More organizations face incident reporting requirements under revised rules

Industry experts welcomed the provisional acceptance of NIS2, an EU security directive that will extend breach reporting requirements

Criminal hackers, nation states, and other malicious actors are constantly changing their targets and methods. Legislation, though, often takes years to draft, putting law enforcement on the back foot when it comes to keeping pace with emerging cybersecurity threats.

The European Union (EU), though, is moving relatively quickly towards new, common cybersecurity regulations for the bloc. The Network and Information Systems Directive (NIS2) was proposed by the European Commission in December 2020. This month, the proposed rules gained provisional approval from the EU Parliament and EU member states (through the Council of Ministers).

NIS2 paves the way for “measures for a high common level of cybersecurity across the Union”, according to the European Commission. Once NIS2 is approved by the Council of Europe and the European Parliament, countries in the bloc will have 21 months to turn the directive into national law.

NIS2 will supplement the original Network and Information Systems Directive, which came into effect in 2018. Measures include a requirement for EU member states to adopt a national cybersecurity strategy, and a requirement to apply cybersecurity regulations on firms covered by the regulation, including a 24-hour incident reporting obligation.

RELATED European Council extends sanction regime to deter future cyber-attacks

NIS2 also calls for improved cooperation and information exchange between member states and more information sharing between firms covered by the directive. NIS2 covers two categories of organizations, or ‘entities’: ‘essential’ entities, including energy, transport, health, water, space, public administration, digital infrastructure, and banking and financial markets, and ‘important’ entities, which cover postal services, manufacturing, and food production, among others.

Although small firms will be excluded from the regulation, most firms in both essential and important sectors will be covered, giving NIS2 far wider scope than its predecessor.

The move towards NIS2 is being broadly welcomed by the cybersecurity sector. The Daily Swig polled a selection of experts for their views.

Jon France, CISO of (ISC)2

“NIS2 as an evolutionary move on from NIS is welcomed, especially in light of the rapid digitization of many industries and their increased reliance on communications infrastructure. NIS2 is bringing things up to date, with the inclusion of a number of additional technologies, such as telecoms, and sectors, all in support of good security outcomes.

Its adoption into legislation amongst the various EU member states in the coming months and years will further embed cybersecurity considerations and requirements to the benefit of all EU citizens.”

Steve Cottrell, EMEA CTO at threat detection and response company Vectra

“Under the previous NIS directive individual states were able to exercise a level of discretion when defining which organizations fell into the category of essential service operators. This led to states adopting and applying different interpretations, which in turn made it difficult to achieve a standard baseline of cyber maturity across the EU. The NIS2 directive directly addresses this as it lays out and details a size cap criterion to ensure medium and large organizations are within scope.

“During any large-scale cyber incident, it’s critical that authorities within EU states and across the continent have the ability to efficiently coordinate efforts and share information in as near to real time as possible. It’s extremely positive to see that the directive calls for the establishment of EU-CyCLONe [a cyber crisis management hub], which will coordinate the effective management of major pan-EU cyber incidents across its member states.”

The EU Parliament gave NIS2 provisional approval earlier this monthThe EU Parliament granted NIS2 provisional approval earlier this month

Phil Robinson, founder of Prism Infosec

“[The] NIS2 directive will extend the original legislation to include [organizations] that are critical for maintaining a healthy economy and functioning society. NIS2 will also focus on improving the resilience of supply chains and supplier relationships by ensuring that risk is managed within these processes.

“The evolution of cybersecurity legislation is to be welcomed. It will drive regulation and compliance and ensure that identification and management of risk is high on boards’ agendas. That said it is important to ensure that the compliance process is appropriate and pragmatic and that it continues to evolve to meet the changing cybersecurity threats that organizations face.”

Martin Walsham, director of cybersecurity at AMR CyberSecurity

“The NIS2 proposal provides a systematic and structural change to the NIS Directive, broadening the scope of organizations under its remit. It provides better supervision and more consistency in its implementation with the aim to improve the Union’s cyber resilience.

“The merits of NIS2 should be clear to see at a national level for member states and for industry within relevant sectors, [creating a] stable, secure, resilient digital ecosystem to counter an increasingly hostile cyber threat context.

Catch up with the latest cybersecurity policy and legislation news

“Looking at the initial NIS Implementation across the UK, it’s clear there have been significant differences in how effective implementation is, across various sectors. This depends on the specific regulator and their adopted approach for controls, assessment, and compliance auditing.

“However, we expect industry will be cautious on the adoption of this new legislation, especially considering the many business challenges that many sectors are already facing. Specific areas where industry is likely to be impacted include additional costs and administration burdens, inconsistencies in implementation between member states, and overly burdensome fines.”

Trevor Dearing, EMEA director of critical infrastructure at Illumio

“It is encouraging to see EU countries and lawmakers acknowledging the catastrophic impact of successful cyber-attacks across industries, by agreeing to tougher cybersecurity rules for businesses ranging from large energy and transport firms to digital providers and medical device makers.

“Now that the NIS2 directive has been agreed, the next step is to build it into law in each individual member state. This should not take too long because in theory it only requires an update to each country’s cybersecurity strategy. However, because NIS2 may not come into law in all countries at the same time, there is the potential for a temporary inconsistent enforcement of the new regulations, which countries will have to navigate.

“On a positive note, NIS2 includes making senior management more responsible for the cybersecurity within their organizations and making sure that appropriate risk analysis is carried out. Placing culpability on each individual organization should encourage stricter adherence to the regulations because of the consequent fines and reputational damage for neglecting to do so.

“Moreover, whilst NIS2 is a European [Union] directive, the UK is updating its rules in parallel.”

Chris Dimitriadis, chief global strategy officer at ISACA

“The provisional agreement of the EU Parliament and Council is a very positive step towards finalizing the legislative text of a new Directive that is both modernized and wider in scope.

“Widening the scope based on a proportionality rule both helps implement a more holistic approach covering additional sectors and their supply chains and, at the same time, maintains a balance towards the realistic implementation of the directive.

Harmonization of member states through setting the minimum rules for a regulatory framework, as well as strengthening the cooperation mechanism between those member states are key for both implementing and, most importantly, monitoring the maturity of implementation throughout Europe. It is also important to highlight that, according to NIS2, inspection and supervision shall be carried out by trained professionals.

“In practice, and in order for the legislation to be effective, Europe is in need of a highly skilled workforce to exercise the tasks designated by the NIS2. Targeted internal and independent security audits, risk assessment, cybersecurity architecture design and implementation, and incident management and reporting need to be carried out by certified professionals in risk, cybersecurity, and audit that both understand emerging technologies but also how to measure cyber maturity in a continuous manner.

“I am looking forward to the completion of the overall security framework that incorporates all updated regulations and directives, including NIS2, DORA, CER, and the Cyber Resilience Act, that work toward a more secure EU.”

DON’T FORGET TO READ UK government sits out bug bounty boom but welcomes vulnerability disclosure