NIS directive – NIS 2 on cybersecurity
Sep 16, 2022

Cybersecurity is an issue of particular concern to European countries. The number of cyber attacks against companies, local authorities and hospitals is increasing every year. In order to combat this phenomenon, the European Union (EU) has legislated to establish a reliable and secure digital environment on its territory. In particular, it adopted the Network and Information Security (NIS) Directive on 6 July 2016. The revised version of this law (NIS 2) is currently being adopted by the European Parliament. ONE GDPR provides all the important details you need to know about the NIS Directive and NIS 2, the European regulatory texts dedicated to cyber security.

What is the NIS Directive?

The Network and Information Security (NIS) Directive is a European directive that deals with the security of networks and information systems. Its main objective is to guarantee an optimal and common security level for all networks and information systems in the EU. In concrete terms, the text aims to create a strong Europe capable of reacting in the event of a cyber attack or threat.

To achieve this, the NIS Directive relies on two important levers:

  • the national cybersecurity capabilities of EU Member States;
  • the establishment of a European cooperation framework on policy and operational aspects of cyber security.

As with all EU acts, the NIS Directive has been transposed into the national law of each member state. This means that the regulation is effectively applied in all EU countries.

Who is affected by the NIS Directive?

The NIS Directive applies to two main categories of actors. Both are obliged to take the necessary measures to comply with this standard.

Essential Service Operators

All Essential Service Operators (ESOs) located in EU countries are affected by the NIS Directive. In practice, an ESO is a public or private company that has an important role in society and the economy. It may carry out one or more activities in the following areas:

  • banking;
  • financial markets;
  • the water sector;
  • energy;
  • health.

ESOs can also operate in the field of digital infrastructure. In concrete terms, these include companies that provide services relating to domain name systems.

Digital service providers

The NIS Directive also applies to digital service providers (DSPs) who offer services to persons resident in the European Union. DSPs are companies that specialize in the provision of digital services. They include search engines, cloud computing service providers and e-commerce sites such as Amazon, Expedia or eBay.

However, the Directive only applies to those DSPs that are considered medium or large enterprises. Small and micro companies are therefore not obliged to comply with this standard.

The main issues of the EU NIS Directive

The NIS Directive on cybersecurity has several issues at stake in the European area. In any case, this regulation mainly seeks to harmonize the European legal framework on cybersecurity.

Strengthening national cybersecurity capabilities

The strengthening of national cybersecurity capacities is one of the major challenges of the European NIS Directive. As a result, the text requires EU Member States to set up national authorities responsible for cybersecurity issues. Similarly, states must also set up national cyber incident response bodies. Each EU country is also required to develop effective strategies to combat cyber attacks and threats.

Of particular importance are the Computer Security Emergency Response Centres (CSIRTs) and Computer Emergency Response Centres (CERTs). They are responsible for alerting, monitoring and analyzing cyber incidents at national level.

Strengthening cooperation between countries on cyber security

The NIS Directive established a framework for voluntary cooperation between EU Member States. This is manifested in the creation of a cooperation group that addresses the policy aspects of cyber security. The standard also established a European network of CSIRTs of the EU member states.

This body is composed as follows:

  • representatives of each EU state;
  • representatives of the European Commission;
  • representatives of the European Network and Information Security Agency (ENISA)…

The strengthening of cooperation between European countries aims to facilitate the exchange of technical data on IT security risks and vulnerabilities.

Optimizing the level of security for businesses

The NIS Directive encourages each EU country to significantly improve the cybersecurity of ESOs and digital service providers established on its territory.

To this end, states must impose certain cybersecurity rules on companies. The latter are also required to notify the competent authorities when they detect incidents that affect the continuity of their services.

Non-compliance with the NIS Directive: penalties

ESOs and DSPs that fail to comply with the EU NIS Directive risk several financial penalties. For essential service operators, the fines are higher than those for DSPs. Specifically, ESOs that violate their security obligations under the Directive are liable to a fine of €100,000, and to a fine of €75,000 if they fail to report security incidents that they have identified. If an ESO is guilty of obstructing the control operations carried out by the ANSSI, it risks a fine of €125,000.

Digital service providers (DSPs) face a fine of €75,000 for non-compliance with the obligations set out in the directive. Failure to report security incidents exposes them to a fine of €25,000. In the same way as ESOs, DSPs that obstruct the ANSSI’s control operations must pay a financial penalty of €125,000. To avoid these financial penalties, each organization can call on the experts at ONE GDPR. Specialized in cybersecurity, our team responds to its clients’ requests by proposing a toolbox, then accompanies and advises them until they are fully satisfied.

What is the NIS 2 Directive?

The NIS 2 Directive is a new European directive scheduled to be adopted by the end of the year. It will replace the NIS Directive that has been in force since 2016. It aims to correct the shortcomings of this regulation to strengthen cybersecurity within the European Union. This European legal instrument is ambitious and balanced in order to respond to the current state of the cyber security threat.

The adoption of this directive is well underway, since the draft has been validated by the Permanent Representatives Committee (Coreper). In the coming months, the text should therefore be definitively adopted by the European Parliament. As soon as it is adopted by the Parliament and the Council of the EU, the Member States will have to transpose it into their national law within a maximum of two years.

The new directive incorporates several innovations compared to the NIS directive. Amongst these, we can mention the extension of the fields of activity and organizations subject to cybersecurity obligations. The NIS 2 Directive also contains more stringent and strict security requirements.

What are the obligations of the NIS 2 Directive?

Private companies, public administrations and governments have several obligations under the NIS 2 Directive.

Risk management obligations

The new European directive on cybersecurity reinforces the existing obligations and integrates new ones. First, the obligations laid down relate to risk management. In fact, the text supplements the old regulation by defining a precise list of requirements that impose measures affecting various aspects:

  • risk analysis;
  • information systems (IS) security policies;
  • incident management procedures;
  • business continuity measures during crisis periods;
  • the use of cryptographic tools for data encryption…

In accordance with the new rules established by the NIS 2 Directive, the reliability and effectiveness of the various procedures will be subject to periodic monitoring. This control will be carried out by means of audits. The new regulation also imposes an obligation to manage the risks associated with all third-party organizations belonging to the supply chain of the players concerned by the directive.

Reporting obligations

The NIS 2 Directive has also strengthened the obligations to report possible incidents that could cause significant operational or financial damage. In concrete terms, organizations subject to the NIS Directive now have 24 hours to report cyber security incidents to the competent authorities.

The text also includes specific provisions on the modalities for reporting incidents. These concern in particular the timetable and the content of the reports. In addition, companies and local authorities are now required to have an incident management team.

The duty to disclose vulnerabilities

The new EU Cybersecurity Directive supports the vulnerability disclosure process that was already in place with the NIS Directive. This mechanism plays an important role in the fight against cybercrime and cyberattacks. Under it, IT security experts and ethical hackers are encouraged to report vulnerabilities they discover in information systems.

This promotes a quick and efficient handling of these vulnerabilities by digital service providers. To facilitate this, the Directive provides for the creation of a database listing all known vulnerabilities. This database of vulnerabilities will be administered by the European Union Agency for Cyber Security (ENISA).

The NIS 2 Directive also extends the powers of control available to the authorities in each EU country. This text thus recommends ex ante control for essential operators and ex post control for important operators. It also incorporates more demanding monitoring mechanisms for national authorities. The implementation requirements of the NIS 2 Directive are more stringent and are mainly aimed at harmonizing the sanctions regimes in all EU Member States.

The scope of the NIS 2 Directive

The NIS 2 Directive clarifies and extends the scope of the IT security obligations it contains. First of all, the sectors and actors concerned by the strict measures have been greatly increased compared to the first directive. The new text retains the areas already targeted by the NIS Directive and adds other sectors such as:

  • public administration;
  • space;
  • waste and waste water management;
  • provision of drinking water;
  • postal services;
  • research…

The directive states that all medium and large organizations operating in these strategic areas will be subject to cybersecurity obligations. However, it leaves the possibility for member countries to choose smaller entities to be included in the directive. Each country is thus allowed to apply the text to its regional administrations. However, the new directive excludes certain sectors or organizations from its scope. These include national defense, national and public security, the judiciary, parliaments, central banks, law enforcement, etc.

One of the specificities of the new text on cybersecurity is that it classifies the organizations concerned into two different categories. A distinction is made between critical operators and significant operators. In concrete terms, critical operators are subject to much stricter and more comprehensive obligations than significant operators. This is justified by the fact that the security risks incurred by these different actors are not identical.

For example, in the field of digital infrastructure, DNS operators and cloud solution providers will only be considered as significant operators. As for search engines (Google, Bing…) and social networks (Facebook, Instagram, LinkedIn…), they will be classified as significant operators.

How to prepare for the NIS 2 Directive?

In a few weeks or months, the new NIS 2 Directive will be voted in plenary and finally adopted. It will enter into force in the national legislation of each EU Member State after 21 months. After this period, organizations that are not in compliance with the text will be fined heavily.

Compliance with the NIS 2 Directive consists of adopting appropriate operational and technical measures to manage the risks to which information systems are exposed. This concerns both essential and important operators. To best prepare for this deadline, organizations need advice, training and some of the tools needed to comply with the directive.

In any case, ONE GDPR offers its services to all companies wishing to comply with the NIS 2 directive. Its expertise helps to carry out all the necessary steps to comply with the provisions of this legal text.

Appointing a correspondent with the ANSSI

The first step is to choose the representative of the company or local authority to the ANSSI. The next step is to identify the organization’s information systems, since the security rules to be implemented depend on their nature.

Monitoring and evaluation of networks or information systems

Compliance with the NIS 2 Directive requires monitoring and assessment of networks or information systems. Specialized companies usually use two methods to achieve this: active scanning and passive monitoring. The latter offers the possibility of detecting security flaws on a continuous basis.

Reporting on incidents

Organizations need to produce compliance reports for submission to the relevant national authorities. To simplify this task, NIS 2 deployment specialists use reporting and dashboard templates. These are useful for creating customized reports for each compliance obligation.

NIS 2 compliance: the importance of a cybersecurity expert

Compliance for critical and large operators is far from being an easy task. That is why it is recommended to entrust this project to a professional like ONE GDPR. They have excellent technical expertise and proven experience in the field of international management system standards.

Most service providers on the market have already managed hundreds of NIS compliance projects across Europe. Specialized companies are therefore able to manage this project from start to finish with great success.

In general, they have multidisciplinary teams. These teams are responsible for, among other things:

  • developing a compliance strategy, taking into account the budget, sponsorship and overall development plan;
  • conducting rigorous and reliable penetration testing;
  • implementing executive expertise and building an effective risk mitigation plan…

Ultimately, a specialist is able to help companies understand and implement the NIS 2 directive. This support not only helps to avoid the sanctions provided for by the European Union, but also helps to establish a lasting relationship between the organization and its various partners. Every organization affected by this directive would therefore be well advised to delegate its compliance project to a cybersecurity expert accustomed to this type of mission.

Sanctions for non-compliance with NIS 2

The NIS 2 Directive has harmonized and strengthened the penalties for breach of cybersecurity obligations by the organizations to which it applies. In any case, non-compliance with this legislation exposes companies or public authorities to a fine. The fine can be as high as €10 million or 2% of the organization’s annual worldwide turnover.

However, companies that frequently violate cybersecurity obligations are not immune from other sanctions. Individuals in representative or managerial positions may be held liable.

The NIS 2 Directive also places certain supervisory and enforcement obligations on Member States. Therefore, it cannot be excluded that states that violate these rules will be prosecuted and sanctioned by the European authorities.

NIS Directive and GDPR: two identical realities?

Some people confuse the NIS Directive with the GDPR. However, these two European standards on cybersecurity refer to different realities. Indeed, the GDPR (General Data Protection Regulation) is a European legal instrument whose objective is to optimize the protection of European citizens’ personal data. It came into force on 28 May 2018.

The GDPR focuses on the transparency of data collection and use. It makes all public or private actors who collect or process personal data accountable. This regulation replaces the 1995 directive, which showed some weaknesses. The authority responsible for its proper application in France is the CNIL (Commission Nationale de l’Informatique et des Libertés).

The GDPR applies to public or private organizations that collect or process personal data on their own behalf or not. The two requirements are that these organizations are based in EU countries and that their activity is directly targeted at people living in the EU.

In concrete terms, a company based in France that exports its products to Algeria or to customers in the Middle East, for example, is subject to the GDPR. Likewise, a Chinese company that runs an e-commerce platform in French and delivers products in France is required to comply with the GDPR. This legislation also applies to subcontractors who carry out personal data processing on behalf of other companies.

Ultimately, the NIS Directive and the GDPR diverge in several respects. While the former is a directive, the latter is a regulation. The NIS Directive then governs the issues of cyberattacks and cyber threats, while the GDPR applies essentially to the collection and processing of personal data. To better understand these two texts, a company such as ONE GDPR can be called in. They will help every organization to better understand the NIS Directive on cybersecurity and the GDPR.