What is NIS2 – And What Does it Mean for your Business?

The Network and Information Systems Directive (NIS2) is a European Union directive designed to copper-fasten cybersecurity efforts across all member states. It aims to enhance the security of network and information systems so that businesses are better prepared to handle cyber threats. By mid-October, European states are expected to have transposed NIS2 into national law, making its provisions mandatory for businesses that fall within its scope. 

NIS2 is the second iteration of the 2016 NIS Directive, which put in place measures for a common cybersecurity framework across the EU’s 27 member states. That directive obliged certain sectors to maintain common cybersecurity standards to protect their systems and data from attack. The updated NIS2 framework is far more extensive, and seeks to bolster EU cybersecurity infrastructure in the face of a rapidly growing range of threats, from criminal gangs to hostile state actors. Richard Browne, the head of Ireland’s National Cyber Security Centre, has admitted that under the terms of NIS2 many businesses will find it a challenge to become fully compliant, and that either way, compliance will take time. 

So what exactly does the NIS2 consist of, and what does it mean for your business? 


What are your Obligations under NIS2? 

There are four key pillars under NIS2, detailing the obligations of organisations under the new European legislation. These consist of Cybersecurity and Risk Management; Incident Reporting; Supervision, Enforcement, and Penalties; and Increased Liability of Management Bodies. 

Cybersecurity and Risk Management 

Under the terms of NIS2, organisations in scope are mandated to take ‘appropriate and proportional technical, operational and organisational measures’ to ensure they meet minimum standards of security for their digital systems and data. These measures include, but are not limited to (depending on organisation size, scope and the sensitivity of the sector in which they operate): 

  • Policies on risk analysis and information system security 
  • Incident handling protocols and procedures 
  • Business continuity plans, such as backup management and disaster recovery, and crisis management 
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers 
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure 
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures 
  • Basic cyber hygiene practices and cybersecurity training 
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption 
  • Human resources security, access control policies and asset management 
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate 

The exact specifications under each point have not yet been codified in European or Irish law at the time of writing, and are expected to be detailed further once transposition is complete. 

Incident Reporting Requirements 

Under NIS2, organisations will be mandated to formally report incidents that have an impact on the normal provision of their services. An incident is defined in the legislation as ‘an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.’ This covers events that significantly disrupt operations, or impose a financial loss on the organisation. 

Incident reports follow a templated timeline, to help guide organisations in how to formulate their reporting: 

  • Early warning report within 24 hours of the incident taking place. This report should detail if the incident was caused by malicious activity; if the incident has a cross-border impact; and if the organisation requires assistance. 
  • Incident notification within 72 hours of the event. This should update on the initial report, including details on the severity of the incident, its expected impact and indicators of compromise where applicable. 
  • Final report within one month of the incident. This should outline the severity and impact of the event, along with the type of threat or suspected root cause, what mitigation measures have been taken, and any cross-border implications. If the event is still ongoing, a progress report is expected within this timeframe instead, with the final report due within one month of the incident being handled. 

Reporting structures under NIS2 will operate in parallel with existing obligations under other EU-wide directives, most notably GDPR. 

Supervision, Enforcement, and Penalties 

NIS2 empowers state regulatory bodies to monitor and enforce compliance with the directive on a national level. The exact shape of the regulatory environment will vary from state to state as NIS2 is transposed into national law, but the responsibilities and duties of these bodies ultimately remain the same. 

Compliance measures that can be imposed on organisations differ depending on whether that organisation is classified as an Essential entity under the legislation or an Important entity. The differentiation exists to maintain a fair burden of regulation on businesses which fall on the fringes of NIS2’s scope. 

Under NIS2, regulators on a national level will be empowered to: 

  • Issue formal warnings for NIS2 non-compliance 
  • Issue binding instructions 
  • Order entities to cease conduct that is deemed non-compliant 
  • Order entities to bring their risk management or reporting obligations up to standard, or to comply in a specified manner, within a specified period 
  • Order entities to submit proper notice to stakeholders whose activities with that entity are subject to a cybersecurity threat 
  • Order entities to implement the recommendations provided as a result of a security audit within a reasonable deadline 
  • Designate a monitoring officer with well-defined tasks over a determined period of time to oversee the compliance 
  • Order entities to make aspects of non-compliance public 
  • Levy administrative fines on entities: 
      ◦ For Essential entities, these fines can reach up to €10 million, or 2% of global annual turnover, whichever is higher 
      ◦ For Important entities, these fines can reach up to €7 million, or 1.4% of global annual turnover, whichever is higher 

And, additionally, for Essential entities only: 

  • Suspend an entity’s certification or authorisation concerning the service, if the deadline for taking action is not met 
  • Temporarily prohibit those responsible for discharging managerial responsibilities at Chief Executive Officer or legal representative level from exercising managerial functions 

Liability of Management Bodies 

Under NIS2, responsibility for cybersecurity compliance now extends to the management team, and is no longer the sole purview of the IT department in a given organisation. The directive outlines the new responsibilities placed on management teams to ensure their organisations are compliant within the NIS2 framework. 

These responsibilities include: 

  • Approve the adequacy of the cybersecurity risk management measures undertaken by their organisation 
  • Supervise the implementation of the risk management measures outlined under NIS2 
  • Undergo training in order to get up to speed on necessary knowledge and skills to be able to identify risks and assess cybersecurity risk management practices and their impact on the services provided by their organisation 
  • Offer similar training to their employees on a regular basis 
  • Bear ultimate responsibility for non-compliance with NIS2 


Who does NIS2 Apply to? 

NIS2 makes a distinction, as noted, between entities considered Essential and those merely considered Important. This not only keeps businesses on the edge of NIS2’s scope from being overly burdened with red tape, but also lets regulators manage their resources better and prioritise threats as they are identified. In general terms, organisations labelled Essential are subject to proactive supervision, whereas Important organisations are only subject to supervision after they have reported an incident. 

A business’ status under this dual label system is defined not only by the sector in which it operates, but by its relative size as well. This ensures that smaller businesses, even those operating in sensitive areas, are not unduly burdened by the regulatory framework. 

The breakdown of how NIS2 applies is as follows: 

Highly Critical Sectors 

Large entities (>250 employees and an annual turnover equal to or above €50 million) in this category are classified as Essential. Most medium-sized entities (50 – 250 employees and an annual turnover equal to or above €10 million) are classified as Important. 

  • Energy 
      ◦ Oil, gas, electricity, charging providers 
  • Transport 
      ◦ Air, rail, water, road 
  • Banking 
  • Financial market infrastructure 
  • Health 
  • Drinking water 
      ◦ Supply and distribution 
  • Waste water 
      ◦ If an essential part of general activity 
  • Digital infrastructure 
  • ICT service management 
      ◦ Business to business 
  • Public administration 
      ◦ Central and regional governments 
  • Space 
      ◦ Ground-based infrastructure 

Other Critical Sectors 

All entities within this category, except small and microenterprises, are classified as Important for regulatory purposes. 

  • Postal and courier services 
  • Waste management 
      ◦ If principal economic activity 
  • Chemicals 
      ◦ Manufacturing, production and distribution 
  • Food 
      ◦ Industrial production, processing and wholesale distribution 
  • Manufacturing 
      ◦ Medical devices, computers, electronic and optical products, etc. 
  • Digital providers 
      ◦ Online marketplaces, social network platforms, search engines, etc. 
  • Research organisations 
  • Domain name registration services 
      ◦ These are not subject to NIS2 as a whole, but only to certain articles of the directive 


The regulatory burden on businesses as a result of NIS2 promises to be considerable. The good news for businesses looking to bring their cybersecurity infrastructure up to the compliance standard is that, while the EU deadline for national transposition of NIS2 into law is October 17th, most European jurisdictions, including Ireland, are anticipated to miss this deadline. This will give businesses more time to get ready before they fall under the supervisory framework outlined in the directive. 
