Preparing for NIS2: How Businesses Can Get Ahead of the Coming Legislation

March 19, 2024

Kevin Diffily

Product Marketing Manager, Risk & Compliance


In response to growing attacks on supply chains and inconsistent incident-reporting obligations across the continent, the European Union adopted a second cybersecurity directive, which entered into force in January 2023, to build on its 2016 Network and Information Systems (NIS) Directive. The new directive, known as NIS2, raises the bar for supply chain security and security incident reporting for organizations with significant operations in EU member states. It also widens the scope to 18 sectors, within which in-scope organizations are classified as either “essential entities” (EEs) or “important entities” (IEs).

Over 160,000 businesses operating in Europe will now have to commit substantial resources to ensuring that their vendors, business partners, suppliers, and every other touchpoint in their supply chains are not creating vulnerabilities for them. It’s a tall order, and organizations will need to move quickly: Member States have until 17 October 2024 to transpose the NIS2 Directive into national law.

We went into more detail on the specifics of the directive in a previous blog post, as well as in our comprehensive reference guide.

Many companies are not yet prepared to comply with the requirements of this directive. They will need to move rapidly to upgrade their security postures before the national legislation that implements it takes effect. Organizations operating in the EU will need to analyze their supply chains comprehensively to determine where they stand and how ready they are. Those without the resources to analyze external vulnerabilities and third-party cyber risk will struggle to reach compliance in time.

What Are the New Requirements?

The NIS2 directive has four overarching areas of focus, each broken down further into specific requirements:

  • Risk management: Take measures to minimize cyber risk, including incident handling, stronger supply chain security, enhanced network security, better access control, and encryption.
  • Corporate accountability: Management bodies must approve and oversee the organization’s cybersecurity measures and receive training on them; managers who neglect this duty can be held personally liable, and the organization can be fined.
  • Reporting obligations: Establish processes for reporting incidents that significantly impact service provision or service recipients, with fixed notification deadlines. Under NIS2 these are an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
  • Business continuity: Plan to maintain business continuity during major cyber incidents, covering system recovery, emergency procedures, and the creation of crisis response teams.

Within the directive, there are 10 “minimum measures” that set a security baseline for all EEs and IEs. These are:

  1. Risk assessments and security policies for information systems.
  2. Policies and procedures for evaluating the effectiveness of security measures.
  3. Policies and procedures for the use of cryptography and, where appropriate, encryption.
  4. A plan for handling security incidents.
  5. Security in the procurement, development, and operation of systems, including policies for handling and disclosing vulnerabilities.
  6. Cybersecurity training and practices for basic cyber hygiene.
  7. Security procedures for employees with access to sensitive or important data, including data access policies. Affected organizations must also maintain an inventory of all relevant assets and ensure that they are properly used and handled.
  8. A plan for maintaining business operations during and after a security incident. This means backups must be kept up to date, and there must be a plan for preserving access to IT systems and their operating functions during and after an incident.
  9. The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured internal emergency communication, where appropriate.
  10. Supply chain security, including the security aspects of the relationship between the company and each direct supplier. Companies must choose security measures that fit the specific vulnerabilities of each direct supplier and then assess the overall security level across all suppliers.

Organizations that fail to comply with these requirements face significant fines. For EEs, fines can reach €10 million or 2% of the company’s total global annual turnover, whichever is higher. For IEs, the maximum is €7 million or 1.4% of global annual turnover, whichever is higher.

How Can Organizations Prepare for NIS2?

Businesses with significant operations in Europe must take steps to prepare for compliance ahead of the 17 October 2024 deadline for EU member states to enact national legislation. Key steps include:

  • Determining whether they fall under NIS2’s scope, and which business units are affected
  • Evaluating existing security measures, amending security policies, and planning for NIS2 compliance
  • Incorporating the new security measures and incident reporting obligations into supply chain relationships and contracts

The good news for many organizations: NIS2 requirements largely align with several existing compliance frameworks. For example, US-based companies that already follow the NIST Cybersecurity Framework (CSF) will find significant overlap with NIS2 requirements. Similarly, ISO/IEC 27001 covers each of the key areas of the NIS2 directive, so companies that have already mapped their controls to that standard will have much of the groundwork in place before NIS2 takes effect in national law. Note that a certification alone does not satisfy NIS2: the directive’s specific reporting deadlines and management accountability obligations must still be addressed explicitly.

BlueVoyant can help your organization prepare for NIS2 by performing a technical diagnostic that identifies any gaps and provides guidance on how to fulfill each of the requirements in the directive. Our team can then work with you to identify the Microsoft and BlueVoyant solutions that can help position your organization for NIS2 readiness.

For more details on NIS2 readiness, stay tuned for the forthcoming third blog in this series, which will focus more on NIS2 assessments and implementation of technology solutions.