EU rolls in improved cybersecurity rules to strengthen critical, digital infrastructure against threats

Two key European Union (EU) directives on critical and digital infrastructure have come into force on Jan. 16, strengthening the region’s resilience against online and offline threats, from cyberattacks to crime, risks to public health, or natural disasters. The directives include the NIS 2 Directive covering measures for a high common level of cybersecurity across the Union and the resilience of critical entities (CER) directive that works to widen their scope across critical sectors and bring about more unified cybersecurity rules in the region.

The NIS 2 Directive gives member states until Oct. 17, 2024, to bring the new provisions into their national legislation. During this time, member states shall adopt and publish the measures necessary to comply with them.

The NIS 2 Directive was officially adopted on Nov. 28 and subsequently published in the Official Gazette of the EU on Dec. 27, providing cybersecurity regulations for multiple companies within the region. The move introduces measures that work towards building a ‘high common level’ of cybersecurity to ramp up defenses against potential cyber-attacks.

London-based law firm Travers Smith wrote in a post this week that “seeking to harmonise requirements across Member States, NIS2 will leave less discretion to Member States than its predecessor, setting out minimum rules for regulatory frameworks and establishing more stringent cybersecurity measures that must be implemented.”

The post said that it requires in-scope entities to implement ‘appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services,’ in connection with a list of specified matters, such as incident handling, business continuity, supply chain security, encryption, access control, the use of multi-factor authentication, and vulnerability handling and disclosure.

Travers Smith further pointed out that NIS 2 will impose responsibilities on ‘management bodies’ of essential and important entities to approve cybersecurity measures and supervise their implementation. In addition, management may also be held liable and temporarily banned if the organization does not comply with cybersecurity requirements.

The post added that the U.K. will take a different and more flexible approach. “Competent authorities responsible for regulating each sector will continue to set the cybersecurity measures which regulated entities will have to implement. The UK Government also sees ‘outcomes-focused tools such as the Cyber Assessment Framework [as providing] a measure of flexibility for companies.’”

The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 to achieve a common high level of security of network and information systems across the EU. As part of its policy objective to make Europe fit for the digital age, the Commission proposed the revision of the NIS Directive in December 2020. The EU Cybersecurity Act that is in force since 2019 equipped Europe with a framework of cybersecurity certification of products, services and processes and reinforced the mandate of the EU Agency for Cybersecurity (ENISA). 

Last September, the Commission adopted the proposal for Cyber Resilience Act, which lays down cybersecurity requirements for products with a digital element, covering both hardware and software.

In a post for SOCWISE, the International Security Operations Center (SOC) of EURO ONE, Tamás Tóth wrote that “all organisations are advised to first check whether they are subjects of the Directive. If the answer is yes, it is strongly recommended to start preparing for compliance as soon as possible and not waiting for the deadline for transposition of the Directive into the national law in 2024.” 

Tóth further added that if an organization has low maturity cybersecurity capabilities, it will take time to reach the expected level of compliance and there is no shortage of requirements.

The NIS 2 Directive expanded the sectors and types of critical entities falling under its scope to cover providers of public electronic communications networks and services, data center services, wastewater and waste management, manufacturing of critical products, postal and courier services, and public administration entities, and the healthcare sector more broadly. Furthermore, it also strengthens cybersecurity risk management requirements that companies are obliged to comply with while streamlining incident reporting obligations with more precise provisions on reporting, content, and timeline. 

Directive (EU) 2022/2555 requires entities belonging to the digital infrastructure sector to take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems and to notify significant incidents and cyber threats. Since threats to the security of network and information systems can have different origins, it applies an all-hazards approach that includes the resilience of network and information systems, as well as the physical components and environment of those systems.

Considering the importance of the services provided by entities belonging to the digital infrastructure sector to critical entities belonging to all other sectors, member states should identify, based on the criteria and using the procedure provided for in this Directive, entities belonging to the digital infrastructure sector as critical entities. Member states should be able to adopt or maintain provisions of national law to achieve a higher level of resilience for those critical entities, provided that those provisions are consistent with applicable Union law.

Entities belonging to the digital infrastructure sector are in essence based on network and information systems and therefore the obligations imposed on those entities according to the directive should address comprehensively the physical security of such systems as part of their cybersecurity risk-management measures and reporting obligations. 

The NIS2 Directive expands the scope of the previous rules by adding new sectors based on their degree of digitization and interconnectedness and how crucial they are for the economy and society, and by introducing a clear size-threshold rule that determines which entities in the selected sectors fall within scope. At the same time, it leaves certain discretion to member states to identify smaller entities with a high-security risk profile that should also be covered by the obligations of the new directive.

The NIS 2 Directive also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance and divided into essential and important entities, which will be subjected to different supervisory regimes. It strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. The directive introduces more precise provisions on the process for incident reporting, the content of the reports, and timelines.

Furthermore, NIS 2 Directive addresses the security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships. At the European level, the directive strengthens supply chain cybersecurity for key information and communication technologies. Member states in cooperation with the Commission and ENISA may carry out EU level coordinated security risk assessments of critical supply chains.

It also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between member state authorities. It also builds operational cooperation within the Computer Security Incident Response Team (CSIRT) network and establishes the European cyber crisis liaison organization network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises.

The evaluation of the current rules on security and incident reporting requirements found that in some cases member states have implemented these requirements in significantly different ways. Such divergence has created an additional burden for companies operating in more than one member state. Additionally, when dealing with cybersecurity requirements, all companies must address the necessary core set of elements in their cybersecurity risk management policies.

With this in mind, NIS 2 includes a list of 10 key elements that all companies have to address or implement as part of the measures they take, including incident handling, supply chain security, vulnerability handling and disclosure, use of cryptography, and where appropriate, encryption. When it comes to incident reporting, there should be a clear balance between the need for quick reporting, which helps contain incidents and prevent them from spreading, and detailed reporting, which can draw helpful knowledge from individual cases.

The NIS 2 Directive foresees a multi-stage approach to incident reporting. Affected companies have 24 hours from when they first become aware of an incident to submit an early warning to the CSIRT or competent national authority, which would also allow them to seek assistance if they request it. The early warning should be followed by an incident notification within 72 hours of becoming aware of the incident, and a final report no later than one month later.

The CER directive replaces the European Critical Infrastructure Directive of 2008 to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The 11 sectors covered include energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member states will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.

The directive also calls upon critical entities to carry out risk assessments of their own, take appropriate technical and organizational measures to boost resilience, and report disruptive incidents to national authorities. Critical entities providing services to or in at least one-third of member states would be subject to specific oversight, including advisory missions organized by the European Commission.

Additionally, the Commission would offer different forms of support to member states and critical entities, a Union-level risk overview, best practices, methodologies, cross-border training activities, and exercises to test the resilience of critical entities. Regular cross-border cooperation concerning the implementation of the directive would be facilitated through an expert group, the Critical Entities Resilience Group.

In December, the European Council adopted an October recommendation on a Union-wide coordination approach to strengthening the resilience of critical infrastructure where member states are invited to accelerate preparatory work for the transposition and application of NIS 2 directive and the CER directive.

The draft recommendation aims at maximizing and accelerating the work to protect critical infrastructure in three priority areas – preparedness, response, and international cooperation. For that purpose, it foresees a stronger support and coordination role by the Commission to enhance preparedness and response against the current threats as well as strengthened cooperation among member states, and with neighboring third countries. Priority should be given to the key sectors of energy, digital infrastructure, transport, and space.
