
Complying with NIS 2 Directive and DORA – are you prepared?


Over the next 12 months, organisations based in the European Union (EU), or doing business there, will need to take significant steps to increase their cyber resilience. The EU's aim of collectively raising the resilience of organisations that are critical to the delivery of services to its citizens has produced legislation at EU level that flows down to Member States and, through them, to the organisations operating within their borders.

Directive (EU) 2022/2555, the second Network and Information Systems Directive, more commonly known as the 'NIS 2 Directive', must be transposed into Member States' national law by 17 October 2024. Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, known as 'DORA', is directly applicable and will apply from 17 January 2025.

Your organisation should prepare as well as it can, given the information available right now and the requirements that can be anticipated over the coming 12 months. We explore what this means for your organisation's mechanisms for detecting, responding to, reporting and recovering from cyber incidents. More specifically, this guide highlights:

  • The new obligations placed on organisations and EU Member States, such as incident reporting, staff training and third-party risk management.

  • The wider range of sectors and entities brought into scope.

  • The transposition of the EU-wide Directive into national law, and the consequences of failing to comply.

  • The application of the DORA Regulation to the financial sector and to the ICT service providers that support it.

What’s changing? 

Does the NIS 2 Directive affect your organisation? 

The NIS 2 Directive places much of its weight on the responsibilities that Member States must implement in their national cybersecurity strategies and processes. It also fosters EU-wide collaboration on incident response through the network of national CSIRTs and the European cyber crisis liaison organisation network (EU-CyCLONe) for coordinating the handling of large-scale incidents.

NIS 2 expands the sectors that were in scope under the original NIS Directive of 2016 (Directive (EU) 2016/1148). Annex I lists eleven "Sectors of High Criticality", which include those already covered by the original NIS Directive, such as energy, transport, banking, financial market infrastructure and health, and now add waste water, public administration and space, among others. Annex II adds seven "Other Critical Sectors", such as postal and courier services and manufacturing. Whether an organisation in one of these sectors is classed as an "essential" or an "important" entity depends on its size (large entities in Annex I sectors are generally essential, other in-scope entities important; see Article 3) and on the impact that a disruption of its services would have on public safety, security or health.

Risk-management measures 

Article 21 of the NIS 2 Directive lists ten areas that essential and important entities must address in their cybersecurity risk-management measures. These include policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, basic cyber hygiene and cybersecurity training, the use of cryptography, access control and asset management, and the use of multi-factor authentication (MFA) and secured communications.

We expect that most organisations are already seeking to bolster their security in these ten areas and will look to Member States, and to the implementing acts that set out the technical and methodological requirements, for guidance on what is expected.

Reporting 

The NIS 2 Directive stipulates that (1) an "early warning" of a significant incident must be submitted to the appropriate CSIRT or competent authority within 24 hours of becoming aware of it, (2) an incident notification that includes an initial assessment of severity and impact must follow within 72 hours, and (3) a final report, including a root cause analysis, must be submitted no later than one month after the incident notification. The CSIRT or competent authority may also request intermediate status updates in the meantime. See Article 23 of the NIS 2 Directive for further information.

Penalties & fines 

The NIS 2 Directive requires Member States to provide for administrative fines of up to at least EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to at least EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher, for important entities. See Article 34 of the NIS 2 Directive for further information.

Accountability 

Article 32 of the NIS 2 Directive (with Article 33 covering important entities) shows why an entity must take ownership of its decisions and behaviour around cybersecurity risk reduction. The Article gives the competent authorities of Member States the power to temporarily suspend a certification or authorisation that would otherwise permit an essential entity to offer a service or conduct an activity. Further, competent authorities can temporarily prohibit a natural person with managerial responsibilities at CEO or legal representative level from exercising managerial functions in that entity. Embedded in the Directive is a requirement for organisations to accept on-site inspections and regular or targeted security audits, and to provide evidence of the implementation of their cybersecurity policies when requested. As a further incentive for good practice, authorities can order an affected organisation to make aspects of its infringements of the Directive public.

Third-party risk 

Many organisations now understand the risk presented by relationships within their supply chains. The NIS 2 Directive puts the focus firmly on supply chain security: coordinated risk assessments of critical ICT product and service supply chains may be carried out at EU level (Article 22), and the relationship between an entity and its direct suppliers or service providers, including the quality of their security practices, is expected to be assessed as part of the entity's own risk management. The Directive also provides for information-sharing arrangements between communities of entities and their suppliers and service providers, supported by ENISA (Article 29). The information exchanged can include threat intelligence, indicators of compromise (IOCs), threat actor tactics and recommendations on tool configuration, raising the resilience of whole industries across their supply chains and geographies.

Specificity 

Article 35 of NIS 2 explains that if an infringement of the Directive entails a personal data breach (personal data being information relating to an identified or identifiable natural person), the competent authorities must inform the data protection supervisory authorities in line with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). This shows (a) the relationship between the NIS 2 Directive and the GDPR and (b) the importance of protecting personal data. You may already have processes in place to protect personal data; now is the time to dig deeper and evaluate where NIS 2 may offer additional opportunities to enhance your security posture.

NIS 2 also explains (see Article 4) how sector-specific Union legal acts are to be taken into account when applying NIS 2. One such sector-specific act is DORA, which applies to financial entities and to the ICT third-party service providers that support them. Where DORA's requirements on ICT risk management, incident management and reporting, digital operational resilience testing, information sharing and ICT third-party risk are at least equivalent in effect, those DORA provisions apply to financial entities instead of the corresponding provisions of NIS 2.

When do you need to be ready? 

The NIS 2 Directive was published in the Official Journal of the European Union in December 2022. Member States are required to adopt and publish the measures necessary to comply with it by 17 October 2024 and to apply those measures from 18 October 2024. Note that the obligations on your organisation will be set out in the national transposing law, which may go beyond the Directive's minimum requirements.

If your organisation is in scope of DORA you will already know that the Regulation was also published in the Official Journal of the European Union in December 2022 and, being a Regulation, applies directly in all Member States from 17 January 2025 without national transposition.

What can you do right now? 

It can be challenging to determine whether an organisation has done enough to comply with measures that have not yet been finalised in national law. The ethos and emphasis of the Directive are clear, however: you should be working now to understand your current capabilities and gaps, and exploring what could be done to improve your cyber resilience and security posture.

The Proofpoint team is here to help you improve your cyber resilience by strengthening incident prevention, detection and response. We can help you gain visibility into attacks by external cybercriminals, by internal employees (insider threats) and by threats originating within your supply chain, and we can help you train your staff to raise their level of security awareness.

For more information, or to discuss your requirements, reach out to your Account Manager or Channel Partner, or, if you are new to Proofpoint, get in touch with us.


References 

NIS 2 Directive: https://eur-lex.europa.eu/eli/dir/2022/2555/oj 

DORA: https://eur-lex.europa.eu/eli/reg/2022/2554/oj 

GDPR: https://eur-lex.europa.eu/eli/reg/2016/679/oj