New proposed directive - NIS 2
There is a proposal for a new directive which originates from the NIS directive – this new proposed directive is called NIS 2. NIS 2 has a number of additions and will affect more sectors and companies than the original NIS Directive.
What is the NIS Directive?
The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.
Read more about the original NIS Directive here!
Proposal for a new directive - NIS 2
The initial NIS Directive included a process to conduct regular review of itself. This has led to a proposal for a directive for countries in the EU about measures for high common level of cybersecurity – this is called NIS 2.
The proposal for NIS 2 contains aspects that meet deficiencies with the original NIS Directive. These deficiencies where found:
- Business in the EU do not have a sufficient level of cyber resilience (cyber resilience is the resistance to a possible cyberattack, but also the ability to keep capacity up during an attack, and how well you return to your original capacity after an attack)
- There is inconsistency between member states and sectors concerning cyber resilience
- There is not a sufficient understanding among member states about present threats and challenges, as well as not having a joint crisis response
What is new with NIS 2?
Based on these deficiencies, new additions have been made, creating the new proposal NIS 2. These are the most prominent new additions:
- Larger scale than NIS, more sectors are considered as essential services (list further down)
- Managers are held accountable for securing the business.
- Incident reporting now has to be done within 24 h instead of 72 h.
- Higher demands on security and reporting, where a minimum requirement list must be followed
- Security of supply chains and suppliers
- Stricter supervisory measures for national authorities
- Elimination of the distinction between operators of essential services and digital service providers
- Stricter supervisory measures for national authorities, firmer enforcement requirements
- Aims at harmonising sanctions regimes across member states, enabling that administrative fines should be issued. The fines will be up to 10 million EUR or 2 % of the entities' total turnover worldwide.
- Enhancement of the role of the Cooperation Group, and increasement of information sharing and cooperation between member state authorities
More sectors and companies are affected by NIS 2
In the new proposal, new sectors have been added based on how vital they are for society and the economy. A wider range of companies within each sector will also be included. This as an action to respond to Europe's increased exposure to cyber threats.
In the current NIS Directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure. These sectors will be joined by manufacture of pharmaceutical products including vaccines and of critical medical devices, public administration, and space.
Other important entities that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers.
Within each affected sector, all large and medium sized businesses within the EU will have to comply. Smaller businesses can also be affected if deemed necessary due to their profile.
The expansion of the scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will help increase the level of cybersecurity in Europe in the medium and longer term.
When will NIS 2 come into force?
The European committee adopted the new proposal on 28th of October 2021, as well as a mandate to enter into interinstitutional negotiations. The European Council then agreed its position on 3rd of December 2021. The next step was that the co-legislators reached a provisional agreement on the text in the proposal on 13th of May 2022. The proposal now needs to be adopted formally by both institutions, with the Parliament due to vote on it in plenary in the coming months.
Once published in the Official Journal, the Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law. Member States will have 21 months to transpose the Directive into national law.
Some important forums that also aim to strengthen European cybersecurity
The EU Cybersecurity Act and ENISA
The EU Cybersecurity Act came into force on 27th of June 2019 and applies in full across the EU since 28 June 2021.
It has two main purposes:
- To give ENISA (the EU Agency for Network and Information Security) a permanent mandate
- To establish a European cybersecurity certification framework for ICT (information and communications technology) products, services and processes.
The idea is that companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognised across the European Union. The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) as it grants a permanent mandate to the agency, and gives it more resources and new tasks.
The European Cyber Resilience Act
According to the European Commission work programme for 2022, a proposal on a European cybersecurity resilience act (legislative) will be published in Q3 2022. The aim is to establish common standards for cybersecurity products. The Act addresses market needs and aim to protect consumers from insecure products by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services.
The Cyber Resilience Act will complement the existing EU legislative framework, which includes the Directive on the security of Network and Information Systems (NIS Directive) and the Cybersecurity Act, as well as the future Directive on measures for high common level of cybersecurity across the Union (NIS 2) that the Commission proposed in December 2020.
Will you be affected by NIS 2?
Each company affected will now have to have a well-organised incident management, a structured approach to risk management and a cybersecurity manager at management level.
With real penalty fees for businesses that do not take care their responsibility (2% of sales or 10 million EUR) as well as personal responsibility for the CEO and regulatory supervision - you really need to make sure that you follow the Directive?
So what to do now?
First of all: Find out if you and/or your customers are covered by the directive! If you for example are an entity that provides a service which is essential for the maintenance of critical societal and/or economic activities, for example an energy company, you are classified as an "operator of essential services". Then start by sorting out what requirements that are placed on you and make a gap analysis against the current situation.
Here are some actions that all companies affected by NIS will have to take:
- Take security measures to protect network security and information systems. This includes risk analysis and information system security policies.
- Requirement to report incidents that affect continuity in the services (prevention, detection, and response to incidents).
- Work with business continuity and crisis management as well as supply chain security. This includes to have policies and procedures for cybersecurity risk management measures.
- The use of cryptography and encryption.
- Supervision by designated supervisory authorities
- Work systematically and risk-based with their information security
If you have activities that are subject to the Security Protection Act, it may be worth monitoring NIS a little extra in the future. It has been hinted that the special exception that meant that security protection always violated the NIS Directive will change.
With the new NIS Direcitive, management bodies will have a crucial and active role in the supervision and implementation of these measures. What could happen if an essential operator is non-compliant?
- Fines up to 10 million EUR or 2% of the total global annual turnover
- Management liability
- Temporary bans for managers
- Designation of a monitoring officer
You do not want to end up here. Start your information security work today!
To learn more about how to protect your most important information, read more about how to start working systematically with information security!
If you need help, do not hesitate to contact us at Advenica!