EU Tightens Cybersecurity Requirements for Critical Infrastructure and Services

The European Union's NIS2 Directive 2022/2555 is legislation aimed at improving the security and resilience of network and information systems across the EU. Although the legislation is already in effect, EU members have until October 2024 to transpose the directive into national law. Each organization encompassed by the directive will be legally obligated to live up to its requirements in less than a year's time. With the deadline coming up so soon, organizations must prepare themselves now to embrace these changes.

What Is NIS2?

In 2016 the EU introduced the Network and Information Security (NIS) Directive, which defined strict cybersecurity requirements for so-called essential (or critical infrastructure) companies. The aim was to strengthen security requirements by imposing a risk management approach, outlining core cybersecurity measures that organizations are expected to follow. NIS2 further extends this directive by designating more companies as essential and imposing stricter security obligations on entities that operate across these sectors.

Who Does NIS2 Apply To?

NIS2 applies to any organization that operates within the EU and provides what's considered to be essential services — a service whose disruption can lead to grave consequences for the country or society. Essential services include energy suppliers, drinking water and wastewater treatment, banks and financial market infrastructures, healthcare institutions, digital infrastructure, Internet service providers, public administration, transport, and factories that produce food or major household items. The legislation is believed to affect 160,000 companies across Europe, including organizations based outside of the EU that offer critical or essential services within the EU.

Who Is Exempted From NIS2?

Small companies are not required to adopt the NIS2 yet. The legislation applies only to organizations that have an annual turnover of €10 million (US $10.85 million) or more, with 250 or more employees. NIS2 classifies certain businesses as operating in "important" categories, which are expected to follow the same security protocols as essential entities. The key difference is that essential businesses fall under proactive supervision, while important businesses will be monitored only after a noncompliance incident is reported.

What Are the Key NIS2 Requirements?

Essential and important entities need to address four principal areas to protect critical assets and demonstrate compliance with the directive.

1. Training and awareness (Article 20): Organizations are liable for ensuring that employees "gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."

2. Cybersecurity Risk Management Measures (Article 21): Organizations are required to implement appropriate and proportionate technical, operational, and organizational safeguards to manage and mitigate risks on network and information systems. NIS2 recommends that organizations take an "all-hazards" approach and be prepared for a full spectrum of incidents and emergencies, both from cyber and physical sources, as spelled out in the documentation.

3. Reporting Obligations (Article 23): In case of a security incident, organizations are required to notify CSIRT or another reporting authority within 24 hours of the awareness of an incident or a suspected incident caused by unlawful or malicious acts or that could have cross-border impact. Within 72 hours of the incident, organizations must submit an initial assessment of the incident, including severity, impact, and indicators of compromise. Within a month of the incident, a final report must be submitted that outlines the root causes, the overall impact of the incident, and mitigation measures implemented. The legislation authorizes the reporting agency to request intermediate reports or relevant status updates whenever it deems necessary during the investigation period. Organizations are also required to inform affected customers (or users) and to provide remedies in response to the threat.

4. Use of EU Certification Schemes (Article 24): To demonstrate compliance with requirements in Article 21, member states may require organizations to employ or deploy specific information and communication technology products, services, and processes that are certified under European cybersecurity certification schemes.

Getting Started With NIS2 Compliance

NIS2 noncompliance can cost organizations dearly. Essential entities can be fined up to €10 million or 2% of their annual global revenue. Important entities are liable up to €7 million or 1.4% of their annual global revenue. If your organization falls within the scope of NIS2, then it is highly recommended that you begin with a NIS2 readiness assessment that can help identify your current state of cybersecurity, as well as the measures to take to successfully meet NIS2 requirements. Nonprofits such as the Information Security Forum and many vendors provide readiness assessment services.

Once the assessment is complete, your organization can formulate a prioritized road map to develop the mandatory protections, processes, and protocols required to demonstrate compliance with the legislation.