The NIS2 Directive: Everything to Know About NIS2

The increasing rise of cybersecurity incidents led the European Union (EU) to take a hard look at industries and suppliers that, if compromised, could potentially be detrimental. Industries such as energy, transport, and finance, were preeminent concerns when the leaders of the EU met in 2016 to create cybersecurity legislation for all critical suppliers across the EU. With the goal of improving the supplier’s cybersecurity resilience, the initial NIS initiative was born.

When was the NIS Directive introduced?

In 2016, the NIS Directive was introduced by the EU to strengthen the existing legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape. NIS did this by expanding the scope of cybersecurity rules to new sectors and entities, improving resilience and incident response capacities of public and private entities, and set common rules around cybersecurity to boost the overall level of cybersecurity across the EU.

In the years since, it became apparent that the original legislation had some shortfalls that needed to be looked at and expanded on.

The NIS2 Directive

The initial NIS Directive left many EU member states interpreting the directive differently, leaving gaps in security and challenging the original intent of the directive. NIS2 is an update to the original NIS EU cybersecurity directive that resolves these gaps by mandating what cybersecurity practices are important and what essential suppliers must have in place by 2024, as well as how breaches must be reported to the European authorities.

What is the purpose of the NIS2 Directive?

The COVID-19 crisis and the rapid digital transformation that stemmed from it, along with growing threats due to digitalization and interconnectedness, forced the EU to revisit the original NIS Directive, analyze the impact, and identify the deficiencies created by this new digital era.

What the commission found was the following deficiencies from the previous NIS Directive:

• insufficient cyber resilience levels of businesses operating in the EU
• inconsistent resilience across member states and sectors
• insufficient common understanding of the main threats and challenges among EU
• lack of joint crisis response

The NIS2 Directive expands the baseline for cybersecurity risk management measures and reporting obligations across the EU in initial sectors including energy and transportation. The new NIS2 includes health and digital infrastructure. It expands rules for a regulatory framework and lays down mechanisms for effective cooperation across the EU. It also updates the list of sectors and activities subject to cybersecurity obligations and provides remedies and sanctions to ensure enforcement.

When does NIS2 go into effect?

This past November the Council adopted the NIS2 Directive and published the new directive December 2022 officially replacing and repealing the NIS Directive (Directive 2016/1148/EC). Member states must incorporate the provisions of the NIS2 Directive into national law in 21 months (about 2 years) from the entry into force of the directive.

Who does NIS2 apply to?

NIS2 applies to all companies, suppliers, and organizations (referred to as “entities”) that deliver essential or important services for the European economy and society. If you fit within one of the categories listed below, then NIS2 applies to you.

Examples of “Essential Entities” (EE) include:

• transport
• energy
• banking
• health
• water
• public administration
• managed service provider

Examples of “Important Entities” (IE) include:

• postal and courier services
• waste management
• chemical production and processing
• food
• manufacturing of medical devices
• digital providers (search engines, social networking platforms, etc.)

NIS2 also applies to suppliers outside the EU if they provide essential or important services to the European economy and society.

NIS2 will likely not apply to entities with less than 50 employees or 10 million in annual revenue unless they have a critical role in the EU’s economy or society.

NIS2 holds management accountable for the following:

• ensuring that cybersecurity risk assessments are carried out;
• implementing technical and organizational security measures;
• staying on top of cybersecurity through training and risk management programs, and ultimately
• managing risks appropriately

Failure to demonstrate that risk and cybersecurity practices that have been addressed could result in authorities being able to rely on a robust set of enforcement and investigation powers. These could include the ability to conduct raids, perform security audits and request data, information and documents (amongst others).

Further, member states must provide authorities the ability to impose considerable fines:

• For essential entities, of at least up to €10 million or 2% of the worldwide annual turnover.
• For important entities, of at least up to €7 million or 1.4% of the worldwide annual turnover.

Does NIS2 apply to the UK?

UK Government has confirmed that it is moving forward with plans to update the NIS regulations as they apply to the UK. While there has been alignment since the UK’s exit from the EU, UK officials have confirmed that there will be differences going forward in the way that the cybersecurity of critical infrastructure will be regulated.

What's new in NIS2?

As mentioned earlier in this post the NIS2 Directive was created to address the shortcomings of the original NIS Directive. A few of these include eliminating the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance, and divided into essential and important categories, which will be subjected to different supervisory regimes.

The proposal strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that must be applied. The proposal introduces more precise provisions on the process for incident reporting, content of the reports and timelines.

Furthermore, the Commission proposes to address security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in supply chains and supplier relationships.

What does this mean if you are a Small to Medium Business (SMB) or a Managed Service Provider (MSP)? Under the old NIS Directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 Directive introduces a size-cap rule. This means that all medium-sized companies in selected sectors will be included in the scope. At the same time, it leaves a certain discretion to the member states to identify smaller entities with a high security risk profile that should also be covered. NIS2 also addresses security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships.

NIS2 seeks to set minimum rules for regulatory frameworks used by governments and businesses, establishing clearer and stronger minimum cybersecurity measures. This includes the following list of security measures, suppliers’ vulnerabilities, and cybersecurity practices that those falling into these new categories are “encouraged” to incorporate into their cybersecurity measures and/or contractual arrangements with their direct supply chains:

• risk analysis and information system security policies;
• incident handling;
• business continuity and crisis management;
• supply chain security;
• secure network and systems acquisition, development and maintenance, including vulnerability handling and disclosure;
• policies and procedures to assess effectiveness of measures;
• basic computer hygiene practices and cybersecurity training;
• policies and procedures regarding use of cryptography/encryption;
• HR security; and,
• The use of MFA, secured comms and secured emergency comms.

How Datto can help you comply with the NIS2 Directive

NIS2 prescribes a variety of cybersecurity actions, most notably ones relating to risk analysis, incident response, business continuity and vulnerability management. Datto helps address these issues and has a range of solutions that help organizations improve their NIS2 posture.

For example, Datto RMM provides visibility into network assets and can automate the process of patch management. By doing so, administrators improve their vulnerability standing that also saves them time by automating patch management. Furthermore, Datto RMM in conjunction with Datto Ransomware Detection further reduces risk by eliminating ransomware attacks.

As for incident response, Datto has two offerings that help with this need. Datto EDR, an easy to use endpoint detection and response tool, stops advanced threats that other endpoint antivirus solutions miss. In addition, Datto also offers a managed detection and response service, Datto Managed SOC, powered by RocketCyber. With Datto Managed SOC, businesses that do not have a security operations center (SOC), can use the service to get 24x7 threat detection and response, as well as threat hunting, which further reduces their risk exposure.

Lastly, when it comes to business continuity, Datto is the market leader. Datto offers a multitude of business continuity and disaster recovery solutions so that when a cyberattack occurs, businesses can recover in record time as if nothing happened at all.

The NIS2 Directive aims to strengthen security across critical sectors in the EU government and companies that operate in or within the EU. Implementation of this directive is now in the hands of the member states to enact laws and regulations to comply with it. Businesses that work within the EU will need to look at their security practices and solutions to ensure they align with these new laws. The Datto Managed SOC team is available to help your business navigate and comply with NIS2.