In 2016, the European Commission adopted the EU Network and Information Security (NIS) Directive. The directive aims to establish regulations that improve the overall cybersecurity level across Europe and was recently updated in January 2023 to a new directive called NIS2. The NIS Directive is a multifaceted piece of legislation that applies to various industry sectors, providing regulations that help EU member states build strong cybersecurity postures.
What is The NIS Directive?
The NIS Directive is the initial legislation in the European Union that concentrates on cybersecurity. There are a variety of critical components within this directive that covered entities must adhere to, which work together to enhance cybersecurity across networks within the EU.
Security Requirements
Entities covered by the NIS Directive must implement appropriate measures to secure their network and information systems. Examples include anti-malware solutions, multi-factor authentication (MFA), encryption, and access control. Enhanced security measures are strong preventive measures that help control the level of risk an organization has. These measures are often the first defense against cybercriminals and common threats like ransomware.
Incident Reporting
The NIS Directive requires entities to report security incidents to their national authorities. This ensures a coordinated response from member states, particularly regarding the broader threat landscape. Especially when dealing with high-level coordinated cyber attacks and popular ransomware, reviewing security incident reports can help identify trends and patterns and provides smooth crisis management.
National Strategies
The NIS Directive requires every member state of the EU to adopt a national strategy for the security of network and information systems. This strategy should include strategic goals and suitable policy and regulatory measures. Member states can craft this strategy to fit their cybersecurity goals while staying within the parameters outlined in the NIS Directive.
National Competent Authorities (NCA)
The NIS Directive mandates that EU member states designate one or more national competent authorities to ensure compliance within their territories. These authorities hold legally delegated power to enforce the NIS Directive in their state, including outlining penalties for non-compliance with cybersecurity regulations.
Computer Security Incident Response Teams (CSIRTs)
EU member states are also required under the NIS Directive to establish CSIRTs. These security teams handle incidents while sharing information with other member states and providing early warnings about potential cybersecurity risks.
CSIRTs are connected to a broader network that promotes cooperation between individual CSIRTs and outside stakeholders.
Who Must Comply with the NIS Directive?
The NIS Directive is focused on creating a high common level of cybersecurity for network and information systems across the EU. Therefore, the NIS covers a variety of industries and entities within each member state.
Industry Sectors
The NIS Directive applies to public and private organizations, focusing on two specific types of entities.
Operators of Essential Services (OES)
OES entities provide essential services, and if a security incident disrupts them, it could severely impact the economy, society, or individual welfare. Examples of OES industries are:
- Energy Companies (Electricity, Oil, Gas)
- Transportation
- Banking Institutions
- Healthcare Providers
- Financial Market Infrastructures
- Drinking Water Supply and Distribution
- Digital Infrastructure (Domain name service providers, internet exchange points, etc.)
Digital Service Providers (DSP)
These organizations provide digital services at a large scale and could impact the internal market if disrupted. DSPs include:
- Online marketplaces
- Online search engines
- Cloud computing services
Penalties for Non-Compliance
Organizations not complying with the NIS directive face various penalties unique to each EU member state’s national law. While the directive does outline a basic protocol for penalties, individual states determine the nature and amount of each specific penalty.
Various penalties are enforced for different types of infringements; some of the more common infringements include failing to report security incidents within the designated timeframe and neglecting to implement proper security measures. Penalties range from fines to business restrictions, with heavier penalties for infringements of a more serious nature and gravity.
For example, in France, the NIS Directive is applied to national law through the “Code de la défense” (Defense Code) and the "Code des postes et des communications électroniques" (Electronic Communications and Postal Code). The French National Agency for the Security of Information Systems (ANSSI) handles non-compliance through four main types of penalties:
- Fines: These can rise to €300,000 for non-compliance, like failing to report a security incident or not complying with security requirements.
- Criminal Penalties: In severe cases, like failing to report significant incidents, responsible individuals can face up to one year in prison with additional fines.
- Orders to Comply: Formal notices are sent out for non-compliance, ordering entities to comply. If they fail, the ANSSI can implement the changes and charge the entity for the costs.
- Public Notice: In specific situations, ANSSI can make the non-compliance public, causing reputational consequences for the involved entity.
Key Goals of the NIS Directive
The overarching goal of the NIS Directive is to raise the level of cybersecurity across all the member states in the EU. Within that goal are other benefits that contribute to a strong cybersecurity posture and provide safeguards against future cyber threats.
Improved Cybersecurity for Critical Infrastructure
Cybersecurity is vital for any organization but essential for critical infrastructure. Think about organizations that handle electricity, transportation, health, and banking—and how often you rely on them to provide their services on a day-to-day basis. If any of those services are disrupted due to a cyber attack, it can have an immediate devastating impact.
The NIS Directive provides enhanced cybersecurity strategies for those critical infrastructure entities, providing safeguards from cyber threats for essential services.
Capacity Building
The NIS Directive requires member states to establish competent national authorities and Computer Security Incident Response Teams (CSIRTs). These teams are primarily responsible for assisting member states to enhance their cybersecurity incident prevention, response, and resolution capabilities. A solid, robust capacity to combat cyber threats effectively is essential going forward.
Cooperation & Consistency Among Member States
Due to the unique nature of the European Union, cooperation and consistency among member states is a high priority. Each member state may have its requirements and legislation, but the NIS Directive creates a common baseline of cybersecurity measures and reporting obligations across all member states.
This also fosters a sense of cooperation between member states as they share information and coordinate responses to cybersecurity incidents and threats. Cyber threats affect everyone, and the NIS Directive’s requirements work together to help EU member states protect themselves and each other from potential security incidents.
Raising Public Awareness
Part of the directive's broader objective is to raise awareness about cybersecurity risks and promote a security culture among businesses, public organizations, and citizens. The vast reach of the NIS directive helps everyday citizens and companies better understand cybersecurity risk management while continuing to promote a culture that prioritizes cybersecurity and personal data protection.
Strengthening the NIS Directive: NIS2
At the end of 2022, the EU’s Official Journal published EU Directive 2022/2555, known as NIS2. The NIS2 Directive is a new revised version of the original NIS Directive, updating and strengthening the directive due to emerging challenges in the cybersecurity landscape.
Key Differences
- Scope Expansion: NIS2 expands the entities covered by the original NIS directive. Alongside OES and DSPs, more sectors are now covered, including public administrations and specific enterprises in certain sectors.
- Improved Cooperation (CSIRT platform): NIS2 aims to enhance cooperation among EU Member States in addressing cyber incidents and threats. The European Union Agency for Cybersecurity (ENISA) must create a European vulnerability disclosure database to facilitate knowledge sharing.
- Improved Incident Reporting: NIS2 includes changes that streamline the process of reporting cybersecurity incidents, allowing member states to respond faster and more consistently.
- Risk Management: NIS2 outlines the importance of entities conducting expansive risk assessments and implementing robust risk management practices.
- Stricter Sanctions: NIS2 proposes that member states can and should introduce stronger sanctions for non-compliance with the new directive, including fines of up to 10% of an entity's annual turnover. This ensures that entities take their cybersecurity responsibilities seriously.
Preparing for the NIS2 Directive
If your organization or entity must comply with the NIS Directive or falls under the expanded scope of new entities in NIS2, here are a few items to help you prepare for the updated regulations.
- Understand the New Scope and Changes: Get familiar with the specifics of the NIS2 directive, and understand what new changes may apply to your organization. The new directive has updated definitions, expanded scope, and more changes that require detailed research.
- Gap Analysis: Conduct an internal analysis to identify where your organization currently stands regarding compliance with the NIS directive. This can include risk assessments and audits of your network and information systems, which can help identify areas of adjustment required for NIS2 compliance.
- Strengthen Security Measures: Building upon your gap analysis, introduce updates and changes that strengthen your security infrastructure. This can include updating your reporting mechanisms, improving risk management measures, and reviewing your Incident Response Plan.
- Communicate with Stakeholders: With the expanded scope of NIS2, engaging with relevant internal and external stakeholders about your updated cybersecurity measures is crucial. Think about your supply chain and vendors, suppliers, and local authorities who may interact with your organization daily.
- Record Keeping and Documentation: Proper record-keeping is crucial to demonstrate compliance with NIS2. Review your current documentation processes, and implement new practices to help provide comprehensive documentation of risk assessments, security measures, and incidents.
- Consult with Legal Experts: At the end of the day, NIS2 is a complex compliance directive, and if your organization is feeling overwhelmed with all the new changes, consider consulting with legal experts familiar with NIS2. They can help your organization prepare for any changes affecting you directly.
Deadlines for Implementation
NIS2 took effect in January 2023, but EU member states have until October 2024 to adopt and implement the local laws to comply with NIS2.
In the interim, it is advisable that companies in the relevant sectors, especially digital service providers, closely follow the national transposition process and the expected clarifications from the EU Commission. This, along with preparations for compliance, will help ensure a smooth transition for all involved parties.
NIS2 and GDPR
NIS2 works alongside the General Data Protection Regulation (GDPR) to foster a secure and trustworthy digital environment across the European Union. The GDPR is an overarching data protection law that gives EU citizens and residents more control over their personal data. Additionally, it requires organizations to ensure protection and privacy when using that data.
NIS2 aims to enhance the resilience of crucial industries and digital services. At the same time, the GDPR concentrates on safeguarding the privacy rights of individuals and ensuring personal data is processed securely and responsibly. Together, they create a holistic framework for cybersecurity in the European Union. The NIS2 framework safeguards essential systems and services against cyber threats, while the GDPR ensures that the data passing through those systems is protected and individual rights are not violated.
The combination of NIS2 and the GDPR establishes a dependable digital environment by ensuring strong infrastructure resilience and data protection. This fosters trust by providing reliable systems and privacy guarantees.
NIS2 and DORA
The Digital Operational Resilience Act (DORA) is a recent EU regulatory framework that works together with NIS2 to enhance the cybersecurity posture of the EU across different sectors. While NIS2 increases the scope and sets stricter cybersecurity requirements for critical sectors, DORA focuses solely on the financial industry and improving its overall cyber resilience.
DORA demands higher resilience standards and rigorous testing protocols from applicable financial entities. To comply with DORA, entities must establish and maintain strong digital risk management capabilities, continuously test their information and communication technology (ICT) systems, and effectively manage risks posed by third-party ICT service providers through a comprehensive oversight framework. By setting high resilience standards, DORA aims to protect the financial market's integrity and stability from the increasing risks of digital disruptions and cyber threats.
DORA was finalized in early 2024, and organizations will have an additional year to comply with the new requirements. NIS2 and DORA work together to create a comprehensive regulatory environment that addresses sector-specific risks and harmonizes cybersecurity practices across various sectors. These regulations provide a unified approach to managing and mitigating cyber risks, thus safeguarding the EU's digital economy and ensuring a cohesive and resilient digital ecosystem throughout the European Union.
The Impact of the NIS Directive on Cybersecurity
The NIS Directive was a crucial step in developing cybersecurity regulations in the European Union. It aimed to strengthen critical infrastructures and essential digital services against increasing cyber risk, improving cyber resilience across these vital sectors. The directive required mandatory reporting of significant cybersecurity incidents, which promoted transparency and facilitated the sharing of threat intelligence. This had a considerable impact on preparedness and coordinated responses across different sectors.
By working together, the EU has improved its ability to respond to cybersecurity threats and share best practices. This collaborative approach has also led to a more unified and resilient digital single market through harmonizing cybersecurity standards. NIS2 will continue building upon these regulations, enhancing cybersecurity and protecting critical networks and systems.
Get your organization NIS2-ready and protected against cyber risks with UpGuard. Check out our UpGuard BreachSight product tour to learn about this all-in-one platform designed to help your organization monitor your attack surface, identify risks, and enhance your cybersecurity posture.