European cybersecurity

NIS 2: Keys to Resilient Cybersecurity


The European NIS 2 Directive comes into force in 2024 to promote cybersecurity and resilience across the EU through legislation and cooperation between Member States.

Background: The NIS 1 Directive

More than a decade ago, the European Union was aware of the need to develop a common legal framework on cybersecurity to establish a strategy shared by the Member States against cybercrime. NIS 1, the EU’s first legal framework for cybersecurity, was born.

NIS 1 sought to establish common minimum requirements for capacity building and planning, information sharing, cooperation, and security, in order to eliminate unequal levels of cyber protection between Member States.

However, it soon proved insufficient to cover the growing complexity of cybercrime, for several converging reasons:

  • Limited scope: It left out essential services and types of business that were increasingly exposed to cyberattacks.
  • Lack of harmonization: It failed to unify cybersecurity approaches across Member States.
  • Emerging threats: It failed to effectively address sophisticated cyber threats such as ransomware, distributed denial-of-service (DDoS) attacks, and large-scale data theft.

These shortcomings highlighted the need to update the legal framework to address cybersecurity challenges. As a result, the European Union began drafting the NIS 2 Directive, a new directive that expanded and improved on the critical aspects of its predecessor.

Objectives of NIS 2

NIS 2 seeks to address the shortcomings of NIS 1 by broadening its scope, promoting the harmonization of cybersecurity approaches among Member States, and tackling emerging threats more effectively. The update reflects the rapid evolution of technology and cyber threats and the need to adapt the legal framework to keep pace with them.

Therefore, its main objective is to improve cybersecurity across the European Union by implementing common standards and promoting cooperation between Member States.

To achieve this, NIS 2 proposes to:

  • Ensure a uniformly high level of cybersecurity across the European Union.
  • Eliminate divergences between Member States in terms of cybersecurity.
  • Define minimum standards for the functioning of a coordinated regulatory framework.
  • Establish mechanisms for practical cooperation between the competent authorities of each Member State.
  • Update the list of sectors and activities subject to cybersecurity obligations.
  • Provide remedies and effective enforcement measures to ensure compliance with those obligations.

Obligated companies and sectors

The NIS 2 Directive is mandatory for companies in 18 sectors, grouped as follows, that exceed the size thresholds given below:

  • Highly critical sectors: Eleven sectors considered essential for the functioning of society: energy, banking, financial markets, healthcare, transport, digital infrastructure, drinking water, wastewater, public administration (except for the judiciary, parliaments, and central banks), B2B ICT service management, and space.
  • Critical sectors: Research, chemical industry, food, postal services, digital suppliers, manufacturing, and waste management.

The size thresholds are more than 250 employees and an annual turnover of €50 million or more.

The Directive also distinguishes between essential entities and important entities. The former must comply with the requirements of regulated supervision. The latter are subject to ex-post supervision, meaning that authorities take action only when they have or receive evidence of non-compliance.

The 5 Best Practices of Resilient Cybersecurity

  1. Continuous assessment of risks and vulnerabilities: This involves developing a corporate cyber intelligence strategy to identify and monitor potential threats, evaluate their impact and probability of occurrence, and analyze weaknesses in the organization's cybersecurity. Under this principle, the Directive makes it mandatory to include the value chain in this continuous assessment.
  2. Proactive mitigation of detected risks and vulnerabilities: Focused on preventing and reducing the impact of potential cyberattacks rather than simply responding to them after they occur. Once risks and vulnerabilities have been detected through continuous assessment, security measures must be adopted in proportion to the identified risk levels.
  3. Crisis management and business continuity: Organizations must develop well-defined incident response plans and procedures and keep them tested and updated. This ensures that, in the event of a cyberattack or security incident, there is a rapid and coordinated response to mitigate the impact and restore normal business operations as soon as possible.
  4. Rapid communication of risks and incidents: Entities are obliged to notify the relevant authorities of any significant incident:
    – Initial notification – Early warning: 24 hours.
    – Interim notification – Update: after 72 hours.
    – Final notification – Report submission: maximum period one month.
  5. Cyber hygiene and training: The NIS 2 Directive focuses on increasing EU citizens’ and organizations’ awareness and capacities to protect themselves against cyber threats and contribute to a safer and more resilient digital environment.

Keys to NIS 2

The keys to NIS 2 focus on increasing the awareness and capacities of EU citizens and organizations:

  • Promoting proactivity: NIS 2 focuses cybersecurity on controlling and preventing threats and risks, urging organizations to get ahead of cyberattacks as the primary way to avoid their consequences. This involves proactive measures such as constant network monitoring, early identification of potential vulnerabilities, and adoption of rapid incident response strategies.
  • New threats and advanced technologies: The Directive considers emerging threats and evolving technologies, such as artificial intelligence and the Internet of Things (IoT), and seeks to address the challenges they present for cybersecurity. It involves staying on top of the latest trends in cybersecurity and continuously adapting your security strategies and controls to deal with new threats and technologies.
  • Third-party risk assessment: NIS 2 integrates the obligation to control supply chain risks as one of the pillars of the effectiveness of any cybersecurity strategy. It involves assessing and managing the risks associated with vendors, business partners, and other third parties accessing the organization’s systems or data, ensuring they meet the required security standards.
  • The figure of the CISO: NIS 2 requires companies to have a security manager, a duly qualified, full-time person who manages corporate cybersecurity, is part of the management team, and leads technical and business decisions.
  • Responsibilities and sanctions: The NIS 2 Directive makes the management body responsible for approving and supervising the cybersecurity strategy, risk management, and compliance with the standard. Sanctions range from disqualification to administrative penalties. In addition, NIS 2 increases the fines for offending organizations.


Thus, by eliminating divergences between Member States in terms of cybersecurity, establishing minimum standards for the functioning of a coordinated regulatory framework, and promoting practical cooperation between the competent authorities of each Member State, the NIS 2 Directive is expected to improve cyber-resilience across the European Union. This, in turn, will contribute to the protection of network and information systems and the prevention of cyberattacks, with a positive impact on the security and stability of the European Union economy.

If you would like more information about the content of NIS 2, the regulation’s keys, scope, and compliance, you can download the whitepaper Objective Cyber Resilience: Good Practices, Keys, and Compliance with NIS 2 that we have written for this purpose.