What is the NIS2 Directive?
First proposed in 2020 and implemented on 16 January 2023, NIS2 stands for Network and Information Security 2 Directive, officially known as Directive (EU) 2022/2555. The European Commission (EU) proposed NIS2 to build on the original NIS Directive, or Directive (EU) 2016/1148), by rectifying its deficiencies. The NIS2 Directive aims to enhance cybersecurity in the EU and prepares organizations to be ready for any potential cyber threats.
EU member States must incorporate the NIS2 Directive into their national law by 17 October 2024, and measures will begin to take effect on 18 October 2024. Upon enforcement, every organization covered by the Directive will have to legally follow the security requirements by next year. In Eversheds Sutherland's white paper, the new legislation will help around 160,000 entities improve security, making Europe a safe place to live and work.
Why did NIS2 come into effect?
Considering increasing cyber threats such as phishing, malicious software, and DoS attacks, several governments around the world enforced cybersecurity regulations. In August 2016, the EU introduced the NIS Directive, a regulation aimed at improving member states' ability to handle cyber-attacks. The initial focus was on incident reporting and implementing cyber measures. The NIS Directive applied to two groups: essential service operators and digital service providers that were relevant.
Nonetheless, the initial NIS Directive encountered numerous obstacles in its goal to improve the cybersecurity standards of EU nations. These obstacles include failed implementations, inconsistent efforts, and differing standards, and requirements. The recent digitalization, accelerated by the global pandemic, inevitably fueled the growth of cyber threats. Therefore, to better tackle such attacks and ensure uniform cybersecurity across EU states, a call for improving the NIS Directive came to light.
What is the difference between NIS and NIS2?
As aforementioned, NIS2 is an expansion of the original NIS Directive. The latest directive succeeds the previous directive in wider coverage, larger scope of obligations, and more stringent penalties. It also aims to smoothen the difference in implementation and cyber reporting across the EU states.
Furthermore, NIS2 bolsters the regulations for cybersecurity adherence, encompassing compulsory initial incident reporting, expanded risk management, and a freshly defined role of C-level cybersecurity accountability.
What is new in the NIS2?
To better prepare EU states against cyber threats, the NIS2 directive included new extensive organizational requirements in four areas. The areas are risk management, corporate accountability, reporting obligations, and business continuity.
- Risk Management: NIS2 requires organizations to take security measures to reduce cyber risks. A few measures include having stronger network and supply chain security, improved access control, and encryption.
- Corporate Accountability: Organizations must train competent authority to oversee, approve security measures, and address and mitigate cyber risks.
- Reporting Obligations: Simpler reporting obligations enter into force with the new directive. Entities under NIS2 should possess prompt incident reporting. In addition, the latest Directive imposes specific notification deadlines, such as a 24-hour “early warning”.
Organizations must issue an alert to the relevant authority or computer security incident response team (CSIRT) within 24 hours. This alert should encompass preliminary suppositions about the incident.
A comprehensive report needs to be sent out after 72 hours (about 3 days). This report should encapsulate the assessment of the occurrence, its severity, impacts, and indicators of compromise. After a month, a final report must be conveyed.
- Business Continuity: NIS2 compliance also includes planning business continuity even in the face of strong cyber incidents. This includes system recovery, emergency procedures, and setting up security incident response teams.
The NIS Directive started with 7 sectors considered as critical infrastructure, but the new Directive includes 8 more, totaling 15. It divides the sectors into two entities - Essential Entity (EE) and Important Entity (IE). Some of them include Digital Infrastructure such as cloud service providers, Space, Energy, Manufacturing, Health, and Finance.
Besides the stringent requirements, NIS2 needs organizations to have minimum cyber security measures in place. This includes conducting risk assessments, making backups, training for cyber security, using multi-factor authentication, using cryptography and encryption, and more.
To promote consistent sanctions across EU member states, NIS2 has brought in new uniform penalty rules. EU Organizations that fail to comply with the NIS2 Directive may be subject to three types of penalties. These penalties include non-monetary remedies, administrative fines, and criminal sanctions.
Essential Entities may face administrative fines of up to €10M or 2% of their global annual revenue, whichever is higher. Important Entities may face a fine of up to €7M or 1.4% of their yearly revenue, whichever is higher.
Who does NIS2 apply to?
Along with the 7 sectors from the previous Directive, NIS2 is applicable to 15 sectors, classified as Essential and Important Entities. The division is based on the sector's criticality and organizational size.
Essential Entities (EE)
NIS2 classifies 8 categories as Essential Entities. These are Energy, Transport, Finance, Public Administration, Health, Space, Water Supply, and Digital Infrastructure. NIS2 is applicable to organizations from these sectors with over 250 employees, an annual turnover of at least € 50 million, or a balance sheet of at least €43 million.
Important Entities (IE)
7 sectors fall under Important Entities. They are Postal Services, Waste Management, Chemicals, Research, Foods, Manufacturing, and Digital Providers. NIS2 applies to companies from these sectors with between 50 to 250 employees and an annual turnover not exceeding €50 million, or a balance sheet not exceeding €43 million.
How to prepare for the NIS2 Directive?
- Recognition of Critical Processes: To get ready for the NIS2 Directive, start by identifying the important processes in the organization that could be attacked. One must implement strong security measures to ensure the safety of such processes. Top-notch cybersecurity measures should protect the network and information systems in the company.
- Anticipation and Preparation: While it is impossible to predict future attacks, organizations can anticipate any potential threats based on previous history. Based on this data, they can build a cyber defense strong enough to mitigate any such cyber attacks. Any possible vulnerable point of attack, such as endpoint remote devices must be identified and secured.
- Education and Awareness: An organization's cybersecurity is everyone's responsibility within it. Everyone must be aware of cyber attacks, security measures, and emergency plans. Therefore, upper management must make sure that everyone is well-trained in cybersecurity, such as incident handling and reporting in a timely manner.
How Italy Plans to Implement NIS2: A Brief Study
Italy aims to achieve national and European strategic autonomy by focusing on the digital domain. The country launched the National Cybersecurity Strategy (NCS), which aims to implement 82 measures by 2026 across three key objectives - Protection, Response, and Development.
The National Cyber Crisis Management Framework is divided into three levels - political, operational, and technical. At each of these levels, a governing body is responsible for overseeing issues and implementation. For instance, at the technical level, CSIRT Italia is responsible for relevant crises. The country will follow a tiered approach to risk management measures and reporting obligations.
How can Sangfor Help your Organization with NIS2 Compliance?
Sangfor Technologies is a leader in cybersecurity and cloud infrastructure solutions with 20+ years of experience. Sangfor assists organizations in adhering to the NIS2 Directive by offering a comprehensive suite of security solutions. These include:
- Network Secure: A next-generation firewall designed to safeguard networks.
- Endpoint Secure: An endpoint protection platform ensuring device security.
- Internet Access Gateway: A secure web gateway for safe internet access.
- Cyber Command: A Network Detection and Response (NDR) solution focused on the detection of advanced network threats in the form of abnormal behavior.
- Access Secure: A Secure Access Service Edge (SASE) solution for secure remote access to network and cloud resources.
- Cyber Guardian Services: A range of services, including Managed Detection and Response (MDR), Incident Response, and Security Risk Assessment, for enhanced security.
The integration of these products under the eXtended Detection, Defense, and Response (XDDR) framework provides a robust security ecosystem. This integration aligns with the NIS2 Directive’s requirements for comprehensive risk management. It helps organizations gain real-time insights into potential risks such as vulnerabilities, configuration errors, and weak passwords, which are prime targets for cyber threats.
Utilizing Artificial Intelligence (AI) and Machine Learning (ML), our solutions offer precise and rapid threat detection. The interconnected nature of these products enables an automated and coordinated response, significantly reducing the impact of security incidents and supporting the NIS2 Directive’s emphasis on proactive and responsive security strategies.
Sangfor’s products also enhance threat detection by correlating data across different security layers, providing detailed context for network events. This feature is also key to fulfilling the comprehensive reporting obligations of the NIS2 Directive, while Sangfor’s built-in reporting tools aid in generating the necessary reports for regulatory compliance.
For business continuity, Sangfor incorporates recovery capabilities within its products. For instance, Endpoint Secure includes ransomware recovery features, allowing the restoration of data in case of an attack. Additionally, the Cyber Guardian Incident Response (IR) service offers expert assistance for timely response to security incidents to help businesses return safely to operations.
To discover how Sangfor can help you enhance your cybersecurity and ensure compliance with NIS2, please visit us on our website www.sangfor.com or reach out to us with your enquiries.