The NIS2 Directive is the new EU-wide legislation on cyber security. Moving forward on the cyber security rules introduced by the EU in 2016, the NIS2 Directive provides legal measures to bring the readiness and skills to prepare for and mitigate cyber threats in the EU to the next level, starting in 2023. We’ll discuss whom the NIS2 applies to, and how CybExer Technologies can help your organization to welcome NIS2 ready and prepared.
Introduction
The NIS2 Directive (Directive on Measures for a High Common Level of Cybersecurity across the Union in the language of Brussels bureaucracy) is a EU-wide legislation on enhancing cyber security in the Member States. NIS2 has started to resonate in the cyber security community and market, and will do so at least until its implementation deadline in two years’ time, and most likely beyond.
The main aim of NIS2 is to provide additional legal measures to boost the overall level of cyber security in the EU and so to make the Union more cyber resilient in general.
Since the NIS2 Directive already came into force in 2023, it is the high time to start getting ready for its implementation and plan accordingly.
NIS2: Why should you care and what is the timeline?
The new Directive is a reformed version of the original NIS Directive, the first one on cyber security which came into effect on the EU level in 2016. Since then, the EU policy-makers have spotted a number of flaws in the legislation, and the need was identified for an updated version which would bring more clarity into certain issues. The NIS2 was born.
The new cyber security Directive modernises the existing legal framework to keep up with the ever-changing cyber threat landscape and to address the impact of the increased digitalization.
It does so by expanding the minimum cyber security standards and requirements to new entities and sectors, and further improving the cyber resilience and incident response capabilities of private and public entities, authorities and the EU overall.
The NIS2 Directive was adopted by the European Council on 28th November 2022 and published in the Official Journal of the EU on 27th December 2022. Starting from the NIS2 Directive coming into force, the EU Member States have 21 months during which they must incorporate the provisions of the NIS2 Directive into their national legal framework. In other words, the Member States must adopt and publish the measures necessary to comply with NIS2 by September 2024 when the Directive takes effect.
In February 2023 this might seem like lot of time, yet the opposite is true. The NIS2 is very complex and sets significantly higher standards of cyber security for the involved entities than before. Now is the best time to start with planning its implementation.
What are the key requirements which the NIS2 Directive imposes?
- Expanded scope: NIS2 applies to a broader scope of sectors and entities than those covered by the current NIS Directive, including to “essential” and “important” entities in relevant sectors, as described below.
- Cybersecurity risk management measures: NIS2 requires entities to implement certain cybersecurity risk management policies, including risk analysis and incident response; encryption and cryptography; vulnerability disclosure; cybersecurity training and ICT supply chain security.
- Incident reporting: NIS2 imposes an initial notification obligation within 24 hours of becoming aware of certain incidents, a second notification within 72 hours, and a final report within 1 month.
- “Management body” oversight: NIS2 imposes direct obligations on management bodies to approve and supervise the implementation of the cybersecurity risk management measures. Members of the management bodies must undergo regular training on cybersecurity risks and assessing risk management practices.
- Enforcement: national authorities are granted enforcement powers that include suspension of the entity’s authorization to operate, publication of the noncompliance, imposing personal liability on members of the management bodies, and administrative fines of up to EUR 10M or 2% of total worldwide turnover, whichever is higher.
Does it apply to you?
The NIS2 Directive applies the cap-size rule which means that all medium-sized and large entities providing services or operating within the sectors specified in the Directive fall within the scope. Smaller entities with a high-risk profile can be identified and determined by the Member States.
NIS2 however does not cover entities engaged in activities in the areas like law enforcement or defence and national security. Similarly, parliaments, central banks and judiciary are excluded from the Directive’s scope.
The entities to which NIS2 applies are divided into essential entities (as defined in Annex I) and important entities (defined in Annex II).
The “essential” category covers entities in key sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, ICT-sector management, certain public administration entities and space. The “important” category includes sectors such as postal services, waste management, food production, production and distribution of chemicals or digital providers and research.
The European Commission’s impact assessment estimates that the number of companies in the scope of NIS2 is roughly 110,000 across the entire EU.
If we take into account entities coming from the 3rd countries but closely connected with the EU’s single digital market which will also be obliged to comply to a certain degree, the number will grow significantly more.
How can CybExer Technologies help you with the NIS2 implementation?
The ultimate goal of NIS2 is to make the EU and its Member States more cyber resilient and safe. That is the reason why the Directive, among other things, puts special emphasis on the enhancement of cyber trainings and exercises across the EU.
CybExer Technologies is an expert in cyber range technology and cyber security trainings and exercises. We stand ready to help you understand the current cyber threat landscape, your organization’s skills gap and upskill your and your employees’ knowledge on cyber security matters regularly in preparation for the NIS2 implementation. Book a meeting with us to find out more about how your organization can use our cyber range as a service or what exercises and trainings we can organize for you and your employees.