The European Union’s Network and Information Systems Directive (NIS2 Directive) is set to come into effect in October 2024.
Its aim is to enhance the resilience of private and public organisations throughout the EU. It is a fundamental overhaul of the original NIS, and communications service providers (CSPs) face more stringent regulation than under the previous directive. With strict penalties for non-compliance, is your organisation NIS2-ready? Find out how We Are CORTEX can help CSPs achieve the automation you need for compliance by downloading our latest paper.
On 16 January 2023, European Union (EU) Member States enacted a new version of the Network and Information Systems Directive (NIS2 Directive), which repeals and replaces the original 2016 NIS Directive. NIS2 was brought into force following a growing number of well-documented cyberattacks throughout the EU, and to better defend “critical entities” against supply chain vulnerabilities, ransomware attacks and other cyber threats.
NIS2 expands the breadth and depth of the original NIS Directive. This means that some organisations previously exempt may now need to reassess their obligations, and those already covered by the original NIS may have been given an amended classification and new responsibilities, which may require a revamp of security infrastructure and/or policies.
Europe overhauls cybersecurity practices and management with NIS2
Its aim is to enhance the resilience of private and public organisations throughout the EU. As well as applying to individual States, it also creates a European cybersecurity management framework with the aim of collectively strengthening security throughout by enhancing knowledge sharing and security frameworks between Member States.
Some of the most significant amendments outlined in NIS2 (over the original), include:
- The adoption of 10 core cybersecurity measures that all relevant organisations must implement.
- Ensuring the security of ICT supply chains and supplier relationships.
- Imposing direct obligations on “management bodies” in respect of an entity’s compliance with NIS2.
- Streamlining reporting requirements.
- Giving more power to national authorities to supervise companies, particularly in critical sectors.
- Strengthening sanctions and penalties for non-compliance.
- Enhancing co-operation and information sharing between EU Member States.
NIS2 is designed to cover multiple sectors – including, of course, providers of communications networks and services, which essentially means every telco and operator in the EU.
As Ernst and Young (EY) has noted, this means action needs to be taken now. Among the five key things EY says organisations covered by NIS2 need to know, of particular interest is the increased accountability and responsibility that vests with senior management. Failure to comply may hit organisations at the very highest levels.
And there’s the threat of significant penalties – up to 2% of annual turnover – reinforced by a stronger regulatory and reporting regime.
All EU member states must incorporate NIS2 into their respective national laws by October 2024. Importantly, by association, non-member states such as Norway and the UK must ensure they are compliant due to strong trading links with nations within the EU.
New NIS2 classification rules: ‘Essential’ and ‘important’ critical entities
One of the main changes in NIS2 over the original regulations is that it revises how companies are classified.
For example, CSPs and digital providers are now classed as “critical entities”. Under NIS, entities were classified as either “operators of essential services” or “digital service providers”, but this distinction did not reflect the importance of the entity to society and the economy.
That’s why NIS2 distinguishes between “essential” critical entities and “important” critical entities. The obligations are the same for both, but essential entities are subject to more stringent enforcement measures and sanctions. Notably, any entity providing critical services to the EU, regardless of where it is based, is also subject to NIS2.
CSPs fall under digital infrastructure (essential critical entities), while providers of public electronic communications networks or services, such as social media, are included as important entities for the first time.
For both sets of entities, Article 21 of NIS2 directs member states to ensure that entities manage risk by implementing robust systems, policies and best practices covering a number of cybersecurity measures and disciplines, as outlined below:
- Risk handling, analysis and information system security.
- Incident handling and reporting.
- Business continuity, such as backup management and disaster recovery.
- Crisis management.
- Supply chain security.
- Systems acquisition, development, and maintenance security.
- Basic cyber hygiene practices (a common baseline set of practices to provide a proactive framework of preparedness) and cybersecurity training.
- Encryption technologies.
- Human resources security, access control policies and asset management.
- Zero Trust access (multifactor authentication, continuous authentication).
- Importantly, unlike under NIS, NIS2 security requirements apply to the entire supply chain, including sub-contractors and the CSPs supporting them.
Under NIS2, critical entities also have stricter obligations to report incidents, and must now:
- Provide initial notification of a significant security incident within 24 hours of detection.
- Deliver an initial assessment of the incident within 72 hours of detection.
- File a detailed final report within a month of detection.
NIS2 non-compliant organisations face significant financial penalties. Are you personally liable?
The cost of non-compliance cannot be overstated. Member States can apply fines of up to €10 million or 2% of annual revenue for non-compliance or certain breaches. In addition, critical entity management bodies (i.e., C-level executives) can be held personally liable for failure to meet their obligations.
It means that organisations must prepare for NIS2 compliance in a holistic manner that also considers other legislation and regulations, such as GDPR – for example, a GDPR-compliant incident response may not be sufficient to meet NIS2 requirements. And time is of the essence.
So, how can CSPs meet these new, much stricter, requirements, while ensuring that they continue to meet other relevant laws?
While Article 21 of NIS2 provides a comprehensive outline of the different responsibilities, from an operational point of view meeting them will require significant automation of both processes and infrastructure, particularly given the additional complexity of cooperating, monitoring and sharing data across borders throughout the EU. Manual processes will simply not be fit for purpose.
Operational and network automation is imperative for meeting NIS2 obligations
For example, a consultation by the European Commission between February and May 2023 explicitly states the vital role that automation will play. “Promoting cross-sectoral cooperation is critical, for stakeholders, because connectivity, cloud, and automation are key drivers for many vertical industries”, it says.
This is critical – automation is fundamental to ensuring compliance with NIS2. For example, automation can help:
- Reduce and restrict human access to critical systems and information.
- Validate compliance alignment and reporting.
- Audit systems, data and users to ensure correct operation.
So, to meet the challenge of NIS2, you need to think now about your automation development and implementation plans – and the landscape you need to automate.
That’s where we come in. We Are CORTEX can help you manage compliance with NIS2, and importantly help to provide the significant additional benefits that automation brings – digital transformation, operational efficiency, competitive differentiation, cost savings, elimination of human error, and more.
Automation is a journey, and We Are CORTEX has years of experience in helping organisations of all sizes to implement automation technologies and platforms that enable compliance, as well as business success.
Put simply, automation has become a key imperative for all CSPs, particularly in the light of NIS2. As well as the internal benefits that real-time autonomous operations deliver, automation is essential for meeting the challenge of new regulations and ensuring compliance.
We Are CORTEX offers proven, network-hardened solutions that enable CSPs to navigate their automation journeys and ensure compliance with all relevant regulations. To find out more, download our latest in-depth paper below.