The European legislative landscape concerning cybersecurity measures is rapidly expanding. By implementing these legislative measures, European authorities aim to address the growing cybersecurity challenges and seek to ensure a higher level of protection across different sectors. The interconnectedness of these legislative acts creates a comprehensive but also complex framework that reinforces cybersecurity.
These measures emphasize the need for robust security practices and technologies. They target medium and large companies and oblige them to implement cybersecurity measures to safeguard their operations and services and to protect sensitive data. The overarching goal of these efforts is to establish a harmonized and robust cybersecurity ecosystem within the European Union. By setting common standards and promoting best practices, they aim to enhance the overall security posture and resilience of European entities operating in both the public and private sectors.
As the legislative framework continues to evolve, it becomes increasingly essential for organizations to stay updated and compliant with these cybersecurity measures.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act that becomes immediately applicable once it is published. It directly overrules national laws and is enforceable without the need for further action. A well-known example of a regulation is the General Data Protection Regulation (GDPR), which sets comprehensive data protection rules across the European Union. Remember the R in GDPR: R for Regulation.
On the other hand, a directive sets out general objectives that member states need to achieve within a specified timeframe. It allows flexibility for each country to determine how to implement those objectives into their national legislation. Member states have the freedom to add their own specific requirements or adapt the directive to suit their local needs. This can include additional security constraints or measures for specific products, services, or types of companies. Member states typically have around two years to transpose a directive into their national laws.
In summary, regulations are directly applicable and overrule national laws, while directives set objectives that require national implementation, allowing some flexibility for member states to adapt them.
NIS 1: a little bit of history
The NIS 1 (Network and Information Systems) Directive, officially referred to as EU 2016/1148, is one of the most significant legislative acts in EU cybersecurity. It was introduced in 2016 and required member countries to transpose it into their national laws within a two-year period.
The primary objective of the NIS Directive was to enhance cybersecurity for operators of essential services, with a focus on the services deemed critical. The focus is on securing their service operations and avoiding incidents that could have a significant impact.
NIS Directive (NIS 1) remains valid until October 2024. The directive has been transposed into the national laws of EU member states, and it continues to be an essential piece of legislation for operators of essential services.
NIS 2 Directive
The NIS 2 Directive, officially known as Directive (EU) 2022/2555, was published in the Official Journal of the European Union. This directive aims to establish measures for achieving a high common level of cybersecurity across the Union. It amends Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, while also repealing Directive (EU) 2016/1148 (NIS 1 Directive).
Following the challenges faced with the NIS 1 Directive, the European Commission recognized the need for an evolution in the existing legislation, leading to the introduction of the NIS 2 Directive.
The primary objectives of the NIS 2 Directive remain aligned with its predecessor. Firstly, it aims to ensure that national governments prioritize cybersecurity and allocate the necessary attention to address potential cyber threats.
Secondly, it seeks to strengthen cooperation among cybersecurity authorities across European countries.
Lastly, it mandates main operators in key industries to implement security measures and report any cybersecurity incidents they encounter.
Security requirements have been substantially strengthened and clarified, providing clearer boundaries and guidelines compared to the NIS Directive.
While some countries might implement more cybersecurity requirements and interpretations may still vary, the baseline is set.
In addition, NIS 2 expands the scope by including additional sectors and subsectors. The rules for identifying those companies or entities subject to the directive have also evolved, with an emphasis on harmonization and simplification, although the level of simplification may vary.
Incident notification guidelines and thresholds are a notable improvement. The directive provides clearer guidelines on when an entity should notify incidents and defines specific timeframes for notification. This aims to minimize discussions and ambiguities during the reporting process.
Member States are required to adopt and publish the necessary measures to comply with the NIS 2 Directive by 17 October 2024. These measures must be implemented starting from 18 October 2024, and Directive (EU) 2016/1148 (the NIS Directive) will be repealed on the same date.
By 17 October 2024, the Commission must adopt implementing acts that define the technical and methodological requirements of the measures applicable to various service providers, including DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines, social networking service platforms, and trust service providers.
Important vs essential entities
NIS 2 introduces the concept of important and essential entities. NIS 1 had the notion of operators of essential services but no clear identification mechanism; each member state came up with its own designation criteria.
Essential entities are large companies that are part of the sectors of high criticality listed in Annex I of the Directive. A large entity is defined as a company with at least 250 employees OR with an annual turnover of at least 50 million euros or an annual balance sheet total of at least 43 million euros.
Important entities are medium-sized enterprises operating in the sectors of high criticality of Annex I of the Directive, OR large or medium-sized enterprises in the sectors of Annex II of the Directive that do not fall into the essential entity category. A medium-sized enterprise is defined as one with at least 50 employees OR with an annual turnover (or balance sheet total) of at least 10 million euros, but with fewer than 250 employees AND no more than 50 million euros annual turnover or 43 million euros balance sheet total.
This is a complex system, but at least a harmonised system is in place. Remember that this contains only the rules of European minimum harmonisation; countries can add additional economic operators.
Barring exceptions, there is no longer active identification in NIS 2. An entity operating in the sectors listed above is in scope if it is a large or medium-sized enterprise.
Key obligations under the NIS 2 Directive
1. Governance (Article 20):
The management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for any infringements.
2. Training (Article 20):
Member States must ensure that the members of the management bodies of essential and important entities receive training. Essential and important entities are encouraged to provide regular training to their employees, enabling them to identify risks, assess cybersecurity risk-management practices, and understand their impact on the services provided.
Management also has a responsibility towards the entire team: they should offer regular cybersecurity training to all employees, making sure everyone stays informed and equipped to tackle ever-evolving cyber threats. To ensure that they understand the measures they are adopting, members of the governing bodies of essential and important entities should themselves follow cybersecurity training.
Managers must acquire sufficient knowledge and skills to identify risks to their organization and to assess cybersecurity measures and their impact on their organization. They carry a professional liability and could face fines if things go wrong, as they will be held accountable for any non-compliance; the penalties might even affect their right to exercise their duties. That is why it is crucial for them to stay updated and follow cybersecurity training.
3. Cybersecurity Risk-Management Measures (Article 21):
Essential and important entities must adopt appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of their network and information systems. These measures should prevent or minimize the impact of incidents on service recipients and other services. The measures should be based on an all-hazards approach, considering relevant standards, the cost of implementation, the entity's exposure to risks, size, and the likelihood and severity of incidents.
Essential and important entities falling under the scope must adopt appropriate and proportionate measures to effectively manage risks to the security of their network and information systems. These measures aim to prevent significant incidents and mitigate their impact.
The measures for essential entities may be more stringent and complemented by additional requirements compared with those for important entities; however, the directive defines at a minimum the following required measures:
- Conducting risk analysis and establishing information systems security policies.
- Implementing incident handling procedures to swiftly respond to and manage any security incidents.
- Ensuring business continuity through activities such as robust backup management, disaster recovery planning, and crisis management.
- Securing the supply chain by addressing security-related aspects in relationships with suppliers and service providers throughout the lifecycle of network and information systems, including vulnerability handling and disclosure.
- Establishing policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Promoting basic cyber hygiene practices and providing cybersecurity training to enhance awareness and preparedness.
- Formulating policies and procedures concerning the use of cryptography and encryption, as appropriate.
- Addressing human resources security, implementing access control policies, and effectively managing assets.
- Utilizing multi-factor authentication, secure voice, video, and text communications, as well as secured emergency communication systems within the entity, when relevant.
4. Incident reporting
Essential and important entities must report any significant incidents without delay to the competent authorities, also called CSIRTs in NIS 2 (Computer Security Incident Response Teams).
Significant incidents are defined by their (potential) impact on the provision of critical services, in terms of the availability, authenticity, integrity, and confidentiality of data processing in the broad sense (store, process, transmit):
1° The incident has caused or is capable of causing serious operational disruption to services or financial losses to the entity concerned.
2° The incident has affected or is capable of affecting other natural or legal persons (other companies) by causing considerable material or non-material damage.
So an incident that would lead to a serious disruption, even if it has not materialized yet, is a sufficient basis for reporting. When notifying incidents, there are several important steps to follow:
Early Warning: As soon as the company becomes aware of an incident, it should issue an initial notification within 24 hours. This notification should contain minimal information but should include whether the incident could potentially affect other sectors or even reach abroad. This should also mention if there's any suspicion of malicious intent.
Complete Incident Report: Within 72 hours of learning about the incident, we need to provide a comprehensive incident report. This report should cover all the necessary details and give a clear picture of what happened. Note that this 72-hour window mirrors the GDPR notification obligations.
Interim or Progress Reports: If requested by the national CSIRT, the entity may need to provide interim or progress reports to update them on the situation.
These reports help in keeping everyone informed and maintaining transparency.
Final Report: Once the incident is resolved, the company should submit a final report. If the incident extends beyond one month, we should provide an interim report after the first month and a final report when everything is finally resolved.
Moreover, it's important to promptly inform the customers about any significant incidents that could potentially impact their services.
For more detailed information about reporting requirements, you can refer to Articles 23 and 30 of the Directive, among others.
Supervision and penalties
Supervision of essential entities will be more stringent and more actively enforced than for important entities.
To drive those entities towards adopting appropriate measures, competent national authorities will have the power to take action, ranging from issuing warnings to issuing binding instructions to rectify any shortcomings. Alongside these administrative measures, the supervisory authorities may impose administrative fines that are effective, proportionate, and dissuasive.
Important entities will be subject to a more reactive type of supervision by the national authorities.
Violations of risk-management measures or incident-reporting obligations can be penalized:
For essential entities: administrative fines of up to €10,000,000 or 2% of the total annual worldwide turnover.
For important entities: administrative fines of up to €7,000,000 or 1.4% of the total annual worldwide turnover.
For the public sector, the transposing legislation may provide that the administrative fines do not apply to public administration entities. However, the other administrative sanctions will apply.
To enforce compliance with the obligations in this Directive at senior-management level, natural persons representing essential entities may be held liable for failure to comply.
Roles and responsibilities
The NIS Cooperation Group
The NIS Cooperation Group is a group that supports and facilitates the strategic cooperation and the exchange of information among EU Member States. Its overall mission is to achieve a high common level of security for network and information systems in the European Union. The meetings of the NIS Cooperation Group are chaired by the Member State holding the Presidency of the Council of the EU. The European Commission serves as the secretariat of the Group and prepares these meetings.
The Cooperation Group, with the assistance of the Commission, ENISA, and the CSIRTs network, is responsible for establishing the methodology and organizational aspects of peer reviews by 17 January 2025. These peer reviews aim to facilitate shared experiences, strengthen mutual trust, achieve a high common level of cybersecurity, and enhance Member States' cybersecurity capabilities and policies. Participation in peer reviews is voluntary, and the reviews will be conducted by cybersecurity experts designated by at least two different Member States.
EU-CyCLONe is a cooperation network for the national authorities of EU Member States in charge of cyber crisis management. It aims at enabling rapid cyber crisis management coordination in case of a large-scale cross-border cyber incident or crisis in the EU by providing timely information sharing and situational awareness amongst competent authorities. It is supported by ENISA, which provides the secretariat and tools.
EU-CyCLONe is tasked with submitting a report assessing its work to the European Parliament and the Council by 17 July 2024, and every 18 months thereafter.
Member States must establish a list of essential and important entities, as well as entities providing domain name registration services, by 17 April 2025. This list should be regularly reviewed and updated at least every two years thereafter. The competent authorities must notify the Commission and the Cooperation Group of the number of essential and important entities in each sector by the same deadline and every two years thereafter.
The CSIRTs Network was established by the NIS 1 Directive and strengthened by the NIS 2 Directive, which entered into force in 2023, "in order to contribute to the development of confidence and trust and to promote swift and effective operational cooperation among Member States". The NIS 2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The EU cybersecurity rules introduced in 2016 were updated by the NIS 2 Directive that came into force in 2023.
The Commission is responsible for reviewing the functioning of this Directive by 17 October 2027, and every 36 months thereafter. The findings will be reported to the European Parliament and the Council.
Your implementation track follows four simple steps:
1. Maturity measurement: after a thorough analysis of your current situation, you receive a detailed report of the steps needed to operate in compliance with NIS 2.
2. Implementation: based on the initial maturity measurement, a plan is developed and monitored to get to the desired level.
3. Certification audit (optional)
With a little extra effort, you can also add ISO 27001 or ISO 27701, the data protection standard, which is a valuable addition in the European GDPR context.
We support you in various ways, ranging from coaching (a few hours per week) to implementation or even ISMS tooling.
This website belongs to CyberMinute BV (established in Brussels, Belgium). We provide implementation, coaching, advice and training.