Be ready for upcoming NIS2 Directive

By Fleur de Belloy

NIS2 proposal under EU Parliament scrutiny

On 13 April 2021, the European Commission (EC) presented to the European Parliament its proposal for a revised NIS Directive (NIS2), the Directive on measures for a high common level of cybersecurity across the Union. The Commission wants to revise the NIS Directive[1] to tackle the lack of harmonisation among the Member States. The proposal also addresses a series of shortcomings identified following the transposition of the Directive into the national legislation of the EU Member States[2]. According to the Commission, the three main challenges are:

  • The low level of cyber resilience of businesses operating in the EU;
  • The inconsistent resilience across Member States and sectors;
  • The low level of joint situational awareness and lack of joint crisis response.

Source: Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.

At the EU Parliament, the Industry, Research and Energy (ITRE) Committee will be responsible for negotiating the proposal until the vote and adoption of the legislation. The next step would then be for the 27 EU Member States to transpose NIS2 into their national legislation.

From NIS to NIS2, what’s new?

Since the publication of the original NIS Directive, the Covid-19 pandemic has accelerated the digitalisation of organisational processes to ensure business continuity. This worldwide trend further exposes organisations to cyber security risks. NIS2 intends to go a step further on the path to a more cyber-resilient European Union. Building on the progress made with the first Directive[3], the new piece of legislation[4] aims to provide a bolder framework to better protect the EU economy and society.

Harmonisation of vital sectors & critical entities, more actors concerned

The Directive proposal has an expanded scope to cover more sectors and entities:

  • The new sectors to be covered are Space, Food, Public administration, Postal and courier services, Waste water & waste management, and Manufacturing of certain critical products (i.e. pharmaceuticals, medical devices, chemicals);
  • The new essential actors are providers of public electronic communications networks or services and Digital service providers (social networking platforms, data centre services).

Stronger enforcement capabilities & security requirements for risk management and incident response

The proposal introduces stricter supervision measures for national Competent Authorities, which will be able to conduct on-site inspections and security audits of operators of essential services (OES). Authorities will be able to request documentation and information from OES to assess the correct implementation of cybersecurity measures, or to perform their supervisory task in the event of an incident.

The proposal also provides stricter enforcement measures for national Competent Authorities. Competent Authorities will be able to issue warnings and binding instructions to remedy deficiencies where entities fail to comply with the obligations laid down in the Directive. Authorities would be able to order non-compliant organisations:

  • to cease the deviations from the obligations and to bring their risk management measures or reporting obligations into compliance;
  • to inform their clients affected by a significant cyber threat of any possible protective or remedial measures which can be taken;
  • to implement the recommendations provided as a result of a security audit within a reasonable deadline.

The proposal gives national Competent Authorities the right to impose an administrative fine, or to request its imposition by the relevant bodies or courts in accordance with national law. The NIS2 proposal creates a list of administrative sanctions, including fines for breaches of the cybersecurity risk management and reporting obligations, with a maximum of at least 10 000 000 EUR or up to 2% of the total worldwide annual turnover.

The proposal includes a list of focused security measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.

The proposal streamlines incident-reporting obligations with more precise provisions on the reporting process, content and timeline.

Improved cooperation & information sharing

The proposal establishes a European Cyber Crises Liaison Organisation Network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises at EU level.

The proposal supports increased information sharing and cooperation between EU Member State authorities, with an enhanced role for the Cooperation Group.

The proposal establishes coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU.

New obligations for Belgian entities

The NIS2 proposal states that all large and medium-sized companies within the critical sectors covered by the regulation[5] will have to comply with the obligations of the Directive. Micro and small companies are excluded unless they are considered high-risk profiles. This is a major evolution compared to the original Directive, under which Member States could unilaterally notify the companies considered Operators of Essential Services.

All Belgian mid-sized to large companies within the above-mentioned sectors will therefore have to comply with the NIS2 framework. To anticipate this upcoming challenge, targeted medium and large companies could already initiate changes to comply with the Belgian legislation transposing the original NIS Directive[6]. This transposition requires OES to comply with the ISO 27001 standard. Once notified, OES have 12 months to draw up their Information Security Policy and 24 months to implement it, a good incentive to initiate .

Rely on Beijaflore’s smart compliance expertise

Supporting companies of all sizes in complying with the NIS Directive is a key offering of Beijaflore, and the firm has proven expertise in assisting OES and other entities. Beijaflore can support future OES in adapting their processes and procedures to the mandatory requirements of the legislation. Beijaflore has developed a dedicated, innovative compliance modelling solution to facilitate the alignment of organisations with legislative requirements.

Bibliography

  1. https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-review-of-the-nis-directive
  2. https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union
  3. https://digital-strategy.ec.europa.eu/en/library/revised-directive-security-network-and-information-systems-nis2

[1] See Introduction to NIS Directive (translated to English from the original in French)

[2] See Assessment report from the EU Commission

[3] See ENISA’s NIS Investment Report

[4] See Proposed directive on measures for a high common level of cybersecurity across the Union

[5] Healthcare, transport, banking & financial market, digital infrastructure, water supply, energy, DSPs, space, postal & courier services, food, public administration, manufacturing of critical products, water & waste water management, electronic communications networks, digital services.

[6] Loi établissant un cadre pour la sécurité des réseaux et des systèmes d’information d’intérêt général pour la sécurité publique, 7 avril 2019 (Act establishing a framework for the security of network and information systems of general interest for public security, 7 April 2019)
