Last month, the European Commission (Commission) released a draft Implementing Regulation (IR) under the revised Network and Information Systems Directive (NIS2).
NIS2 is a new EU cybersecurity law that builds on the original Network and Information Systems Directive (NIS1). NIS2 has an expanded scope, requiring more entities across a wider range of sectors to take minimum cybersecurity risk management measures (Article 21(1)), with the ultimate goal of enhancing the EU’s cybersecurity. NIS2 also introduces an onerous multi-stage incident reporting regime that applies to “significant” incidents (Article 23).
NIS2 requires in-scope entities to take appropriate and proportionate technical, operational and organisational measures to (a) manage the risks posed to the security of the network and information systems (NIS) which those entities use for their operations or for the provision of their services, and (b) prevent or minimise the impact of incidents on recipients of their services and on other services. “Appropriate” involves taking into account: (a) the state of the art; (b) relevant European and international standards (where applicable); and (c) the cost of implementation. “Proportionate” involves taking account of: (a) the entity’s exposure to risks; (b) the entity’s size; and (c) the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
NIS2 sets out a baseline list of focused cybersecurity risk management measures which in scope entities must implement as a minimum in connection with a range of specified matters including incident handling, business continuity, supply chain security etc (Article 21(2)).
Article 21(5) NIS2 requires the Commission to adopt, by 17 October 2024, implementing acts laying down the technical and methodological requirements of the NIS2 minimum security measures with regard to certain digital infrastructure providers (e.g. cloud computing service providers), providers of ICT service management (B2B) (e.g. managed service providers) and digital providers (e.g. online marketplaces/social networks) (together, Relevant Entities). NIS2 must also be implemented into Member State national laws by the same date.
The IR mandates the technical and methodological requirements of the NIS2 baseline cybersecurity risk-management measures which Relevant Entities must implement, based on EU and international standards and technical specifications relevant to the security of NIS. It also sets out the criteria for determining when an incident is deemed “significant” with regard to Relevant Entities under NIS2. The finalised IR and the NIS2 national laws will take effect on 18 October 2024.
Cybersecurity Risk-Management Measures
The technical and methodological requirements mandated by the IR include:
- Policies and Procedures: The development of comprehensive policies on various security matters, including an appropriate risk management framework and process to identify and address NIS risks, policies on access control, incident handling, security testing, patch management and supply chain security.
- Policy Approval: Management bodies must approve overarching security policies, with all policies requiring periodic review and updates.
- Incident Handling: Detailed incident handling policies must be established, including categorisation systems, escalation plans and role assignments for incident response.
- Business Continuity and Crisis Management: Relevant Entities must ensure that their business continuity plans, disaster recovery plans, backup processes and crisis management processes meet specified minimum requirements.
- Supply Chain Security: Contracts with suppliers and service providers must ensure high security levels, and Relevant Entities must maintain an up-to-date registry of direct suppliers/service providers.
- Monitoring and Logging: Processes must capture specific events for incident identification and response, including application control on workstations and email/web filters.
- Cyber Hygiene and Training: Basic data hygiene practices and cybersecurity training for all employees, including management, are required.
- Insider Threat and Access Control: Employee security management measures, such as background checks and awareness programs, should be considered.
- Asset Management: Relevant Entities must create a detailed asset inventory, classifying risk levels for hardware, software, services and facilities; ensure they are handled appropriately and are returned upon termination of employment.
- Governance and Compliance: Defined governance structures must include cybersecurity roles, with regular updates to management bodies based on independent reviews.
- Independent Reviews: Regular independent reviews of security measures by qualified auditors are mandated.
- Protection Against Hazards: An “all-hazards approach” must be taken to protect NIS from failures, human error, malicious acts or natural phenomena.
Definition of a “Significant” Incident
The IR clarifies that an incident is considered “significant” under Article 23(3) NIS2 with regard to Relevant Entities if it meets any of the following criteria:
- Financial Loss: incidents causing financial losses exceeding €100,000 or 5% of the entity’s annual turnover.
- Reputational Damage: incidents causing considerable reputational damage, especially if reported in the media or leading to customer loss or regulatory non-compliance.
- Trade Secret Exfiltration: incidents leading to the theft of trade secrets.
- Health Impact: incidents causing death or health damage to individuals.
- Unauthorised Access: malicious and unauthorised access to NIS.
- Recurring Incidents: non-significant incidents with the same root cause which occur at least twice within six months are collectively considered as one “significant” incident.
In addition, specific incidents with regard to certain types of Relevant Entities (e.g. cloud computing, data centre, content delivery network, managed service and managed security service providers, and digital providers such as online marketplaces/social media platforms) are deemed “significant”, e.g. cloud service disruptions lasting over 10 minutes; data centre service unavailability or service level breaches affecting over 5% of users, or more than 1 million users, for more than an hour, etc.
If your business is likely to be a Relevant Entity in scope of NIS2, you should carefully consider the IR’s technical and methodological cyber requirements in the context of your wider NIS2 cybersecurity risk management measures assessment/gap analysis. You should also liaise with your security team to ensure that your business can comply with these new requirements, and with the associated reporting obligations regarding “significant” incidents, when the NIS2 national laws and the IR start applying on 18 October 2024.
Feedback on the draft IR can be submitted via the Commission’s Have Your Say portal until 25 July 2024.
For more information regarding the NIS2 Directive, see our article here. If you require any advice regarding NIS2, such as assessing whether you are in scope and/or how it might impact your business, please contact Mary Traynor or Ali Vaziri.