NIS2 is a new EU cyber security law that builds on the original network and information systems directive (NIS1). Member States have until 17 October 2024 to adopt and publish their corresponding NIS2 national laws but it looks like several Member States might miss this deadline as they have yet to publish their draft laws.
NIS2 has an expanded scope that requires more entities in a wider range of sectors to take minimum cyber security risk management measures (Article 21(1)) with the ultimate goal of enhancing the EU’s cybersecurity. NIS2 also introduces an onerous multi-stage incident reporting regime which will apply to “significant” incidents (Article 23).
Amongst other things, NIS2 requires in-scope entities to take appropriate and proportionate technical, operational and organisational measures to (i) manage the risks posed to the security of the network and information systems (NIS) which those entities use for their operations or for the provision of their services, and (ii) prevent or minimise the impact of incidents on recipients of their services and on other services.
What is appropriate depends on factors such as: (a) the state-of-the-art; (b) relevant European and international standards (where applicable); and (c) the cost of implementation; what is proportionate depends on: (a) the entity’s exposure to risks; (b) the entity’s size; and (c) the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
NIS2 also requires in-scope entities to implement a baseline of 10 cybersecurity risk-management measures (the Minimum Measures) (Article 21(2)), which must include at least the following:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management; and
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
NIS2 also requires the European Commission to adopt, by 17 October 2024, implementing acts laying down the technical and methodological requirements of these Minimum Measures with regard to certain entities offering cross-border digital services (Relevant Entities). Relevant Entities include digital infrastructure providers (e.g. cloud computing/data centre service providers), providers of ICT service management (B2B) (e.g. managed service providers) and digital providers (e.g. online marketplaces/social networks).
Last month, the Commission released a draft Implementing Regulation (IR) which mandates the technical and methodological requirements that Relevant Entities must implement, based on EU and international standards and technical specifications relevant to the security of NIS. The finalised IR and the NIS2 national laws will take effect on 18 October 2024.
To further complicate matters, Member States may also impose additional requirements when implementing NIS2 and may specify obligations above and beyond the Minimum Measures, so they may become even more prescriptive or onerous in the future.
How to prepare your cybersecurity posture in anticipation of NIS2
If your business is likely to be in scope of NIS2, you should perform an initial gap analysis and maturity assessment of your current cybersecurity posture against the Minimum Measures (and the IR’s mandatory technical and methodological requirements, if applicable). This should help to identify any areas that require further investment and prioritisation, and inform any reshaping of your current cybersecurity programme to plug the identified gaps.
Even if your business is not in scope of NIS2 but your customers are likely to be, you should anticipate requests to evidence your cybersecurity risk management measures so that they can demonstrate compliance with their NIS2 supply chain risk assessment obligations (under Article 21(3) NIS2, in-scope entities must “take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”).
For more information regarding NIS2, see our article here. If you require any advice regarding NIS2, such as assessing whether you are in scope and/or how it might impact your business or your customers, please contact Mary Traynor or Ali Vaziri.