Getting ready for the next Network and Information Systems Directive (NIS2)
By Tony Burton, Managing Director – Cyber Security and Trust at Thales UK
With cybercriminals increasingly targeting critical national infrastructure, in July 2016 the European Commission adopted the Network and Information Systems Directive (NIS1).
NIS1 represented the first step in enacting EU-wide cybersecurity legislation, which became national law in the UK, aiming to improve cybersecurity standards across the EU for vital industries. NIS1’s remit covered the energy, transport and healthcare sectors, and it was intended to address not only the threats posed to information systems but also wider incidents, such as floods, that disrupted these critical services.
The EU adopted the next iteration of cybersecurity regulations, which will replace NIS1, in November 2022. NIS2 aims to modernise cybersecurity and keep pace with an evolving threat landscape as more businesses digitalise, work remotely and handle increasingly mission-critical data. Ultimately, NIS2 will help to combat increasingly sophisticated cyberattacks on sensitive and important infrastructure.
Organisations have been given a deadline of 2024 to reach compliance and, whilst the UK won’t directly adopt NIS2, organisations that provide services to the EU must ensure they remain compliant with the latest security standards. We also expect to see the UK introduce its own regulations that are broadly similar to NIS2 in the near future.
The need to move beyond NIS1
The EU is keen to bolster the cybersecurity of critical infrastructure within member countries. Critical infrastructure encompasses sectors that are essential to the functioning of society, where damage to their networks or systems has the potential to cause long-lasting, devastating effects on public health and safety, or on the economy. Societal dependence on these industries is the very reason they are an attractive target for cyberattacks. As a result, cybercriminals and state-sponsored hackers are shifting their attention away from more traditional targets, such as financial institutions and professional services, to exploit the industries and operational technologies at the core of society.
With the targets of cybercriminals and state-sponsored hackers shifting, the consequences of attacks have also changed. Whereas the biggest concern previously was ransomware and data being sold on the dark web, cyberattacks against vital infrastructure and operational technology have the potential to halt entire manufacturing processes or cut power to hospitals, transportation, homes and communications.
The key components of NIS2
Whilst NIS1 covered the energy, transport, and healthcare sectors, NIS2 has an expanded remit to include wastewater and waste management, FMCG, postal services, space, public administration, and the manufacturing of critical products such as medicines and chemicals. Its expanded remit also establishes minimum cybersecurity standards that must be adhered to and ensures that organisations meet certain reporting requirements when it comes to breaches and incidents, including disclosing them within a 24-hour period. It’s important to note that under NIS2, impacts of cyberattacks will now be determined by whether there was a disruption to critical services, or financial or material loss.
Another important aspect of NIS2 is the increased focus on supply chain security, recognising the impact of attacks directed at product and service providers that may sit several levels down a supply chain. The Directive requires organisations to perform risk assessments of the security of their supply chains and to ensure that suppliers are taking appropriate measures to protect against cyber threats. Recent high-profile attacks demonstrate the importance of this element of the Directive and how far its influence reaches.
In addition to widening its reach to all essential activities, NIS2 aims to reduce the inconsistencies that arose from the fragmented approach to cybersecurity under NIS1.
Where cybercriminals and other threats focus on key infrastructure, the resulting impacts could escalate into a large-scale crisis. NIS2 aims to boost information sharing and establish procedures for planning and responding to incidents collectively.
What NIS2 means for businesses
With the Thales Data Threat Report 2023 finding that nearly half of respondents (47%) have felt an increase in the volume and severity of cyberattacks, there is a heightened risk of cyberattacks against key services. NIS2 requires companies to strengthen their cybersecurity measures, including risk analysis; incident handling; business continuity and crisis management; security in network and information systems; policies and procedures for cybersecurity risk management measures; and the use of cryptography and encryption. Failure to adhere to NIS2 could result in sanctions against the organisation in question, including fines; management liability; bans; and the designation of a monitoring officer.
All industries now handle huge volumes of sensitive data. With the adoption of both information technology (IT) and operational technology (OT), there is increased automation and connectivity between various systems, networks and organisations. One of the key considerations for businesses and institutions is that NIS2 holds them directly responsible for their cybersecurity. This responsibility extends to outsourced arrangements – whether data stored in the cloud, subcontractors or service providers – so that supply chain security is addressed.
How organisations can prepare
Under NIS2, all organisations in scope are directly responsible for cybersecurity and have to start meeting the new standards. Cybersecurity is now a board and senior management issue, rather than something delegated to, and falling solely under the responsibility of, technical teams.
Organisations can seek out information and guidance from industry experts and national authorities to ensure they have the right processes and foundations in place. In addition, there are a number of things organisations can do to start preparing:
Understanding how NIS2 expands upon NIS1: From an expanded scope, to covering more industries and their supply chains, enhanced security requirements, and greater levels of accountability, NIS2 greatly increases the compliance burden on an organisation.
Implementing cryptography and encryption: As more IT moves into the cloud, organisations remain responsible for their data despite outsourcing. Encryption and key management systems (KMS) that the organisation itself manages are a way to enforce additional controls over cloud-based assets.
Patch updates: The release of a software update signals to attackers that some systems will not yet have applied it, leaving vulnerabilities open to exploitation by cybercriminals. Consistent, timely patching across the company closes that window and enhances security.
Verification: Public key infrastructure (PKI) certificates identify devices, and multi-factor authentication verifies that a person is who they claim to be. PKI certificates should be rotated regularly.
Operational Technology: Owners and operators of businesses subject to NIS2 must also address operational technology threats, risks and vulnerabilities. They can do so by understanding their deployed estate, assessing the risk position and then developing detection, response and recovery capability in alignment with their wider business resilience programmes.
NIS2 will strengthen organisations’ cybersecurity capabilities, helping to enhance cyber resilience across the EU and beyond. With authorities able to hand out fines and other sanctions for breaches to vital services, there’s a huge incentive for organisations to ensure they meet the security obligations.
With cybersecurity risks continuing to grow and evolve, encompassing the majority of industries across the globe, future legislation will follow suit. Organisations must keep up to date with new iterations and see cyber resilience as an ongoing project that everyone has responsibility for.