
EU updates directive on network and information security

  • The aim of the EU NIS2 Directive is to make a significant contribution to a more secure digital economy in the European Union and to increase the resilience of in-scope organisations against cyber attacks.
  • The NIS2 Directive covers a considerably larger number of sectors than its predecessor and gives organisations a clear basis for developing a compliance roadmap.

The NIS2 Directive contains new and amended obligations for businesses that are intended to raise the standard of cybersecurity across EU Member States. The Directive tightens supervisory measures, streamlines and standardises incident reporting obligations, raises the minimum security measures that entities must implement, emphasises information exchange and cooperation, addresses supply chain security and introduces enforcement requirements with harmonised sanctions across Member States.

Scope

The NIS2 Directive introduces uniform obligations for organisations operating in eighteen sectors. The sectors are divided into two groups, listed in Annex I and Annex II of the Directive:

  • "sectors of high criticality", including transport (air, rail, water, road), banking, financial market infrastructure, energy, health (including manufacturers of critical medical devices and pharmaceuticals), drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration and space; and
  • "other critical sectors", including digital providers, manufacturing, postal and courier services, waste management, the manufacture, production and distribution of chemicals, the production, processing and distribution of food, and research.

The NIS2 Directive applies when an organisation provides services or carries out activities in an EU Member State, regardless of whether the organisation is established in the European Union.

Organisations in scope are classified as 'essential' or 'important' entities under NIS2. The classification depends on the size of the organisation and on whether its sector is one of high criticality or one of the other critical sectors. Large organisations (250 or more employees, or €50 million or more annual turnover) and medium-sized organisations (fifty or more employees, or €10 million or more annual turnover) in these sectors fall within the scope of NIS2. Broadly, large organisations in the sectors of high criticality are essential entities, while the remaining organisations in scope are important entities. Certain types of organisation fall within scope regardless of their size, including qualified trust service providers, top-level domain name registries and DNS service providers. Regardless of size, an organisation can also be brought into scope if it is the sole provider of a service in a Member State, or if a disruption of its service could have a significant impact on public safety, public security or public health. The category an organisation falls into determines how it is supervised and enforced against.

Compliance monitoring and risk management

Compliance monitoring is an important distinction between essential and important entities. Essential entities, which mainly comprise organisations from the sectors of high criticality, are subject to proactive (ex ante) supervision, meaning their compliance is actively monitored. Important entities are supervised reactively (ex post), typically after an incident or on evidence of non-compliance. If inadequate action has been taken and NIS2 requirements have not been met, important entities can face the same kinds of supervisory and enforcement measures as essential entities, although the maximum fines are lower (see Sanctions below).

Under the NIS2 Directive, every in-scope organisation, whether essential or important, must take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of its network and information systems. The Directive sets out a minimum list of the types of measures that entities must implement. This includes establishing and maintaining policies on risk analysis and information system security, incident handling, and business continuity and crisis management so that operations can be maintained during a major cyber incident. It also includes ensuring supply chain security, using cryptography and, where appropriate, encryption, and establishing policies and procedures to assess the effectiveness of the risk management measures taken.

Incident reporting

The Directive introduces a new, staged timeline for reporting significant incidents.

  • Early warning. A significant incident must be reported to the competent authority or CSIRT within 24 hours of the organisation becoming aware of it. The early warning should indicate whether the incident is suspected of having been caused by an unlawful or malicious act and whether it could have a cross-border impact. Without undue delay, and where possible within 24 hours of receiving the early warning, the authority or CSIRT responds with initial feedback and, on request, guidance on possible mitigation measures; additional technical support may also be provided.
  • Incident notification. Within 72 hours of becoming aware of the incident, the organisation must submit a notification that updates the early warning and includes an initial assessment of the severity and impact of the incident. Any available indicators of compromise should also be included at this stage.
  • Final report. A final report is due within one month of submitting the incident notification. It must include a detailed description of the incident, including its severity and impact, the type of threat or root cause that probably triggered it, the mitigation measures applied and ongoing, and details of any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. The obligation to submit a final report is intended to improve future risk management and incident response.

Sanctions

The Directive contains a mandatory list of supervisory and enforcement measures. The supervisory measures include requests for information and for access to data and documents, regular and targeted security audits, security scans and on-site inspections. Each Member State determines the precise extent of the measures applied. In addition, administrative fines can be imposed depending on the circumstances of the case. For essential entities, Member States must provide for maximum fines of at least €10 million or 2 percent of total annual worldwide turnover in the preceding financial year, whichever is higher. For important entities, the maximum fines must be at least €7 million or 1.4 percent of total annual worldwide turnover in the preceding financial year, whichever is higher.