The EU Directive on security of network and information systems (NIS Directive), which mandates providers of critical infrastructure and other services to comply with a range of cyber security requirements, is anticipated to be replaced with a new directive, NIS 2.
Read our guide to learn about the latest proposals and how they could affect your organisation.
What is the NIS Directive?
Enacted in 2016, the NIS Directive is the first EU-wide legislation on cyber security. It requires member states to ensure that providers of critical infrastructure and services have appropriate security measures in place to manage cyber risk and maintain resilience in the event of an incident.
Its four top-level objectives are:
- Managing security risk
- Protecting against cyber-attack
- Detecting cyber security events
- Minimising the impact of cyber incidents
NIS 2 – why is an updated standard needed?
While the current NIS Directive can be considered a success in terms of raising the importance of cyber security to operators of critical infrastructure and services, many people question its impact in ensuring consistent standards across Europe. One of the main reasons for this is that each member state has made its own interpretation of the requirements.
Since the NIS Directive was enacted, unprecedented digitalisation, including a huge rise in the use of IoT devices, has substantially increased cyber security risks. The adoption of mass remote working caused by COVID-19 has also led to a significant growth in the use of the cloud. A revised Directive, NIS 2, the draft of which was published on 6th December 2020, is part of a trifecta of current and new directives that have been brought forward in response to the COVID-19 crisis and changes in the cyber security landscape.
The digital transformation of society (intensified by the COVID-19 crisis) has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses.
What are the proposed changes?
The aim is for NIS 2 to be broader-reaching and more comprehensive, with changes that include:
New sectors based on critical role
An expanded scope will include more sectors and services, defining them as either ‘essential’ or ‘important’ entities, based on how critical they are to the economy and society, with a size cap to ensure all medium and large companies in selected sectors are included. New sectors covered by NIS 2 could include postal and courier services, waste management, food and manufacturing of certain critical products such as pharmaceuticals. However, NIS 2 will also provide a level of flexibility to allow member states to identify smaller entities they see as having a high security risk profile.
Stronger security requirements
The proposals aim to strengthen security requirements by imposing a risk management approach with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cyber security testing and the effective use of encryption.
More secure supply chain relationships
NIS 2 is also intended to address the security of supply chains through the requirement for individual companies to address cyber security risks in supply chains and supplier relationships. The proposed changes also aim to strengthen supply chain cyber security for key information and communication technologies at European level.
Supervisory measures and sanctions
NIS 2 is likely to include more stringent supervisory measures for national authorities, with stricter enforcement requirements, and will also aim to harmonise sanctions regimes across EU member states.
Information sharing and cooperation
The new Directive is intended to enhance the role of the current NIS Cooperation Group in shaping policy on emerging technologies and new trends. It aims to increase information sharing and cooperation between member state authorities and enhance operational cooperation through the establishment of the European Cyber Crises Liaison Organisation Network (EU-CyCLONe). This will support coordinated management of large-scale cyber security incidents and crises at EU level.
The proposal for NIS 2 establishes a framework for coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU and the creation of an EU registry.
What happens next?
The proposal will be subject to negotiations between the co-legislators and it is therefore likely to take some time before a final draft is agreed. Once it is agreed and adopted, member states will have 18 months to transpose it.
At this point, it remains unclear whether the requirements of NIS 2 will be adopted by the UK. The requirements of the NIS Directive are currently transposed into UK law by the NIS Regulations and it is unknown whether there will be future alignment post-Brexit.