Cybersecurity hasn’t always been a major focus for organizations and regulatory bodies. But unlike in decades past, the security risk that attacks and breaches present to society at large is now impossible to ignore. These cyber threats target the information systems that underpin critical infrastructure.

The wrong kinds of threats pose an existential risk to entire industries, infrastructures, service provider information systems, and many other important entities. In some cases, actual lives are endangered. 

As a result, numerous governmental bodies and organizations are either implementing new security regulations for their information systems or updating existing cybersecurity risk management requirements in an effort to get ahead of potential incidents. In the US, the NIST Cybersecurity Framework represents one facet of those efforts. In the European Union, the leading protective measure is the NIS Directive, which is soon to be replaced by NIS2.

This article provides an overview of NIS and NIS2, which organizations need to adhere to them, and what to expect from the compliance requirements.


What Is NIS2?

The European Union has had broad-scope cybersecurity measures outlined in a policy that's been in place since 2016. This policy, known as the NIS (Network and Information Security) Directive, required “essential services” to adhere to a set of security guidelines or face penalties. During the height of the COVID-19 pandemic, however, the sharp increase in cyber threats made clear that additional security measures were necessary moving forward. 

The NIS2 Directive update was designed to compensate for the shortcomings and gaps in the previous version of the directive. With a broader scope, stricter regulations, and harsher penalties for violations, the EU intends to use the NIS2 to protect the general public and the critical entities and systems they depend on in their daily lives.


What Does the NIS2 Directive Entail?

First and foremost, the updated directive has three main goals: 

  • Increase security posture and preparedness among all applicable organizations
  • Facilitate cooperation and joint efforts across the EU in both prevention and response
  • Promote a culture of security and data privacy in every essential industry in the Union

It pursues these goals by creating and updating cybersecurity requirements and regulations in four areas:

Finally, the directive requires organizations to “implement baseline security measures” to guard against the greatest and most pervasive threats. These “Minimum Measures” focus on ten core topics:

  • Risk Assessments
  • Cryptography
  • Procurement, development, and operation of systems
  • Sensitive data protection and access management
  • Multi-factor authentication
  • Measuring the effectiveness of security efforts
  • Security incident response and handling
  • Cybersecurity training and computer hygiene
  • Right of boom response and operations continuity
  • Supply chain and vendor security

Like most frameworks and regulatory systems found in other locations or industries, the NIS2 directive is expansive (and more than can be comprehensively covered here). Rest assured, it represents a major step up in security requirements for affected organizations.


Who Does the NIS2 Apply to?

Speaking of which, NIS2 also expands the number of verticals that have to adhere to the regulations. Whether the new directive applies to your organization depends on three factors: geographic location, services provided, and entity size.


Is the NIS2 Exclusive to Businesses in the European Union?

While NIS2 is EU legislation, and ostensibly applies only to organizations or entities based within those geographic boundaries, that’s not all it covers. An overseas business may be considered an essential service provider to portions of the Union’s economy or population, and such an entity would be covered by the directive.

Similarly, suppliers and vendors that fill critical roles in the supply chain also fall into a middle ground where the NIS2 can be enforced on behalf of the EU at large. In other words, organizations that interact in meaningful ways with European markets should pay attention to the NIS2 Directive and the upcoming changes to cybersecurity obligations it brings.


What Industries Are Affected?

In the original NIS Directive, the regulations and penalties applied to services provided by “Essential Entities” (EE), including:

  • Energy
  • Transport
  • Finance
  • Public Administration
  • Health
  • Space
  • Water Supply (both drinking and wastewater)
  • Digital infrastructure

NIS2 expands the scope to include “Important Entities” (IE), including:

  • Postal Services
  • Waste management
  • Chemicals
  • Research
  • Foods
  • Manufacturing
  • Digital Providers


Are Any Organizations Exempt?

Finally, the directive typically applies only to regulated entities above size thresholds based on headcount, annual turnover, and balance sheet figures. The thresholds for EEs are higher than for IEs, but organizations in EE sectors that meet only the IE size requirements are still subject to the directive under the IE regulations.

What’s more, the size thresholds vary by industry, and some smaller providers may still have to comply with the directive if they serve as a critical link in the chain of infrastructure (such as a sole energy provider in a location with a smaller population).


Simplifying Security Compliance with RiskRecon

Regulations like NIS2 can be complex and difficult to navigate, but the fact that they make the work harder doesn’t mean they aren’t helpful. Like safety standards, these cybersecurity requirements and regulations are designed with best practices in mind and are intended to increase data protection for both organizations and the communities or markets they serve.

Even societal goodwill aside, the increased penalties for violations make compliance a smart business decision at the very least.

RiskRecon by Mastercard is here to help. By providing you with reliable and actionable insight into your security posture, and the posture of your third-party partners, you can more easily assess and manage the risks involved with doing business, wherever that business happens to be. Beyond that, RiskRecon can help you prioritize security efforts, ongoing system monitoring, incident response, and more. 

Start a 30-day free trial today, and get the intel you need to win your battles in Information Security and be better prepared for any cybersecurity incident.