Reading Time: 5 minutes Difficulty: AdvancedThe NIS and NIS 2 Directives were created to incentivize EU states to adopt national cybersecurity strategies in response to security incidents affecting essential services. Compared to the first Directive in 2018, let us see what the NIS 2 Directive specifies, with entry into force scheduled for October 18, 2024, and what to do to prepare for the upcoming transposition.
The NIS and NIS 2 Directives were created to incentivize EU states to adopt national cybersecurity strategies in response to security incidents affecting essential services. Compared to the first Directive in 2018, let us see what the NIS 2 Directive specifies, with entry into force scheduled for October 18, 2024, and what to do to prepare for the upcoming transposition.
The first NIS of 2018
The NIS (Network and Information Security) Directive is the legislation on cybersecurity for network and information systems that was created to achieve a high common level of cybersecurity throughout the European Union.
Member states had until May 9, 2018 to transpose the NIS Directive into national law and set fines for non-compliance with the Directive. In Italy, this step was marked by Legislative Decree No.65 of May 18, 2018.
The NIS Directive addressed all entities required to implement effective cybersecurity programs:
- Operators of essential services (OES) located in the EU, including providers of drinking water, energy, healthcare, transport
- Digital service providers (FSDs) offering services to people in the EU, excluding companies with less than 50 employees and a turnover of less than €10 million, including search engines and cloud computing services
NIS 2 expands the scope to include other entities. Read on to learn more.
The NIS 2 Directive for Essential Entities
The NIS 2 Directive stems from the revision of NIS to ensure the effective continuity of essential services in case of critical events; services over time that have become indispensable to accelerate digital transformation at the societal level, and, inexorably, increasingly targeted by malicious intrusions.
Hence the NIS 2 Directive was created as a deterrent with the aim of unifying within EU states the level of awareness and knowledge of cybersecurity strategies, already covered by the NIS Directive while broadening its scope.
Having said that operators under NIS are also to be considered essential entities for the purposes of NIS 2, the updated Directive considers critical sectors to be all organizations that are larger than medium-sized enterprises and provide services in the sectors listed in Annex I, namely:
- Energy (electricity, oil, gas)
- Transport (air, rail, water, road)
- Healthcare
- Drinking water
- Wastewater
- Public Administration
- Space activities
Within the sector, and pending the transposition of NIS 2, ATECO codes must be applied. Note that each Member State may decide to apply the concept of essentiality to other organizations, based on different security criteria (e.g., in the case of a sole provider or significant impact).
The NIS 2 Directive for Important Entities
NIS 2 also adds medium-sized enterprises providing services in the sectors listed in Annex II, referred to as “important entities,” to the list of stakeholders.
It covers the following:
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing, and distribution of food
- Manufacture of medical devices and in vitro diagnostic medical devices
- Manufacture of computers and electronic and optical products
- Manufacture of electrical equipment
- Manufacture of machinery and equipment n.e.c.
- Manufacture of motor vehicles, trailers and semi-trailers
- Manufacture of other transport equipment
What obligations does the NIS 2 Directive impose
Stakeholders should apply the measures listed in Article 21 (2).
The directions are the same for essential entities as much as for important entities, but with different levels of risk management and measures required.
The measures in Article 21 (2) include:
- Risk analysis and systems security policies
- Incident management
- Operational continuity
- Supply chain security
- Systems acquisition, development and maintenance security
- Strategies and procedures for evaluating the effectiveness of risk management measures
- Basic computer hygiene practices and training
- Human resource security, access control strategies and asset management
- Use of multi-factor authentication or continuous authentication solutions
All stakeholders (essential and important) will have an obligation to report incidents to and will have to cooperate with institutional bodies, by sharing information about their systems and the security measures in place.
What to do pending the transposition of NIS 2
The options available today to stakeholders, pending the transposition of the NIS 2 Directive, are the reference to international schemes: NIST CSF or IEC 62443 for the adoption of the Cyber Security Management System.
Our advice is to implement proven schemes taking into account the obligations required nationwide by the authorities; and here is what we can do for you:
- NIS 2 consultation, governance support and technical support, thanks to our advanced knowledge of OT systems.
- Time & Material mode, support and integration with your team responsible for obligations, or on project tasks, according to shared planning.
Do you want to help our page grow?
Follow us on LinkedINDo you need more information to prepare for the NIS 2 Directive?
Our support for stakeholders affected by the NIS 2 Directive
Our consultancy service on the points to be addressed with respect to the obligations required under NIS 2 (Article 21) begins with the GAP Analysis, which is a quick and focused initial audit activity.
The GAP Analysis:
- The purpose is to analyze the status of the measures required by Article 21, the level of maturity and coverage, with reference to the cyber perimeter to be protected
- What we do is evaluate the obligations under NIS 2 and how you respond to them
- End result will be your awareness of the GAPs in NIS 2, for which we will help you estimate and plan adaptive measures
From there, the next stages of work will follow, according to your needs.
With Governance Support we work alongside you to do the following:
- Suitable reference framework, support in choosing between NIST and IEC 62443
- Definition of responsibilities, organizational charts, and job descriptions for cybersecurity
- Definition of methods, criteria and methods for risk and security analysis of systems
- Definition of procedures for incident management, impact mitigation, and notification system
- BIA analysis (ISO 22317) for operational continuity, business continuity and disaster recovery plans
- Analysis and securing of the supply chain, definition of vendor qualification criteria
- Change management, security in the acquisition, development and maintenance of systems
- Definition of strategies, KPIs/KRIs and evaluation of the effectiveness of risk management measures
- Definition of Policies for OT Systems
- Training of staff involved in cybersecurity
- Procedures for managing assets and documentation
- Procedures for managing vulnerabilities and updating OT systems
- Development of manuals for safety management systems and related documentation
- Performing periodic audits on the level of compliance and security
With Technical Support we do the following:
- Cybersecurity Risk Assessment
- Cybersecurity Site Assessment and vulnerability analysis
- High Level Design on site architectures, addressing plans, segmentation and segregation of networks
- Support for managing vendors and integrators, technical specification development, vendor verification and monitoring, FAT/SAT testing procedures on cybersecurity
- Development of device Hardening plans
- Patch Management, support in choosing the most suitable technical solutions according to the applications and vendors used
- Support in choosing IDS, remote access, access management solutions
Do you want to help our page grow?
Follow us on LinkedINTo act immediately on NIS 2, and achieve your compliance goals
Go back to the blog