The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.
Network and Information Security 2, known as NIS2, is the European directive that came into force on January 17, 2023, to strengthen cybersecurity and safeguard critical infrastructure in Europe and in the individual member states. It responds to the rise of increasingly sophisticated and malicious cyber threats by establishing a robust defence strategy.
As we have reiterated many times, including in this blog, the evolution of technology, especially artificial intelligence tools, the continuous connection of all private and professional devices, and remote working, which became widespread during the pandemic, all imply an increasing cyber risk.
Added to all this is the complex global geopolitical situation, which increasingly has dangerous implications online: state-sponsored hacking, cyber espionage and cyber warfare are nothing new, as global tensions and conflicts increasingly manifest themselves in the digital space. An increasing professionalization of the cybercrime industry accompanies all this.
An explosive combination, to say the least, that disproportionately increases the risk of attacks on essential sectors: energy, education, healthcare, public administration, transportation, media and telecommunications.
All areas that certainly cannot afford to disrupt their operations or put their valuable data assets at risk, and for that very reason are very attractive and lucrative prey for criminals.
This sharp acceleration of risk forced the European Union to thoroughly revise the previous NIS directive of 2016, transposed in Italy in 2018, which many considered deficient, by issuing NIS2.
The objectives and actions envisaged by NIS2
The new directive thus takes a necessary step forward in digital resilience and threat management.
It not only enhances cybersecurity but wants to lay out a roadmap to ensure uninterrupted business performance and promote a properly trained workforce capable of ensuring proper digital posture in any work organization.
It does so by pursuing several objectives: broadening the scope of applicability, eliminating the now obsolete distinction between essential service operators and digital service providers, improving coordination on the security measures required and on the resources available to supervisory authorities, and reducing the discretion left to member states.
To achieve its objectives, NIS2 has planned several actions including:
- The implementation of resource management practices to identify and protect critical information systems and resources.
- The communication to relevant authorities and maintenance of incident response capabilities.
- The implementation of cybersecurity strategies and risk management protocols.
- The establishment of incident management protocols, reporting mandates and response plans.
- The development of a strategy to ensure the continuity of critical services during cyber incidents.
- The implementation of supply chain security measures to examine and ensure the security of third-party vendors.
- The training and sensitization of employees on optimal cybersecurity protocols.
- The quick reporting of incidents to the appropriate bodies.
- The elimination of inconsistencies and the strengthening of communication and cooperation among member states.
Actors and sectors involved in NIS2
One of the most important new features introduced by the NIS2 Directive is the wide pool of product sectors involved.
The distinction, considered obsolete, between Essential Service Operators and Digital Service Providers is abandoned in favour of that between Essential Subjects (the subjects of high-criticality sectors, such as public administrations and companies involved in energy, transportation, banking, the health sector, digital infrastructure, etc.) and Important Subjects (all subjects in the other critical sectors, from medium-sized enterprises upwards, such as postal and courier services, waste management, digital service providers, etc.).
The scope of NIS2 thus expands to include other entities, encompassing sectors such as chemical production, medical device manufacturing, food processing, and social networking services, which were not within the jurisdiction of NIS.
Although these classifications share similar obligations, essential entities will be subject to stricter regulatory scrutiny and enforcement actions.
Under the sizing criteria, all large enterprises in the identified sectors are automatically involved, i.e., those with more than 250 employees or annual sales of more than 50 million euros or an annual balance sheet total of more than 43 million euros.
Medium-sized enterprises operating in the identified sectors are also involved, i.e., those with between 50 and 250 employees, or with an annual turnover or balance sheet total between 10 and 50 million euros, or with an annual balance sheet total not exceeding 43 million euros.
The criteria for identifying public administrations are different, leaving more room for the member states' evaluation during transposition. Finally, many specific categories of entities, including small businesses, identified more precisely in the Directive, are added.
The result is the broadening of the range of subjects impacted by the Directive: about 110,000 organizations will be directly involved, divided, indicatively, between 67,000 essential and 43,000 important subjects. At the Italian level, the number could be around 15,000 subjects in total.
Also important, of course, are the effects on the supply chain.
Supply Chain Protection
The new directive requires organizations to address supply chain security, including the risks created by supplier relationships.
The latter is a crucial aspect, as many attacks occur through vulnerabilities of third-party suppliers. Organizations must therefore assess the quality and resilience of the products and services they use, to ensure that these do not expose essential service providers to vulnerabilities. It is also important for organizations to assess how their third-party vendors manage cybersecurity and whether the measures they use are robust enough to protect the entire supply chain.
To ensure a common level of cybersecurity with all providers and reduce the chances of cyber incidents, essential service providers should include the required measures in their contracts with third-party providers.
Cooperation and coordination at the European level: EU-CyCLONe
The NIS2 Directive places much emphasis on cooperation between member states.
Indeed, provision has been made for the formation of the EU-CyCLONe Organization composed of representatives of EU countries in charge of cyber crisis management and, if necessary, representatives of the European Commission.
The main objective of EU-CyCLONe is to coordinate how different countries deal with major security issues by ensuring that they are well prepared to handle cyber incidents and crises; that a shared understanding of what happens during these incidents and crises is developed; that the impact of incidents is properly assessed; and that political leaders are guided to make the best decisions about them.
EU-CyCLONe will report regularly to the Cooperation Group on major cybersecurity incidents and trends, particularly those affecting critical organizations and services.
By July 17, 2024, and every 18 months thereafter, the organization will submit a report to the European Parliament and the Council outlining its recent activities.
Emergencies
To ensure a rapid response, NIS2 requires affected organizations to send a quick notification to the Computer Security Incident Response Team (CSIRT), or an appropriate national authority, within 24 hours of a significant cyber incident, i.e., one that causes a major disruption of processes or financial loss to the organization or causes substantial tangible or intangible harm to another person. If necessary, organizations may also request assistance in implementing any mitigation measures. Authorities will respond to the notification, offer guidance on how to handle the incident, and inform other affected countries if necessary.
Within 72 hours of learning of the incident, the affected organization must provide details of the attack as well as an initial assessment of the damage. Finally, within one month of notification of the incident, the affected organization must provide a report with a detailed description of the severity, impact, root cause, and mitigation measures applied by the organization.
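The three reporting stages above form a timeline that an incident response team has to track from the moment it becomes aware of a significant incident. The following Python snippet is an added example, not code from the article or from any official NIS2 tooling: it computes the 24-hour, 72-hour and final-report deadlines and classifies each stage as pending, overdue, on time or late. The final-report clock is started from the time the 72-hour notification was actually sent, and "one month" is approximated as 30 days; both are assumptions of this example, as is the sample incident it runs on.

```python
from datetime import datetime, timedelta

# Notification stages described in the article, counted from the moment the
# organization becomes aware of the significant incident. "One month" for the
# final report is approximated as 30 days here (an assumption, not the text's).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)


def deadlines(aware_at, notification_sent_at=None):
    """Compute the three deadlines for an incident first known at `aware_at`.

    The final-report clock starts when the 72-hour notification is actually
    sent; until then the latest permissible notification time is used, which
    gives the most conservative (earliest) final-report deadline.
    """
    notification_due = aware_at + INCIDENT_NOTIFICATION
    final_anchor = notification_sent_at or notification_due
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": notification_due,
        "final_report": final_anchor + FINAL_REPORT,
    }


def stage_status(aware_at, submitted, now):
    """Classify each stage as on_time / late / pending / overdue.

    `submitted` maps a stage name to the datetime it was sent; stages absent
    from it have not been sent yet.
    """
    due = deadlines(aware_at, submitted.get("incident_notification"))
    report = {}
    for stage, deadline in due.items():
        sent = submitted.get(stage)
        if sent is None:
            report[stage] = "overdue" if now > deadline else "pending"
        else:
            report[stage] = "on_time" if sent <= deadline else "late"
    return report


# Constructed sample incident (not from the article): awareness on 1 March
# 2024 at 09:00, early warning sent the same evening, 72-hour notification
# still missing when the status is checked on 5 March.
SAMPLE_AWARE_AT = datetime(2024, 3, 1, 9, 0)
SAMPLE_SUBMITTED = {"early_warning": datetime(2024, 3, 1, 20, 0)}
SAMPLE_NOW = datetime(2024, 3, 5, 10, 0)


def demo():
    """Run the sample incident through both functions and return the results."""
    return (
        deadlines(SAMPLE_AWARE_AT),
        stage_status(SAMPLE_AWARE_AT, SAMPLE_SUBMITTED, SAMPLE_NOW),
    )


if __name__ == "__main__":
    due, state = demo()
    for stage in due:
        print(f"{stage:22s} due {due[stage]:%Y-%m-%d %H:%M}  -> {state[stage]}")
```

In the sample run the early warning is on time, the 72-hour notification is overdue (it was due on 4 March at 09:00) and the final report is still pending with a conservative deadline of 3 April. Timestamps are naive here; a production tracker should store them in UTC, since the 24-hour window starts from awareness of the incident, not from the start of the next business day.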
Cyber hygiene
With cyber threats becoming increasingly complex and sophisticated, organizations must maintain a basic level of security and cyber hygiene practices to protect essential infrastructure: regular software and hardware updates, periodic password changes, management of new installations, administrator-level access account limitations, and data backups.
In addition, since many attacks occur through connected devices, employee training and user awareness of common cyber threats are critical to strengthening the security chain.