The NIS 2 Directive, Directive (EU) 2022/2555, entered into force on Jan 16, 2023, and member states were given 21 months, until Oct 17, 2024, to transpose its measures into national law. The directive lays down detailed cybersecurity rules and obligations across 9 chapters and 46 articles. For the purposes of this article, its key objectives, provisions, the role of EU member states, compliance and enforcement, and the implications of non-compliance are discussed.
What is the NIS 2 Directive?
The NIS 2 Directive is a substantial piece of legislation designed to establish a high common level of cybersecurity across the EU member states. It contains stringent cybersecurity measures covering information sharing, supervision, and an enforcement mechanism in each member state. It requires critical organisations to adhere to risk management and incident reporting standards. Furthermore, each member state must adopt a national cybersecurity strategy, establish incident response and analysis teams, designate competent authorities, and appoint single points of contact for cybersecurity.
The NIS 2 Directive significantly expands the original NIS Directive, Directive (EU) 2016/1148, by introducing more stringent cybersecurity requirements and higher penalties, and by broadening its scope to cover more sectors, including postal and courier services, food supply chains, and waste management, among others.
Recital 121 in the preamble of the NIS 2 Directive states that, when ensuring the security of network and information systems, personal data should be processed only for purposes that are necessary, in pursuit of legitimate interests, to a proportionate extent, and in a lawful manner. It also states that personal data such as email addresses, URLs, and timestamps may need to be processed and/or disclosed for measures related to, but not limited to:
- preventing, analysing, containing, and responding to incidents;
- raising cybersecurity awareness;
- exchanging information to remediate vulnerabilities; and
- voluntary exchange of information about cyber threats.
The NIS 2 Directive does not supersede the powers or responsibilities of the authorities that supervise the processing of personal data under the EU GDPR and Union data privacy law (Directive 2002/58/EC). Given the growing use of artificial intelligence and similar innovative technologies, organisations within the scope of the NIS 2 Directive should also comply with data protection principles such as data security, data minimisation, and data accuracy. To minimise redundant, obsolete, and trivial (ROT) personal data, automated and certified tools like BitRaser can help erase unwanted data permanently, beyond the scope of recovery. The erasure reports and certificates generated in real time can also support compliance with the EU GDPR, data privacy laws, or the data protection laws of the respective member states.
Scope of NIS 2 Directive
The scope of the NIS 2 Directive is outlined in Article 2 of Chapter I, General Provisions, which describes the sectors and entities that fall within the scope of Directive (EU) 2022/2555. These include essential and important entities in sectors such as energy, transport, waste management, healthcare, and digital infrastructure, among others.
It is important to note that Articles 42 and 43 of the NIS 2 Directive (EU) 2022/2555 amend earlier legislation: they delete Article 19 of Regulation (EU) 910/2014 and Articles 40 and 41 of Directive (EU) 2018/1972.
The NIS 2 Directive also applies to entities that are:
- providers of publicly available electronic communications services or of public electronic communications networks
- domain name system (DNS) service providers and Top-Level Domain (TLD) name registries
- trust service providers
- sole providers of a service that is essential for critical economic or societal activities
- providers of services that, if disrupted, could significantly impact public security, public safety, or public health
- providers of services that, if disrupted, could induce a significant systemic risk
- entities of critical importance at the regional or national level, or to other interdependent sectors in the member state
- public administration entities of the central government
- public administration entities at the regional level that, following a risk-based assessment, are identified as providers of services that, if disrupted, could impact critical economic or societal activities
Note: Public administration entities that carry out activities in the areas of law enforcement, public security, defence, or national security, or that are jointly established with a third country under an international agreement, are excluded from the scope of this directive.
Major Provisions of NIS 2 Directive
To achieve resilient cybersecurity, the NIS 2 Directive establishes several provisions that strengthen the overall security of network and information systems while ensuring that all essential and important sectors take proactive steps to manage cybersecurity risks. Some of these provisions are:
- National Cybersecurity Strategy: Every member state should adopt a national cybersecurity strategy and notify it to the Commission within 3 months of adoption, excluding information related to national security. The strategy should lay down objectives, resources, policies, and regulatory measures for organisations in the governed sectors. It covers, among other things, asset-identification and risk-assessment mechanisms and a governance framework describing the duties of relevant stakeholders at the national level. As part of the national cybersecurity strategy, member states should implement policies on vulnerability management, supply chain cybersecurity, cybersecurity awareness, and the promotion of cyber protection. See Article 7 for details.
- Computer Security Incident Response Teams (CSIRTs): Notifications of incidents should be received by CSIRTs or competent authorities. Single points of contact should not receive incident notifications directly unless they are also acting as a CSIRT or a competent authority. Member states must ensure that each CSIRT has an appropriate, resilient, and secure communication infrastructure for exchanging information with essential and important entities and other relevant stakeholders. Member states may request the assistance of ENISA (the European Union Agency for Cybersecurity) in developing their CSIRTs. Articles 10 and 11 describe the CSIRTs, their requirements, technical capabilities, and the tasks they are responsible for.
- Enhanced Role of the Cooperation Group: The role of the Cooperation Group has been expanded and formalised in Article 14 of the NIS 2 Directive. The group is established to build confidence and trust, to support and facilitate strategic cooperation, and to enable the exchange of information among member states. It is composed of representatives of the member states, the Commission, and ENISA. Member states should ensure that their representatives cooperate efficiently, effectively, and securely within the Cooperation Group. From assessing cyber incidents and threats to providing transposition-related guidance to the competent authorities, the Cooperation Group has diverse responsibilities, which are explained in the article. In compliance with the EU GDPR, the Union may conclude agreements with international organisations or third countries that allow their participation in the activities of EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network), the CSIRTs network, and the Cooperation Group.
- Supply Chain Risk Management: In cooperation with the Commission and ENISA, the Cooperation Group carries out coordinated security risk assessments of critical supply chains, taking into account technical and, where relevant, non-technical sector-specific factors, to support essential and important entities in managing risks related to their supply chains and suppliers. The objective of these assessments is to identify critical ICT services, systems, and products, the relevant threats and vulnerabilities, and appropriate risk mitigation measures.
- Domain Name Registration Data: Article 27 states that TLD name registries and entities providing domain name registration services should be required to enable lawful access to specific domain name registration data that is necessary for the purpose of an access request, in accordance with Union and national law. In particular, TLD name registries should establish policies and procedures for collecting and maintaining accurate registration data and for preventing and correcting inaccurate registration data. TLD name registries and entities providing domain name registration services should verify at least one contact means of the registrant. These verification controls are performed both at the time of registration (ex-ante) and after registration (ex-post).
- Incident Reporting: The NIS 2 Directive takes a multi-stage approach that combines swift and in-depth reporting: the early stages help contain a significant incident before it spreads, and the later stages improve the cyber resilience of sectors and entities. Starting from the time an entity becomes aware of a significant incident, it must inform the CSIRT or the competent authority, whichever is applicable, via an early warning within 24 hours. The entity should then follow up with an incident notification within 72 hours (of the incident), indicating the severity, the impact, and the indicators of compromise. Within a month of the incident, the entity should submit a final report.
Compliance and Enforcement of NIS 2 Directive
Article 34 sets out the general conditions for imposing administrative fines on essential and important entities. It states that, taking into account the circumstances of each individual case, member states must ensure that administrative fines imposed on essential and important entities are effective, proportionate, and dissuasive.
Penalties include:
For Essential Entities
- For infringements of Article 21 or 23, essential entities are subject to administrative fines of a maximum of at least EUR 10,000,000 or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
For Important Entities
- For infringements of Article 21 or 23, important entities are subject to administrative fines of a maximum of at least EUR 7,000,000 or of a maximum of at least 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
Subject to a prior decision of the competent authority, member states may also be empowered to impose periodic penalty payments to compel an essential or important entity to cease an infringement of the NIS 2 Directive. Member states may lay down their own rules on whether, and to what extent, administrative fines may be imposed on public administration entities, without prejudice to the powers of the competent authorities.
Note: Where the legal system of a member state does not provide for administrative fines, the member state is responsible for ensuring that this Article is applied in such a way that the fine is initiated by the competent authority and imposed by the competent national courts or tribunals, while making sure that those legal remedies are effective and have an effect equivalent to administrative fines. The fines imposed should be effective, proportionate, and dissuasive.
Measures to Mitigate Non-Compliance Risks
Article 21 sets out the cybersecurity risk-management measures that entities must take. Below is a detailed interpretation:
- Member states must ensure that essential and important entities take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of the network and information systems (NIS) they use, and to prevent or minimise the impact of incidents. The proportionality of these measures should be assessed against the size of the entity, its degree of exposure to risks, the severity and likelihood of incidents, and their societal and economic impact.
- The measures referred to above should be based on an all-hazards approach that aims to protect network and information systems and their physical environment from incidents, and should include at least:
  - policies on risk analysis and information system security;
  - incident handling;
  - business continuity, such as backup management, disaster recovery, and crisis management;
  - supply chain security;
  - security in the acquisition, development, and maintenance of network and information systems;
  - policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  - cybersecurity training and basic cyber hygiene practices;
  - policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  - access control policies, asset management, and human resources security;
  - the use of multi-factor authentication (MFA) or continuous authentication solutions, secured voice, video, and text communications, and, where appropriate, secured emergency communication systems.
- Member states should ensure that, when determining which measures under paragraph 2, point (d) (supply chain security) are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of their products, and the cybersecurity practices of their suppliers and service providers. For critical supply chains, the coordinated security risk assessments carried out in accordance with Article 22(1) must also be taken into account.
- Member states must ensure that an entity that finds it does not comply with the measures in paragraph 2 takes all necessary, appropriate, and proportionate corrective measures without undue delay.
Comparison Between NIS Directive and NIS 2 Directive
A close comparison between the two versions of the directive can provide a clearer picture:
| Aspect | NIS Directive (2016/1148) | NIS 2 Directive (2022/2555) |
|---|---|---|
| Scope | Covers essential services and digital service providers. | Expands to include more sectors and types of entities, both "essential" and "important". |
| Risk Management Requirements | Basic cybersecurity requirements for covered entities. | Stricter and more detailed risk management, including incident response and supply chain security. |
| Cybersecurity Requirements | General security measures for entities in scope. | More specific and stringent cybersecurity measures, including business continuity planning and vulnerability handling. |
| Incident Reporting | Required for incidents with a significant impact on services. | Stricter reporting requirements: incidents must be reported within 24 hours, with details within 72 hours. |
| Enforcement and Penalties | Left to individual member states, with varying penalty structures. | Stricter penalties and enforcement: fines of up to at least EUR 10,000,000 or of a maximum of at least 2% of total global annual turnover in case of non-compliance by essential entities. |
| Governance and Oversight | National authorities designated by each member state. | Stronger oversight: national authorities must ensure compliance and establish cyber crisis management authorities, CSIRTs, and cybersecurity contact points. |
| Supply Chain Security and Digital Service Providers | The supply chain is not specifically addressed. Digital service providers are included but less regulated. | Explicitly addresses cybersecurity in supply chains and for digital service providers, requiring risk management for third-party vendors. |
| Cross-Border Cooperation | Encouraged but limited in scope. | Stronger focus on cross-border cooperation and on sharing information about cyber threats among member states. |
Conclusion
The NIS 2 Directive (EU) 2022/2555 is a step forward in strengthening proactive cybersecurity postures across Europe. However, it should not be forgotten that the EU GDPR remains the principal law governing the overall data protection of EU citizens. To realise the benefits of a digitally enabled world, member states must adopt the policies and practices set out in this directive, cooperate at the Union level, and complete the transposition process as soon as possible.