NIS2 Overview: History, key contents and significance for top management

NIS2 (the Network and Information Systems Directive 2) is the EU's new regulatory framework for information security in important industries.

It sets a new bar for information security standards, extends the scope of the original NIS, introduces strict supervisory activities for compliance, and adds potential penalties for violations. The goal is to better safeguard Europe's information infrastructure.

It is especially important to note that NIS2 doesn't just set the standards for organizational cybersecurity; it holds top management accountable for reaching them. Negligence or insufficient engagement with these regulations could have significant legal repercussions. If your organization does not demonstrate due diligence in implementing robust cybersecurity measures consistent with NIS2 standards, top management may be held personally responsible for any resulting security failures.

An organization's top management should see a strategic opportunity to level up its cyber defense and vigilance - not just risks and to-do's. This post discusses NIS2 in general and why embracing it as a top management commitment can be the way to sustainability and success for your operation in the digital era.

NIS2 background

NIS2 directly affects organizations in important industries and their supply chains

The NIS2 directive, which succeeds the original NIS directive, is part of the European Union's ambitious plans to ensure a high common level of cybersecurity across member states. Initially proposed back in 2013, NIS sought to achieve a unified approach to cybersecurity. But as cyber threats became more complex and widespread, the need for a more robust framework became clear, leading to the introduction of NIS2. This upgraded directive targets a broader range of sectors, and it places heavier responsibilities on top management to ensure the implementation of higher cybersecurity standards, reflecting the significance of cybersecurity in the modern digital age.

Despite its well-intentioned beginnings, the original NIS directive struggled with several shortfalls that hindered its efficacy in achieving a unified approach to cybersecurity across the EU. Among these shortcomings were:

  • Insufficient scope: The original NIS directive only applied to a narrow range of sectors, leaving significant areas of the digital economy vulnerable to cyber threats.
  • Inactive enforcement: Enforcement of the directive was largely inconsistent, which resulted in equally inconsistent cybersecurity standards across different states.
  • Inadequate focus on top management: There was insufficient emphasis on the responsibilities of top management in ensuring cybersecurity, which led to a lack of ownership of cyber risks at a strategic level.
  • Lack of clarity: Many organizations found the vague definitions and unclear guidelines difficult to interpret, leading to inconsistencies in application.

All these shortcomings are addressed and "fixed" in NIS2. This also means that many things are now defined in detail in the directive itself, leaving member states less room to manoeuvre in their national legislation.

What are key NIS2 contents?

The NIS2 Directive doesn't list detailed security requirements for organizations, but it does list 13 main areas of information security for which organizations need to have documented procedures. These are the key NIS2 topics for regular organizations. Authorities can then request these procedures or examine their implementation, e.g. in a security audit.

NIS2's key contents: 13 security areas to document and implement

NIS2 requires organizations to have documented measures for:

  • Risk management and information system security: How your organization actively analyzes potential threats to identify, evaluate and treat security risks. This might include the use of risk assessment templates, identification of suitably competent risk assessors, and documentation of risk mitigation strategies.
  • Incident management and reporting: The operations your company has in place to identify, manage, and mitigate any potential security incidents that may be encountered. Communication plays a pivotal role here, as it's not just about detecting an issue, but also being able to promptly share the required information with the right teams to speed up the response time. NIS2 also necessitates reporting major incidents to the national supervisory authority.
  • Logging and detection: How your organization systematically captures, analyzes and addresses cybersecurity-related events. Your logs should not only register and document security incidents but should also provide enough detail to facilitate event correlation, anomaly detection, and incident investigation.
  • Business continuity and backups: How your organization intends to ensure that critical business operations can continue without interruption, even during adverse events. This might include developing comprehensive continuity plans, testing them regularly, and training your staff. Implementing and regularly testing robust backup processes is also a critical part of this area.
  • Supply chain security & monitoring: How your organization's procurement agreements and partner choices ensure an acceptable level of security. For instance, it's crucial to carefully assess the security measures provided by third-party service providers before entering any outsourcing deals. It's equally important to regularly monitor the security of your supply chains – and to ensure that your partners can report on their NIS2 measures.
  • Secure system acquisition and development: How your organization acquires, develops, and manages the security of systems, applications, and infrastructure throughout their lifecycle. Actions should include e.g. adoption of methodologies and architectures that minimize vulnerabilities and security risks, robust security testing, guidelines for secure coding, and practices for controlled changes.
  • Assessing effectiveness of security measures: How you monitor and test your organization's cyber defenses, as well as the improvements made to your information security. This can include auditing, following metrics, management reviews, or more technical approaches like vulnerability scanning or penetration testing. The key is to assess both the implementation of your security measures and their effectiveness in actually safeguarding your organization.
  • Cyber hygiene practices and training: How you implement effective cyber hygiene practices across all levels. This should include things like keeping devices safe, enforcing good password practices, and using e-mail securely to prevent phishing attacks. The point is to guide all employees to secure ways of working and thus create a culture of information security. Regular and comprehensive training sessions can help in ensuring all staff understand cyber risks and their role in mitigating them.
  • Encryption: How digital information, particularly sensitive data, is encrypted so that it cannot be read without the key, preventing unauthorized access. It's crucial to understand that encryption doesn't merely involve secure communication across various digital platforms, but also efficient management of the encryption keys.
  • Human resource security: How your organization ensures employees, contractors and third-party users understand and get committed to their responsibilities related to information security. It's integral that businesses develop robust recruitment processes, including background verification checks, to have a secure staff-base right from the start. A culture emphasizing the necessity of information security, proportionate monitoring and e.g. non-disclosure agreements can further safeguard an organization from internal threats.
  • Access control: These actions describe how your organization decides who will gain access to what information. This includes setting up protocols such as role-based access management and regular access reviews. Role-based access control can help ensure only necessary personnel have access to sensitive data, reducing the likelihood of accidental or deliberate data misuse.
  • Asset management: How your organization identifies and classifies its information assets. Important as it is, clarifying asset ownership and ensuring the owner is responsible for safeguarding that asset is part of this process. It's also vital to make certain that all crucial information assets are classified and protected appropriately.
  • Multi-factor authentication (MFA): How your organization adds layers of protection beyond standard password protocols. This extra confirmation aims to reduce the likelihood of network disruptions and unauthorized access. Methods used may include biometric verification, security tokens, or text messages in addition to regular password entry. Using MFA broadly also often requires educating employees in the related tools.

Specific requirements for incident reporting and supply chain security

NIS2 also sets additional requirements for incident management and supply chain management.

Incident reporting requirements from NIS2

Importantly, NIS2 acknowledges that incidents happen and will continue to do so. The directive’s purpose is not to apportion blame but to ensure transparency, maintain trustworthiness, and promote the sharing of information and best practices to boost overall security resilience.

Organizations are required to report any significant security incident that could jeopardize their operations or the data they hold to the authorities and to service users at 24h, 72h and 30 days after detecting the incident.

The first reports need to include basic information along with an assessment of the extent of the effects. The final notification needs to include a detailed description of what happened, along with a root cause analysis and the actions taken in response to the incident.

Supply chain monitoring requirements from NIS2

NIS2 puts it on you to ensure that your supply chain is not the weakest link in the larger cybersecurity matrix. It's no longer just about your immediate operations; your regulatory mandate extends to your third-party suppliers and service providers as well.

Organizations need to have a good understanding of their own supply chains, especially by answering questions like: who are the critical players in delivering our services, what kind of assurance do we have of their security level, and how are we monitoring their security and committing them to certain actions?

This also broadens the effect of NIS2 beyond the companies directly in its scope to their key suppliers.

NIS2 supervision in a nutshell

The original NIS had clear shortcomings when it comes to supervision. NIS2 tries to avoid this by defining clear minimum methods for supervision at the directive level, leaving national laws only the possibility of adding more.

National legislation implementing NIS2 will of course define which authorities supervise the implementation of NIS2 in each country, and whether supervision is, for example, split between different authorities by industry.

The directive defines the minimum methods for carrying out supervision as:

  • Requests for information
  • Requests for more detailed evidence
  • On-site or off-site checks
  • Detailed security audits

If non-compliance is observed, methods such as the following will be used:

  • Warnings
  • Binding instructions with deadlines
  • Fines (max. 10M€ or 2% of global annual turnover)

Why is NIS2 strategically significant for top management?

NIS2 brings top management to a key position in information security implementation

NIS2 is very clear in saying that the organization's top management can be held responsible for non-compliance with Article 21's security requirements. So according to NIS2, top management's role in information security is at least to:

  • Accept the security measures for the 13 listed themes - and confirm they're good enough to keep information security risks under control
  • Monitor and ensure the implementation of those security measures
  • Oversee supply chain security measures and incident reporting

To put it plainly, under NIS2, top management's responsibility is significantly more than just being informed about cybersecurity. It's about action and accountability - implementing the regulations, managing risks, and leading the charge in responding to cybersecurity incidents.

In addition to this, in good information security work top management usually participates at least by allocating resources, setting security objectives and demonstrating commitment to information security in general.

This all means top management's role comes with both a regulatory and ethical responsibility. NIS2 deems top management's active involvement and commitment crucial in achieving its goals.

How should you prepare your organization? 3 levels for action.

Light level: Document your procedures by cherry-picking suitable measures from best practices

One way you can approach NIS2 is to benchmark the most common best-practice standards (e.g. ISO 27001 or NIST CSF) and look there for more detailed controls on how to implement the 13 security areas.

You can approach this from the perspective of "what have we already done", at least partly, to get up to speed quickly.

The clear downside of this approach is that it often won't lead to any sustainable long-term development of your information security and will end up being a documentation exercise.

Medium level: Start building your ISMS (based on best practices)

Having an ISMS (information security management system) creates a systematic approach to information security by gathering everything related to information security into a single place, helping you understand your current security level and enabling thorough monitoring of security actions.

This way you can maintain compliance in the long run and reduce cybersecurity risks by continuously improving your security actions.

Strong level: Certify your ISMS against ISO 27001

Certifying your ISMS (e.g. against ISO 27001) means that an external, accredited auditor has gone through your ISMS and ensured that it complies with the requirements and controls of the selected framework.

This approach offers benefits like undeniable proof of a good security level, which you can utilize not only for NIS2 supervision efforts, but also for any kind of sales or collaboration efforts involving information security perspectives.

Conclusion

As we conclude, it's good to understand that the NIS2 directive forms part of the larger digital transformation in the European Union. It demands clarity from organizations - documenting how they have implemented different aspects of information security, and standing behind those choices. It also commits top management to information security at a totally new level.

The directive's broad security measures and incident reporting requirements underscore a priority shift towards improved transparency, accountability and overall resilience against cyber threats. While implementing NIS2 undoubtedly entails substantial commitment, the benefits far outweigh the expenses.

Establishing an Information Security Management System (ISMS), whether you're grounding it on other best practices or aiming for ISO 27001 certification, is a battle-tested way to success. Yet, remember that it's a journey, not a race. Adopting a phased strategy that fits your organization's context, capacity, and capabilities will offer sustainable results and contribute to your long-term digital integrity.
