These European-wide cybersecurity regulations are unprecedented. There are many requirements to ensure that European organisations can demonstrate a common high level of IT security. Companies will have to comply, and quickly. Here are the main changes in the new NIS2 directive.
NIS2 directive: extending the scope of NIS1
In 2016, the Network and Information Security (NIS) Directive was adopted by the European Parliament and the Council of the European Union. Its main objective was to increase the level of cybersecurity of major organisations in around ten high-risk business sectors. In France, this represented around a hundred players.
With the intensification of cyberthreats, in a tense geopolitical context, more and more companies and institutions are concerned by the risk of IT incidents. That’s why Europe has published NIS2, an extension of the NIS1 directive, to take effect at the end of 2022. The aim is to broaden the scope of the sectors concerned and to strengthen cybersecurity requirements.
The new directive employs an “all-risks approach”. In other words, it requires a wide range of organisations to better protect their networks and information systems, through a combination of multiple cyber strategies. These include:
- Risk analysis,
- incident handling,
- business continuity,
- supply chain security,
- and the use of secure emergency communication systems within the organisation.
Virtually all sectors affected
NIS2 will now affect thousands of entities in more than 18 business sectors. All private or public entities with more than 50 employees, or with a turnover in excess of €10 million, are affected. These include digital companies and certain public authorities, which have been particularly targeted by cyber attacks in recent months. These sectors are classified in two categories: highly critical sectors and critical sectors.
Sectors classified as highly critical include :
- energy
- transport
- banking
- financial market infrastructures
- health
- drinking water
- waste water
- digital infrastructure
- ICT service management
- public administration
- Space
The sectors considered critical are :
- postal and shipping services
- waste management
- manufacture, production and distribution of chemical products
- production, processing and distribution of foodstuffs
- Manufacturing
- digital suppliers
- Research
Two new entity categories (EE and EI)
The other new feature of NIS2 is the classification of entities into two distinct categories: essential entities (EE) and important entities (EI). This classification is based on the level of criticality, the number of employees and the global turnover of the companies concerned. A large company employs at least 250 people and/or has an annual turnover of at least €50 million. A medium-sized company employs at least 50 people and/or has an annual turnover of more than €10 million.
Thus, essential entities would mainly include large companies in sectors classified as highly critical. Important entities would mainly concern large and medium-sized organisations in sectors classified as critical and medium-sized organisations classified in highly critical sectors. This distinction will make it possible to tailor requirements and penalties for organisations in proportion to their resources and the stakes involved in protecting their data.
It should be noted that in certain sectors, the high level of criticality may justify designation as an essential entity, regardless of the size of the organisation. This is particularly the case for entities identified as critical at national level by the CER Directive.
Tougher penalties
Lastly, the NIS2 directive also strengthens the penalty system. An organisation that fails to put in place appropriate risk management measures or to notify a security incident quickly enough will risk a fine proportional to its turnover and level of criticality. Companies could therefore be subject to fines of between 1.4% and 2% of their turnover, up to a maximum of €10 million.
EU Member States are also able to require entities to carry out audits or inspections. If necessary, they can issue warnings and instructions.
Focus on two new obligations for organisations
Reporting security incidents
With NIS2, when a cyber security incident occurs, organisations will have 24 hours to report it to ANSSI. This deadline is not yet definitive and may be reviewed before the directive is transposed into national law. However, all the organisations affected by NIS2 will have to get organised in order to react quickly. This initial notification is similar to a preliminary report, which will have to be supplemented by a final report. The aim is to improve the responsiveness of the authorities in the event of an incident and to trace cyber attacks more accurately.
Cybersecurity training for executives, managers and employees
In-house training is a key point in this new directive, and is encouraging massive awareness of the subject of cybersecurity.
Indeed, the main challenge of NIS2 is to force the implementation of technical measures, but also and above all operational and organisational measures. The entire organisation must be mobilised for its cybersecurity, not just the IT department. That’s why the directive requires cybersecurity training for senior managers, who must systematically approve all security measures. What’s more, the directors representing the organisation could be held liable if they fail to comply with the directive’s obligations.
With a view to extending cybersecurity to all functions, the NIS2 directive could redefine the role of the DPO (Data Protection Officer) by giving him or her tasks relating to the application of this directive. These new tasks will be consistent with those required to comply with the General Data Protection Regulation (GDPR). It’s a way of looking at cybersecurity as a legal risk, and no longer as the preserve of CISOs.
When will organisations have to comply?
Firstly, the directive will be transposed at national level in 27 countries from 17 September 2023. Then, from October 2024, it will be mandatory for all companies and administrations concerned. However, organisations need to start preparing for these new cybersecurity standards now, by increasing their level of security. In this way, they will be able to counter the growing number of cyber threats.
How do you prepare for the NIS2 directive?
As of now, organizations affected by the NIS2 Directive can be assisted by experts to assess the security level of their information system and receive recommendations.
As a trusted service provider, certified and qualified by the ANSSI, Tixeo supports essential service operator and operator of vital importance in their NIS2 compliance. The use of secure communication systems is one of the recommendations to ensure business continuity in the event of a crisis. Protecting online communications is therefore a guarantee of cyber resilience for organisations.