
We live in a world where banking, healthcare, public transportation, and other critical services and agencies rely on computer systems, and that reliance makes them vulnerable to cyberattacks. To counter these threats, the European Union has introduced NIS2, a set of rules designed to strengthen cybersecurity across Europe.

The Growing Threat of Cyber Attacks

Cyberattacks have become more frequent and more dangerous. Attackers can infiltrate computer systems, steal information, and disrupt critical infrastructure such as electricity or healthcare. Those disruptions are crippling. The ransomware attack against the Irish Health Service Executive (HSE) network on May 14, 2021 resulted in a months-long nationwide shutdown of its IT systems.

The European Union Agency for Cybersecurity (ENISA) is taking steps to stop those cyberattacks. ENISA identified eight prime cyber threat groups in the eleventh edition of their Threat Landscape (ETL) report.

Source: ENISA Threat Landscape 2023

Ransomware was the largest threat group in the study, affecting all sectors. The largest targets included organizations in manufacturing, health, public administration, and services.

The report also shows malware attacks targeted individuals, public administration, digital infrastructure, banking and finance, and digital service providers.

Cyberattacks are immediately damaging, but we also need to consider the long-term impact. ENISA concluded the attacks in the ETL report resulted in six types of impact:

  • Digital: damaged or unavailable systems, corrupted data files, or exfiltration of data
  • Economic: direct financial loss or damage to national security
  • Social: effect on the general public or a widespread disruption
  • Reputational: the potential for negative publicity or an adverse public perception
  • Physical: injury or harm to employees, customers, or patients
  • Psychological: confusion, discomfort, frustration, worry, or anxiety

Unfortunately, public release of information related to cyberattacks is often delayed or never happens. This makes the true impact of these incidents almost impossible to assess.

NIS2 was created to help organizations in the EU prevent or mitigate the impact of these threats and to improve reporting so ENISA and other agencies can understand the true impact of cyberattacks as they work to stop them.

NIS2 and its Impact

Understanding NIS2

How will the NIS2 legislation protect organizations in the EU from cyberattacks? By focusing on improving the cybersecurity of high-value and critical targets.

The Directive will:

  • Strengthen imposed security requirements
  • Focus on addressing supply chain security
  • Streamline reporting obligations
  • Tighten supervisory measures
  • Introduce enforcement requirements in all Member States

NIS2 also addresses the importance of information sharing and cooperation as part of crisis management.

The new rules improve the way the EU prevents, handles, and responds to large-scale cybersecurity incidents and crises by introducing clear responsibilities, appropriate planning and more EU cooperation. According to Dutch MEP Bart Groothuis, “This European directive will help around 160,000 entities to strengthen their grip on security and make Europe a safe place to live and work. The law should also allow for the sharing of information with the private sector and partners around the world. If we are attacked on an industrial scale, we have to react on an industrial scale.”

NIS2—Regulatory Reach Increased

NIS2 impacts more organizations than the original NIS directive, imposing regulations on medium and large organizations operating in critical sectors.

The new directive focuses on both “very critical sectors” (banking, digital infrastructure, drinking water, energy, financial market infrastructure, government, healthcare, ICT (B2B) management, space, transport, and wastewater) and “critical sectors” (chemicals, digital providers and research, food, manufacturing, postal and courier services, and waste management).

Enforcement depends on an organization’s category. All organizations in these sectors will be labeled as either essential or important. The classification depends on whether the organization’s sector is critical or very critical and on the size of the company. Only large organizations that fall under very critical sectors are considered essential. Note: Organizations may automatically be classified as essential, regardless of size, if a service outage would have serious consequences.

Compliance

The primary differentiator between essential and important entities is how compliance is monitored. Supervision is proactive for essential entities: those organizations will be actively monitored. Supervision for important entities begins as soon as an incident occurs. If the organization is not taking the required mitigation and reporting steps, it will be seen as non-compliant. The management of the organization is responsible for all compliance.

Financial Impact

The NIS2 directive requires industries to adopt more extensive cybersecurity requirements. Essential organizations are also required to proactively manage security risks.

In addition to existing risk-management measures, organizations might now be required to make more frequent file backups, perform risk analysis assessments, and report incidents in a timely manner. This will result in an increase in administrative and financial responsibility for most impacted organizations. Organizations not yet covered by the directive will see a 22 percent increase in information and communications technology (ICT) expenditures. Companies already in compliance with NIS will see increases of up to 12 percent.

How do Organizations Meet NIS2 Requirements?

Duty of Care

All organizations covered under NIS2 are required to comply with a duty of care. The Directive is specific about the types of measures you will have to comply with. That list includes:

  • Crisis management and operational continuity in the event of a cyber incident
  • Human resources security—access policies and securing digital assets
  • Maintaining digital hygiene and implementing cybersecurity education
  • Multi-factor authentication and secure internal communication
  • Policies and procedures for assessing the effectiveness of risk management measures
  • Policies on risk analysis and information system security
  • Security of network and information systems
  • Supply chain security
  • Use of cryptography and encryption

Reporting

NIS2 outlines a three-stage approach for reporting significant incidents. This reporting applies to both essential and important entities.

Early Warning

The organization must report the incident within 24 hours to limit the potential spread of incidents and to allow entities to seek support. The reporting organization must indicate if the incident resulted from an unlawful or malicious act and if it could have a cross-border impact.

Incident Notification

Within 72 hours of becoming aware of a significant incident, the organization must submit an incident notification that updates the information provided in the early warning with 1) an initial assessment of the incident, 2) the severity and impact of the incident, and 3) the indicators of compromise.

Final Report

Within one month of the incident notification, the organization will need to submit a final report. That report will contain 1) a detailed description of the incident, its severity, and impact, 2) the type of threat or cause of the incident, 3) mitigation measures—used and ongoing, and 4) any cross-border impact of the incident.

These reporting rules apply to significant incidents, meaning incidents that result in significant operational disruption or financial losses, or that might cause material or immaterial damage to individuals. Organizations are also required to report significant threats they encounter that might lead to a significant incident in the future.

Sanctions and Fines for Non-Compliance

NIS2 isn’t a toothless directive. It’s backed up by strict enforcement, fines, and penalties. The Directive lists mandatory sanctions (these may differ by country), including on-site inspections, requests for access to data, requests for information, security audits, and security scans. Each country is mandated to ensure effective, proportionate, and dissuasive sanctions.

In addition to the sanctions, NIS2 also outlines permissible administrative fines. Infringements might result in fines of up to 10 million euros or 2% of the company’s annual worldwide turnover, whichever is higher.

Moving Toward a More Secure EU

NIS2 requires Member States and critical organizations to increase cybersecurity and respond to threats immediately, making sure attacks are detected and stopped quickly. Their goal is to keep the EU safe and running smoothly. Our goal is to help you do the same.

If you’d like to learn more about how BullWall can help your organization prepare for and finance NIS2 compliance, please don’t hesitate to request a demonstration.
