How will NIS 2 Change Cybersecurity for Critical Infrastructure?


by Anastasios Arampatzis 

Back in 2016, the European Union published the Network and Information System (NIS) Directive to confront the dense and advanced cyber-attacks against critical infrastructures. With the NIS Directive, the EU wanted to direct its members to build requirements and rules regarding their national and cross-border cybersecurity capabilities. Although the plan was great, its implementation proved to be rough. The result was security fragmentation across the public and private sectors, which led to inefficient cybersecurity.

During the last few years, more powerful and destructive cyber-attacks have again put the EU's cyber health at risk. The catastrophic results that we have witnessed confirmed the hard way that the EU's cyber defense needs at least a facelift. In 2020, the decision was taken to revise the Directive, to “further strengthen overall cybersecurity in the Union”. What changes will the new Directive, NIS2, bring?

The NIS Directive 

The NIS Directive, which came into force in August 2016, provided norms about the minimum security measures the national Operators of Essential Services (OES) and Digital Service Providers (DSP) should have, and how these shall be supervised. The desired outcome was to improve the cybersecurity capabilities and cooperation within the EU, through proper risk management and incident reporting procedures among key OESs and DSPs.  

A National Cybersecurity Strategy, a Computer Security Incident Response Team (CSIRT), and a National Competent Authority (NCA) were set by every Member State; these mechanisms exchange risk information, cooperate on security incidents, and assure that the rules are duly applied by the national entities. Non-EU entities operating in the EU need to comply with the Directive as well. 

Operators of Essential Services (OES) 

The Directive helps the Member States define their OESs based on specific criteria. Any private or public sector that relies on information networks can be an OES: utilities, transport, healthcare, but also public administrations, the food sector, the chemical and nuclear industries, and civil protection are some of them.

Security measures shall be taken by OESs to manage their cybersecurity risk exposure, and minimize the impact of possible incidents that can jeopardize the security of their network and information systems. These measures need to be tailored, proportionate, compatible, concrete, verifiable, inclusive, and effective. 

Digital Service Providers (DSP) 

Search engines, cloud computing services, and online e-commerce marketplaces are defined by NIS as DSPs. Unlike OESs, Member States are not required to select their DSPs; the obligations of the Directive apply directly to every single DSP entity. Additionally, their security and notification requirements are solely determined by the European Commission, ensuring the integrity, availability, confidentiality, and compliance of the services provided. Monitoring, auditing, testing, handling of incidents and compliance with international standards are some of the measures. 

Both OESs and DSPs have more or less the same alert and incident notification system. The concept is to notify and report incidents affecting the continuity of their essential services to the appropriate authority of their country as soon as possible. To do so, data about the duration of the incident, the market value and the dependence of the affected entity, as well as the area size and population affected, are taken into consideration.

Table 1: Sectors subject to the provisions of the Directive 

The need for a change – NIS2 Directive 

Clarity and “entities’ coverage” issues, bound together with a “not as expected” NIS performance, led to an ineffective and insufficient Directive. Furthermore, the evolution of digitalization, the exponential increase in cyber threats, the extensive use of cloud services and the adoption of smart working caused by the pandemic accelerated the procedures carried out by the EU to revise the Directive in force.

For the above reasons, the European Commission published a proposal for the revision of the NIS, named NIS2, in December 2020. The new Directive aims to strengthen the requirements, employ stricter control, audit and reporting measures, and homogenize sanctions regimes across EU countries. With NIS2, the EU intends to increase the cybersecurity and resilience posture of specific private and public areas throughout the Union.

The OES and DSP designations will no longer be used. Instead, as outlined in Annex I and Annex II of the proposed Directive, the entities involved will be divided into two categories: “essential sectors” and “important sectors”. Essential sector entities include but are not limited to the health, energy, transport, banking, digital infrastructure, public administration, and space sectors. Medical device manufacturers, postal services, waste management, food production and processing, and digital providers are a few of the entities in the important sector category. Size-cap rules will automatically include enterprises within the NIS2 scope of application. Also, small companies with a high-risk profile are likely to fall under the NIS2 umbrella.

The Directive’s applicability will be broader, incorporating not only the sectors based on their economic and societal criticality, but also sectors for which cybersecurity concerns increased due to the COVID-19 pandemic, such as the healthcare sector and critical device manufacturers.

NIS2 promises to enhance coordination aspects in order to reduce the vulnerabilities of the sectors covered. Provisions about supply chain security and risk assessments, encryption and vulnerability disclosure, information sharing facilitation among covered entities, risk management, a minimum set of mandatory security elements, and timely incident reporting will be included in the NIS2 bouquet. This will be tied together with a ribbon of administrative sanctions and fines of up to €10 million (similar to those of GDPR) for those who neglect their cybersecurity obligations.

Cybersecurity of key communication and information technologies will be strengthened. Furthermore, the proposal for the establishment of a central agency, the European Cyber Crises Liaison Organization Network (EU-CyCLONe), will support the coordination of large-scale security crises at the EU level. 

Way ahead 

In the last quarter of 2021, the Council of the EU and the European Parliament adopted their approaches to the draft Directive. Amendments were introduced by both sides; these are being examined during the trilogue negotiation procedure that started in January 2022. Considering the duration of the interinstitutional process to come up with a mutually agreed NIS2 text, and the estimated period needed for the members to transpose the Directive into their national laws, the deadline for NIS2 compliance is expected to be in 2024.

ADACOM experts can guarantee your entity a smooth transition to the NIS2 era.