The Directive on Security of Network and Information Systems (NIS Directive) is a European Union (EU) directive aimed at improving the overall level of cybersecurity within the EU. The NIS Directive outlines requirements for operators of essential services, such as implementing specific security measures and reporting significant cybersecurity incidents to relevant authorities. The NIS Directive was updated with the NIS2 Directive proposal, which strengthens and expands the scope of cybersecurity requirements. In this blog post, we’ll answer some frequently asked questions about the NIS2 Directive.
Who does the NIS2 Directive apply to?
The NIS2 Directive applies to any medium or large enterprise operating in the sectors listed below. Essential entities will be more tightly supervised and more heavily sanctioned than important entities.
Essential entities are large companies operating in sectors on the high criticality list. A large entity is a company with at least 250 employees, an annual turnover of at least €50m, or an annual balance sheet total of at least €43m. Important entities are medium-sized enterprises operating in sectors of high criticality, or medium or large enterprises operating in sectors that are not considered essential, given the entity’s size or type. A medium-sized enterprise is defined as one with at least 50 employees, or an annual turnover or balance sheet total of at least €10m.
There are a few exceptions to these classifications. In some sectors, entities, regardless of their size, are designated as essential. Some of these include providers of public electronic communication networks, entities designated as critical at the national level under the Block Exemption Regulation, government services (at the central level), qualified trust service providers, and top-level domain name registries and DNS service providers. National authorities may also specifically designate entities as “essential” or “important” if they are the sole service provider or when a disruption in service could have significant consequences for public safety, public security, or public health.
What sectors are included in the high criticality list?
Below are the essential services included in the high criticality list:
- Energy (electricity, district heating and cooling, petroleum, natural gas, and hydrogen)
- Transportation (air, rail, water, and land)
- Banking
- Financial market infrastructure
- Health (which no longer includes only hospitals but also reference laboratories, medical device or pharmaceutical preparation manufacturers, and others)
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management
- Public administration (central and regional)
- Space
- Postal and courier services
- Waste management
- Manufacturing, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing (of medical devices and in vitro diagnostic medical devices; computer, electronic, and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers, and semi-trailers; other transportation equipment)
- Digital providers
- Research
How can I use the Compliance Assessment Framework (CAF) to evaluate NIS2 compliance?
Providers of essential services falling within the scope of the NIS regulations are subject to audits by the competent authorities. The CAF was developed by the NCSC as a framework allowing competent authorities to determine if a provider has applied appropriate measures to protect the security of their network and information systems. The CAF can also be used for self-assessment purposes.
What are the pillars of the CAF?
- Managing security risk
- Defending against cyberattacks
- Detecting cybersecurity events
- Minimizing the impact of cybersecurity events
What are the key dates to know in relation to the NIS2 Directive?
Here is a quick timeline of the NIS2 Directive’s history and what is coming next:
- July 2016: NIS Directive introduced
- December 2022: NIS2 signed to expand scope
- October 18th, 2024: deadline for transposition of NIS2 into national law
- January 2025: NIS2 in effect and registration of entities
What are recommended ISO and other frameworks for compliance?
Relevant entities can consider one or more of the following frameworks to help achieve compliance:
- ISO 27001—Information security management
- ISO 22301—Business continuity management
- The European Union Agency for Cybersecurity (ENISA) guidelines
- Control Objectives for Information and Related Technologies (COBIT)
- Information Technology Infrastructure Library (ITIL)
- Business Continuity Management (BCM) standards
- Center for Internet Security (CIS) Controls
- NIST Cybersecurity Framework (NIST CSF)
Are there fines for NIS2 Directive violations?
Violations of the risk management or incident reporting obligations can incur sanctions. We break down these penalties below.
NIS2 Directive fines for essential entities
Essential entities, specifically the company to which an essential entity belongs, will be charged administrative fines of up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year, whichever amount is higher.
NIS2 Directive fines for important entities
Important entities, specifically the company to which an important entity belongs, will be charged administrative fines of up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year, whichever amount is higher.
For the public sector, the transposing legislation may provide that the administrative fines do not apply to public administration entities. However, the other administrative sanctions will apply.
What are the primary controls of the NIS2 Directive?
There are different key and supplementary controls in relation to governance and process, organization and people, and technology and security capabilities.
Regarding governance and process, key controls include risk analysis and information system security policies, assessing the effectiveness of cyber risk management, and business continuity. Supplementary controls include policies and procedures, risk management, disaster recovery and business continuity, security requirements, and reference network architecture.
Regarding organization and people, key controls include ensuring the management board approves and oversees the cyber risk management approach, computer hygiene practices and cybersecurity training, and supply chain security. Supplementary controls include clearly defining roles and responsibilities, security training, and third-party assessment.
Regarding technology and security capabilities, key controls include incident handling, cryptography and encryption, vulnerability handling and disclosure, access control policies and asset management, and use of multi-factor authentication and secure communication systems. Supplementary controls include asset inventory, network segmentation, patch and vulnerability management, and remote access security.
Other NIS2 Directive control details
- Risk management: Entities are expected to conduct risk assessments to identify and prioritize potential cybersecurity risks to their networks and information systems.
- Security measures: Entities are expected to implement appropriate technical and organizational measures to ensure the security of networks and information systems, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
- Incident detection and response: Entities are expected to establish incident detection and response capabilities to detect, handle, and respond to cybersecurity incidents in a timely and effective manner. This includes implementing security monitoring, incident response procedures, and mechanisms for reporting incidents to relevant authorities.
- Business continuity and disaster recovery: Entities are expected to develop and maintain business continuity and disaster recovery plans to ensure the availability and resilience of essential and digital services in the event of a cybersecurity incident or disruption.
- Information sharing and cooperation: Entities are expected to promote information sharing and cooperation between entities, competent authorities, and other relevant stakeholders to enhance cybersecurity resilience and response capabilities.
- Security governance and accountability: Entities are expected to establish clear governance structures, roles, and responsibilities for cybersecurity within organizations. They must ensure accountability at all levels to implement and maintain effective cybersecurity measures.
- Supplier and third-party management: Entities are expected to assess and manage the cybersecurity risks associated with third-party suppliers and service providers, including contractual arrangements, security requirements, and monitoring mechanisms.
- Security awareness and training: Entities are expected to provide cybersecurity awareness training and education to employees, contractors, and other relevant personnel to promote a culture of cybersecurity awareness and best practices.
- Encryption and access controls: Entities are expected to implement encryption and access controls to protect sensitive data and ensure that only authorized users have access to critical systems and information.
- Compliance and reporting: Entities are expected to maintain records of cybersecurity measures implemented and incidents experienced and report significant cybersecurity incidents to relevant authorities in accordance with legal requirements and guidelines.
How can Bugcrowd help with NIS2 Directive compliance?
Bugcrowd can help you achieve compliance with these regulations in several ways. Our Vulnerability Disclosure Programs (VDPs) support supplier and third-party monitoring and information sharing. Managed bug bounty programs are also key in vulnerability handling and disclosure. Pen testing as a service is another crucial general security measure that supports NIS2 Directive compliance.
Keep in mind that specific security controls and requirements may vary depending on the sector, size, and complexity of your organization. Organizations subject to the NIS Directive should closely monitor updates and guidance provided by relevant authorities to ensure compliance with legal obligations and best practices in cybersecurity.