New EU Cybersecurity Measures Take Effect: NIS2 Directive and CER Directive Raise the Bar for Information Security Standards

The Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (the “CER Directive”) entered into force on January 16, 2023, bringing a new set of cybersecurity rules for organisations operating within the European Union. This post provides an overview of the key changes introduced by the directives and explains what organisations must do to comply with the new requirements.

Expanding the Scope of NIS2 Directive

One of the most significant changes is replacing the term “operators of essential services” with the concept of “essential entities.” The NIS2 Directive now includes a broader range of organisations and businesses under this category. The NIS2 Directive applies to organisations that operate critical services for maintaining essential societal and/or economic activities. This includes, but is not limited to, energy, transportation, banking, finance, health, water supply and distribution, and digital infrastructure.

However, the NIS2 Directive has expanded to include many organisations not previously subject to the NIS Directive. For example, organisations in the pharmaceutical industry that supply critical medical products, including vaccines and medicines, are now subject to the rules. The Directive also applies to hydrogen production, storage, transmission operators, and digital providers such as online marketplaces, search engines, and cloud computing services.

The NIS2 Directive imposes specific security and notification obligations on essential entities, including implementing appropriate and proportionate technical and organisational measures to manage cybersecurity risks, reporting significant incidents, and ensuring that they have an incident response plan.

Strengthened Obligations under NIS2 Directive

Under the NIS2 Directive, essential entities must implement technical, operational, and organisational measures to manage the risks posed to the security of their network and information systems and to prevent or minimise the impact of incidents. This includes implementing appropriate measures for incident handling, business continuity, encryption, and secure authentication, and regularly training employees on cybersecurity best practices.

Incident Handling: Essential entities must implement appropriate measures for incident handling, including detection, analysis, and response to security incidents. They must also develop and regularly test their incident response plans to ensure they are effective and up-to-date.

Business Continuity: Essential entities must ensure the continuity of their essential services during a security incident. They must develop and implement business continuity plans that include appropriate measures to ensure they can continue providing their services during an incident.

Encryption: Essential entities must implement encryption measures to protect the confidentiality and integrity of their network and information systems. They must use encryption when transmitting or storing sensitive information.

Secure Authentication: Essential entities must implement secure authentication measures to ensure only authorised personnel can access their network and information systems. They must use strong passwords and two-factor authentication to protect against unauthorised access.

Training: Essential entities must regularly train employees on cybersecurity best practices. This includes educating employees on identifying and responding to security incidents and ensuring they understand their roles and responsibilities in maintaining the security of the organisation’s network and information systems.

Reporting Incidents (obligations under NIS2 Directive)

Under the NIS2 Directive, essential and important entities must report any incidents that could significantly impact the security of their network and information systems. The Directive requires that incidents be reported to the national computer security incident response teams (CSIRT) or the competent authority without delay. This reporting obligation is essential to ensure that relevant authorities can take appropriate action to manage the risks and prevent further damage.

The NIS2 Directive requires essential and important entities to submit several reports, including an early warning report, an incident notification report, an intermediate report, and a final report. These reports must be submitted to the relevant authority without undue delay.

Early Warning Report: Essential and important entities must submit an early warning report to the competent authority when they become aware of a significant change in the security of their network and information systems. This report must provide an overview of the incident and any actions taken to address the issue.

Incident Notification Report: Essential and important entities must submit an incident notification report to the competent authority without undue delay once they become aware of a security incident that significantly impacts the continuity of their essential services. The report must provide detailed information on the incident, including its cause, the scope of the incident, and the potential impact on the continuity of essential services.

Intermediate Report: Essential and important entities must submit an intermediate report to the competent authority when there is a significant change in the situation or when the incident is resolved. The report must provide an update on the status of the incident and any actions taken to address the issue.

Final Report: Essential and important entities must submit a final report to the competent authority within three months of the resolution of the incident. The report must provide a comprehensive overview of the incident, including the cause, scope, and impact, as well as any lessons learned and recommendations for future incident management.

In certain situations, essential and important entities must also notify recipients of their services of any incidents that could significantly impact the provision of those services. This notification must be provided without delay and include information on the incident, its potential impact, and any actions taken to address it.

Enforcement Powers under NIS2 Directive

The NIS2 Directive aims to improve the EU’s cybersecurity preparedness and response by strengthening the security of network and information systems across all sectors. One significant aspect of the Directive is its reinforcement of enforcement and investigation powers for competent authorities.

Competent authorities have been given a robust set of enforcement and investigation powers under the NIS2 Directive to ensure that essential entities comply with the obligations set out in the Directive. These powers include:

Conducting Raids: Competent authorities can conduct on-site inspections or raids to investigate potential breaches of the NIS2 Directive. During a raid, the authority may seize and preserve evidence of the breach.

Ordering the Suspension or Limitation of Services: Competent authorities have the power to order essential entities to suspend or limit their services in cases where there is an imminent and significant threat to the security of networks and information systems. The suspension or limitation of services may be ordered for a specific period.

Imposing Administrative Fines: Competent authorities can impose administrative fines on essential entities for non-compliance with the obligations set out in the NIS2 Directive. The fine amount will depend on the breach’s severity and the organisation’s size.

Other Powers: Competent authorities may also require essential entities to provide additional information, such as access to systems, data, and facilities, to investigate potential breaches of the NIS2 Directive.

Critical Entities (CER Directive)

The CER Directive is a European Union (EU) directive that replaces the European Critical Infrastructure (ECI) Directive and introduces stronger rules for the cyber and physical resilience of critical entities and networks. The CER Directive ensures that critical entities have adequate measures in place to withstand cyber and physical attacks, including risk management, incident handling, business continuity, and training.

Critical entities are defined as organisations that provide essential services or that are part of critical infrastructure. These entities include, but are not limited to, energy providers, water suppliers, transport operators, digital service providers, and public administrations. The CER Directive applies to critical entities in all sectors.

The CER Directive requires critical entities to assess and manage their cyber and physical risks and to implement measures to ensure their resilience against potential threats. This includes implementing appropriate technical and organisational measures to prevent, detect, respond to, and recover from incidents that could affect their services or infrastructure.

Risk Management: Critical entities must assess and manage their cyber and physical risks to identify potential threats and vulnerabilities. They must implement appropriate risk management measures to minimise the likelihood and impact of incidents.

Incident Handling: Critical entities must have appropriate measures for incident handling, including detection, analysis, and response to security incidents. They must also develop and regularly test their incident response plans to ensure they are effective and up-to-date.

Business Continuity: Critical entities must ensure the continuity of their essential services during a security incident or disruption. They must develop and implement business continuity plans that include appropriate measures to ensure they can continue providing their services during an incident.

Training: Critical entities must regularly train employees on cybersecurity best practices. This includes educating employees on identifying and responding to security incidents and ensuring they understand their roles and responsibilities in maintaining the security of the organisation’s network and information systems.

The CER Directive also requires critical entities to notify the competent authority of any incidents that could significantly impact their essential services or infrastructure provision. This notification must be provided without delay and include information on the incident, its potential impact, and any actions taken to address it.

Compliance Checklist

The NIS2 and CER Directives are critical steps in strengthening cybersecurity and resilience in the European Union (EU). Organisations operating in the EU must comply with the new requirements and ensure adequate measures are in place to manage the risks posed to their network and information systems. Organisations should follow the compliance checklist outlined below to ensure compliance with the directives.

Conduct a Risk Assessment: Organisations should conduct a risk assessment to identify potential threats and vulnerabilities to their network and information systems. This assessment should be conducted regularly to ensure it remains up-to-date and relevant to the organisation’s operations.

Implement Appropriate Security Measures: Based on the results of the risk assessment, organisations should implement appropriate technical and organisational measures to prevent, detect, respond to, and recover from incidents that could affect their services or infrastructure. These measures may include firewalls, encryption, access controls, and incident response plans.

Develop Incident Response Plans: Organisations should develop and test their incident response plans to ensure they are effective and up-to-date. Incident response plans should include measures for incident detection, analysis, containment, and recovery.

Train Employees: Organisations should regularly train employees on cybersecurity best practices. This includes educating employees on identifying and responding to security incidents and ensuring they understand their roles and responsibilities in maintaining the security of the organisation’s network and information systems.

Appoint a Person Responsible for Compliance: Organisations should appoint a person responsible for compliance with the NIS2 and CER Directives. This person should have the necessary knowledge and resources to ensure that the organisation complies with the directives.

In conclusion, the NIS2 and CER Directives are essential steps in strengthening cybersecurity and resilience in the EU. Organisations operating in the EU must comply with the new requirements and ensure adequate measures are in place to manage the risks posed to their network and information systems. By following the compliance checklist outlined above, organisations can better protect themselves against cyber threats and avoid potential penalties for non-compliance. Stay up-to-date with the latest developments and compliance requirements of the NIS2 and CER Directives by signing up for our newsletter today.