cybersecurity weaknesses in their supply chain. This inclusion of security-related requirements between each organisation and its direct suppliers or service providers will ensure a top-down contractually driven effect that impacts an entire ecosystem of suppliers supporting the estimated 160,000 essential and important entities that are directly in scope of NIS2. Direct suppliers or service providers should also ready themselves for these contractual obligations.
- Has extraterritorial application for certain entities that are not established in the EU but offer services within the EU. These include DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms. Further, direct suppliers that are not established inside the EU, such as UK businesses, but which supply European essential or important entities, will need to satisfy those customers that they are operating to NIS2 standards.
- Establishes reporting obligations for essential and important entities for significant cybersecurity incidents. These organisations will be required to provide the government’s Computer Security Incident Response Team (CSIRT) or competent authority with an early warning within 24 hours, an incident notification within 72 hours, status updates on request, and a final report within 30 days of the incident notification.
What are the penalties for NIS2 failures?
Organisations that fail to comply with NIS2 face a range of penalties including:
- Fines of up to €10 million or a maximum of 2% of global turnover for essential entities and €7 million or up to 1.4% of global turnover for important entities.
- Responsible persons (such as CEOs or legal representatives) in essential entities may be temporarily prohibited from exercising managerial functions in that entity if it is not in compliance.
- Responsible persons in essential or important entities may be held liable for breaching their duties to ensure compliance with NIS2.
- Being publicly named, or being made subject to binding instructions requiring the entity to remedy infringements.
- Being forced to notify customers or service recipients of the nature and severity of risk as a result of compliance failings.
Raising the bar on cyber resilience
Complying with the NIS2 Directive, therefore, requires organisations to ensure they have good visibility over cybersecurity performance, with effective controls and monitoring to deliver the assurance needed by senior leaders.
From a governance perspective, this regulation also requires that the members of management bodies of essential and important entities receive NIS2 training so they can identify and prioritise cybersecurity risks, and that they are sufficiently experienced in that area to discharge their risk-management duty effectively.
Beyond the immediate organisation, enhanced levels of third-party risk management will be essential to identify and manage cybersecurity risk among key companies in the supply chain and ensure that the supply chain has implemented appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems.
If you want more information on NIS2 and how to comply, look no further. Download our white paper and NIS2 checklist today for deep insights and expert advice.
How can Diligent help?
Meeting the diverse requirements of the NIS2 Directive will entail a unified approach to governance, risk and compliance. Organisations will need visibility across the different areas of cybersecurity risk and third-party risk to deliver the assurance needed by management bodies.
The Diligent One Platform can help deliver that assurance. Diligent offers integrated tools covering internal controls, enterprise and third-party risk and compliance, which support risk practitioners and management bodies by offering a single source of truth. This data is vital for accurate decision-making, planning and quick action when a significant cybersecurity incident occurs.
We have also created a NIS2 Compliance Toolkit to elevate your IT compliance while saving time and conserving resources. This toolkit will help you to build and maintain a brand your customers trust by demonstrating an informed commitment to robust NIS2 compliance and information security.
Our NIS2 Compliance Toolkit maps the cybersecurity risk-management measures and obligations mandated by NIS2 for essential and important entities and their supply chains against a set of cybersecurity controls based on international standards and best practices.
Speak to an expert to learn how you can enhance your NIS2 compliance with Diligent.