The digital landscape is vast and continually evolving, prompting the need for comprehensive security measures. With the rise in cyber threats, the European Union (EU) has pushed for stronger cybersecurity directives, most notably the Network and Information Systems 2 (NIS2) Directive. This article delves into the EU NIS2 Directive, its distinction from the original NIS, and who it impacts.
Understanding regulations and legislation is crucial background knowledge for threat modeling, because they can dictate security requirements.
The Network and Information Systems 2 (NIS2) Directive (EU NIS2 Directive) will improve the level of cyber security and resilience of critical organizations within the European Union.
Compared with the prior NIS version (initially released in 2016), NIS2 brings more organizations into the scope of the directive, all of which must adhere to its requirements. Further, NIS2 consolidates and standardizes the directive where NIS was fragmented between member states of the EU.
NIS2 will have a big impact on companies operating within the EU because it will make new (cyber)security requirements mandatory. This will solidify the requirements across the entire EU.
Further, there are EU-wide initiatives that will improve the overall security posture: better cooperation between national CSIRTs, more strategic thinking at the EU level, and support for large-scale incidents (via CyCLONe).
NIS2 will take effect from 18 October 2024 across the EU, although member states still need to transpose the directive and adopt many of the measures (such as setting up national bodies). Read this article if you’d like to see the latest NIS2 adoption data.
The NIS2 Directive is part of a mix of new EU regulations that will impact technology, banking and critical infrastructure companies.
What it means for member states and organizations:
Member states will need to draft legislation to incorporate the directive into law, set timelines for implementation and provide oversight and enforcement capabilities.
Public & private organizations and companies in critical sectors will need to adhere to the NIS2 requirements.
The four major NIS2 themes are:
- Board ownership & responsibility for risk: The board is responsible for (security) compliance and risk management. They must also have relevant training in order to effectively perform these duties. The board can be held personally liable if it does not perform these duties.
- Minimum security requirements & processes: Organizations in scope must implement minimum security controls. Examples include basic cyber hygiene, network security, vulnerability handling & disclosure, security training and the use of encryption.
- Managing supply chain risk: The supply chain must be managed securely. The supply chain risks must be understood and documented, along with identification of supplier vulnerabilities, cyber security processes & practices, and secure development.
- Incident handling & reporting: Significant incidents must be reported to the relevant Computer Security Incident Response Team (CSIRT). This must occur within 72 hours (with an early warning within 24 hours). Customers must also be informed if impacted.
Fines in case of non-compliance:
- NIS2 fines can reach €10 million or 2% of total worldwide turnover. Further, enforcement can be preceded by, or combined with, warnings and mandatory instructions. Personal fines & liabilities can also be enforced in case of (major) board shortcomings.
Which sectors are in scope:
- High criticality sectors: ICT Services Management (B2B), Space, Transport, Digital Infrastructure, Public Administration, Financial Markets Infrastructure, Drinking Water, Banking, Health, Waste Water, Energy.
- Other critical sectors: Manufacture, Production and Distribution of Chemicals, Manufacturing, Research, Postal and Courier Services, Waste Management, Production, Processing and Distribution of Food, Digital Providers.
Both High Criticality Sectors and Other Critical Sectors must adhere to the NIS2 (security) requirements. High Criticality Sectors are subject to immediate supervisory oversight, whereas Other Critical Sectors are subject to supervision only if there is some evidence of non-compliance or gaps.
Note that there are some other minimum scoping rules that determine whether an organization is in scope of NIS2. For example, large-sized organizations (minimum of 250 employees or 50 million revenue) and medium-sized organizations (minimum of 50 employees or 10 million revenue) in the critical sectors are in scope. Smaller organizations may be out of scope (depending on some other factors).
Conclusion
The NIS2 Directive signifies the EU’s commitment to enhancing cybersecurity across its member states. By expanding its scope, introducing stricter measures, and broadening its applicability, NIS2 presents a more robust framework for addressing the complex cybersecurity challenges of today’s digital landscape.
For entities that fall under the NIS2 Directive, it is crucial to understand its requirements and implement the necessary measures to ensure compliance. Failure to do so can result in severe penalties, making it imperative for organizations to prioritize cybersecurity now more than ever.