NIS-2: An all-hazard approach

Late December 2022 saw the publication of the Network and Information Security Directive (NIS-2). All European Union member states have until October 2024 to implement the directive into national law. Compared to previous legislation, NIS-2 has added a substantial number of ‘mandatory’ sectors. What do you need to know? More importantly, what action do you need to take to comply with the NIS-2 directive?

Which organizations are covered under NIS-2?

NIS-2 is a framework within which the government must create a new cybersecurity law: “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union”. Unlike the current Network and Information Systems Security Act (WBNI), derived from the NIS-1 directive, NIS-2 is mandatory for hospitals, for example, which in my view is a necessary addition to safeguard public health. Ultimately, the government will determine which other sectors and subsectors will be added to the list drawn up by the EU.

Essential or important?

Within the mandatory sectors, a distinction is made between essential and important entities. Essential entities (large organizations) are subject to a more intensive regime of obligations and control. This applies to organizations with more than 250 employees and/or an annual turnover of more than €50 million and a balance sheet total of more than €43 million. Important entities (medium-sized organizations) have a minimum of 50 employees and/or an annual turnover exceeding €10,000,000.

The mandatory sectors under NIS-2 are:

1. Essential entities:
• Energy,
• Transport,
• Financial market infrastructures,
• Healthcare,
• Drinking water supply and distribution,
• Digital infrastructures,
• Wastewater,
• Public administration,
• Space,
• ICT services,
• Banking.

2. Important entities:
• Digital providers,
• Postal and courier services,
• Waste management,
• Food,
• Chemical products,
• Research,
• Manufacturers.

By using a ‘last resort’ arrangement (recital 133 NIS-2), authorities have been given the power to temporarily shut down essential entities. High-level commitment is enforced through liability for directors (Article 20(1) NIS-2) and the authority to impose fines up to €10 million or 2% of global turnover. Time to get cracking on this!

What is mandatory?

By and large, there are two mandatory requirements that organizations have to comply with. Entities have a duty of care, so they are required to carry out a risk assessment and, based on that, to take appropriate measures to safeguard their services as much as possible and protect the information used. A notification requirement stipulates that incidents must be reported to the regulator within 24 hours. I will explain in more detail below.

1. Duty of care

An important addition to the duty of care is the requirement for a Configuration Management Database (CMDB). This is a database with information about hardware and software items, the relationship between them, and a representation of the security measures applied to them, such as automatic patching and incident response policies.

One area of concern here is shadow IT, which refers to all IT resources that employees use within a company that are not managed by the IT department. In other words: all applications, cloud services and hardware that have not been approved by the IT department. Gartner estimates that 35% of all IT is shadow IT on average. Another important measure is setting up detection processes. This allows you to notice any abnormalities in a timely manner, for example, by deploying a SOC (Security Operations Center) and creating an incident response plan (how to deal with a disaster).

2. Duty to report

‘Significant incidents’ should be reported to Computer Security Incident Response Teams (CSIRT) or to the competent authority (regulator). There is no notification requirement for cyber threats. Reports need to be submitted by means of a process known as ‘stepped reporting’: starting with submitting an ‘early warning’ within 24 hours, followed by a more extensive report within 72 hours and a final report within a month.

All-hazard approach

The NIS-2 is based on an ‘all-hazard approach’ (Art. 21.2 NIS-2), which means a large-scale integrated approach. In other words, to protect your network and information systems, you must consider the total scope of factors that are key to the continuity of your services, which also includes physical security. The huge scale of an all-hazard approach can be paralyzing, because there is a vast number of technical and organizational measures to consider. Fortunately, further EU regulations will follow within 21 months of NIS-2 coming into force, which will provide more information on the required technical and organizational measures (TOM) for e.g. DNS service providers, MSP/MSSP and cloud computing services. It will be interesting for all sectors to analyze this list.

If you are looking for a checklist of technical and organizational measures, take a look at the General Security Requirements for Defense Contracts 2019 (ABDO). To get an idea of the eventual requirements in the new cybersecurity law, you can take a look at the former cybersecurity law (Wbni). This will be supplemented with the new requirements for NIS-2. This results in the following requirements, among others:
• Systematic administration of network and information systems;
• Taking inventory of information systems;
• Information security management (including risk analysis, HR, operational security, security architecture, lifecycle and secure data and systems, encryption);
• Physical and environmental security (system failures, human error, hostile actions and natural phenomena, supply security, access controls for network and information systems (physical and logical access)).

The RDI also launched the NIS2 self-assessment this week. This tool provides more clarity as well.

Don’t delay

In particular, I expect that setting up a Configuration Management Database is going to take a significant amount of time, and also requires a lot of information from external sources. NIS-2 challenges you to subject your current measures to close scrutiny and to provide insight into the full scope of the IT environment. A rough estimate is that this process will take at least six months of implementation time. Parallel to this process, you can already start working on the technical measures, as listed in the current cybersecurity law, and start drawing up an incident response plan.

Fortunately, many resources are available to facilitate NIS-2 implementation. We are happy to help you complete this transition as smoothly as possible.
