NIS 2 Directive published in EU Gazette, works on boosting cybersecurity and resilience across the Union


Following its adoption in late November, the NIS 2 Directive has been published in the Official Gazette of the European Union (EU), bringing in cybersecurity obligations for various companies across the region. The move introduces measures that work towards building a ‘high common level’ of cybersecurity to ramp up defenses against potential cyber-attacks.

In the publication of Directive (EU) 2022/2555, the EU requires member states to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs). It also calls for cybersecurity risk-management measures and reporting obligations for critical entities, rules and obligations on cybersecurity information sharing, and supervisory and enforcement obligations on member states.

The directive aims to overcome the shortcomings of the earlier distinction between operators of essential services and digital service providers. The directive notes that this distinction has proven obsolete, since it does not reflect the importance of the sectors or services for societal and economic activities in the internal market.

The NIS 2 Directive comes into force on Jan. 16. Following that, member states will have until Oct. 17, 2024, to adopt and publish the measures necessary to comply with the NIS 2 Directive. From the day after that deadline, they are expected to apply those measures.

“Member States should be able to take the necessary measures to ensure the protection of the essential interests of national security, to safeguard public policy and public security, and to allow for the prevention, investigation, detection, and prosecution of criminal offences,” the NIS 2 directive said. “To that end, Member States should be able to exempt specific entities which carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences, from certain obligations laid down in this Directive with regard to those activities.” 

It added that entities falling within the scope of the directive for compliance with cybersecurity risk-management measures and reporting obligations should be classified into two categories, essential entities and important entities, reflecting the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. 

In that regard, due consideration should be taken of any relevant sectoral risk assessments or guidance by the competent authorities, where applicable, the NIS 2 directive said. “The supervisory and enforcement regimes for those two categories of entities should be differentiated to ensure a fair balance between risk-based requirements and obligations on the one hand, and the administrative burden stemming from the supervision of compliance on the other,” it added.

The NIS 2 Directive lays down that the Commission, the European Union Agency for Cybersecurity (ENISA), and the member states should continue to foster alignment with international standards and existing industry best practices in the area of cybersecurity risk management. The entities must also address the areas of supply chain security assessments, information sharing, and vulnerability disclosure.

It also said that member states, in cooperation with ENISA, should take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. “As part of their national policy, Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities,” it added. 

The publication also called upon member states to contribute to the establishment of the EU Cybersecurity Crisis Response Framework through existing cooperation networks, in particular, the European cyber crisis liaison organization network (EU-CyCLONe), the CSIRTs network, and the Cooperation Group. 

It also added that the EU-CyCLONe should work as an intermediary between the technical and political levels during large-scale cybersecurity incidents and crises while enhancing cooperation at an operational level and supporting decision-making at the political level. In cooperation with the Commission, having regard to the Commission’s competence in the area of crisis management, EU-CyCLONe should build on the CSIRTs network findings and use its capabilities to create impact analysis of large-scale cybersecurity incidents and crises.

The NIS 2 Directive outlines that large-scale cybersecurity incidents and crises at the EU level require coordinated action to ensure ‘rapid and effective response’ because of the high degree of interdependence between sectors and member states. “The availability of cyber-resilient network and information systems and the availability, confidentiality, and integrity of data are vital for the security of the Union and for the protection of its citizens, businesses, and institutions against incidents and cyber threats, as well as for enhancing the trust of individuals and organisations in the Union’s ability to promote and protect a global, open, free, stable and secure cyberspace grounded in human rights, fundamental freedoms, democracy and the rule of law,” it added.

To facilitate the effective implementation of the NIS 2 Directive in relation to the management of vulnerabilities, cybersecurity risk-management measures, reporting obligations, and cybersecurity information-sharing arrangements, member states can cooperate with third countries and undertake activities that are considered appropriate for that purpose. Such cooperation would also cover information exchange on cyber threats, incidents, vulnerabilities, tools and methods, tactics, techniques and procedures, cybersecurity crisis management preparedness and exercises, training, trust building, and structured information-sharing arrangements.

Addressing risks stemming from an entity’s supply chain and its relationships with its suppliers, such as providers of data storage and processing services, managed security service providers, and software editors, is particularly important given the prevalence of incidents in which entities have been the victims of cyberattacks and in which malicious perpetrators were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third-party products and services.

The NIS 2 Directive said that essential and important entities should assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. “Essential and important entities should in particular be encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers. Those entities could consider risks stemming from other levels of suppliers and service providers,” it added.

Furthermore, essential and important entities should adopt basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management, or user awareness; organize training for their staff; and raise awareness concerning cyber threats, phishing, or social engineering techniques. The entities should also evaluate their cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity-enhancing technologies.

Last October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released cross-sector Cybersecurity Performance Goals (CPGs) that provide an approachable common set of IT and OT (operational technology) cybersecurity protections to improve cybersecurity across the nation’s critical infrastructure. The CISA CPGs are written and designed to be easy to understand and to communicate to non-technical audiences, including senior business leaders, and are aimed at addressing some of the most common and impactful cyber risks.
