The Network and Information Security (NIS) Directive (Directive (EU) 2016/1148) is a European cybersecurity directive adopted on July 6, 2016. Its goal is to ensure a high and common level of security for network and information systems across the European Union.

A review of the text was required by 2021 at the latest, to clarify the scope of the initial directive and to raise the level of cybersecurity requirements within the EU. The European Commission's proposal for a new directive, "NIS 2," was taken up by the European Parliament, whose lead committee adopted its position on October 28, 2021; the plenary vote is expected in the second half of 2022. Once the directive enters into force, EU member states will have 21 months to transpose it into national law. What will the practical implications be for businesses?


NIS Directive: A Common European Framework for Cybersecurity

This directive establishes a cooperation framework between EU member states, notably through information sharing and the exchange of best practices. This takes concrete form in the Cooperation Group and in the CSIRTs network, which links the member states' national Computer Security Incident Response Teams (a network of national teams rather than a single central response centre).

Within each member state, it also sets up a framework of security requirements for:

  • Operators of Essential Services (OES): operators that depend on network and information systems to provide an essential service, the disruption of which would have a significant impact on the functioning of the economy or society.
  • Digital Service Providers (DSP): legal persons providing one of the digital services listed by the directive (in NIS 1: online marketplaces, online search engines, and cloud computing services).

The requirements for OES and DSPs cover the management of information systems (IS) and of IS-related risk, the establishment of security governance, and protection, incident-response and resilience measures.


NIS 2: An Expanded Scope of Application

List of Essential Service Operators Concerned

For OES, the security requirements of NIS 1 were applicable to the following sectors:

  • Supply and distribution of drinking water;
  • Energy: Electricity, Oil, Gas;
  • Digital infrastructure;
  • Banking and financial market infrastructures;
  • Health: Healthcare establishments;
  • Transport: Air, rail, road, waterways.

NIS 2 adds further sectors to this list, including: wastewater and waste management; manufacturers of "critical products" (e.g., medical devices, electronic products); postal and courier services; and public administrations (primarily central administrations, excluding defense, national security, public safety, law enforcement, and the judiciary).

The only sector effectively taken out of the NIS scope is banking and financial market infrastructures: these fall under the sector-specific DORA regulation (Digital Operational Resilience Act), which takes precedence over NIS 2, although the precise articulation between the two texts remains to be clarified.

List of Digital Service Providers Concerned

For DSPs, in addition to online search engines, cloud computing services, and online marketplaces, the NIS 2 Directive also brings into scope DNS service providers, top-level domain name registries, and trust service providers (previously regulated only under the eIDAS Regulation).

Moreover, the NIS 2 Directive will apply more broadly than before. Whereas the first version of the directive only applied to major economic players designated by each member state, NIS 2 applies by default to all medium and large enterprises in the sectors concerned; small and micro enterprises remain excluded, with exceptions for certain providers (for example DNS service providers, TLD registries, and trust service providers), which are covered regardless of their size.


Stronger Security Requirements

The NIS 2 Directive also raises the level of security requirements for the entities concerned. It sets out 23 security rules, grouped into 4 themes: Governance, Protection, Defense, and Resilience. Each rule is tied to specific objectives that the entity must meet.

Notably, the new directive introduces graduated requirements. Depending on their size and criticality, the entities it covers are classified as "essential" or "important" entities, with differentiated obligations and supervision.

The companies affected by the NIS 2 Directive must, in particular:

  • Implement a risk-based approach;
  • Designate a Single Point of Contact (SPOC) for dealings with the national information security authority (e.g., ANSSI in France), in particular for incident reporting. In the same spirit as personal data breach notifications under the General Data Protection Regulation (GDPR), organizations will have to notify the authority of significant cybersecurity incidents within 24 hours (NIS 1 only required notification "without undue delay"; the 72-hour deadline is the GDPR's) and submit a final report on the incident within one month at most.


Stronger Control and Sanction Powers

The NIS 2 Directive also introduces enhanced supervisory powers. National authorities will be able to verify compliance with NIS requirements at any time, through on-site and off-site inspections, security audits, and requests for access to evidence.

In case of non-compliance, administrative fines of up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed. In addition, the personal liability of natural persons holding representative or management positions may be engaged.


The new NIS 2 Directive, much like the GDPR, clearly demonstrates the European Union's determination to raise its security requirements. Economic players of all sizes, and first of all those within the directive's scope, should start strengthening their security posture now by relying on a recognized security management framework. In this respect, the ISO 27001 standard is an essential foundation for NIS compliance. Our ISO 27001 experts are available to assist you.