New NIS 2 Directive: New rules for enhanced cybersecurity

NIS 2: How companies need to prepare for its security imperatives

Cyberattacks are multiplying and becoming increasingly sophisticated. The attacks of 2022 made it clear that cyber threats such as ransomware, phishing and president scams make no distinction between small, medium-sized and large companies. This trend towards “supply chain attacks”, where subcontractors are targeted to infiltrate their customers’ networks, has been growing, with notable compromises such as that of SolarWinds. In 2020, SolarWinds, a company specializing in network management and IT security software, revealed that it had been infiltrated by cybercriminals who compromised its Orion software. This attack enabled the attackers to distribute malicious updates of this software to numerous client organizations. The attackers succeeded in inserting malicious code into updates for SolarWinds’ Orion software, leading to the compromise of the networks of numerous companies and government agencies using the software. This widely publicized attack was dubbed a “supply chain attack”, as it exploited users’ trust in software updates from a reputable source. The SolarWinds attack had far-reaching repercussions and highlighted potential vulnerabilities in the software supply chain, prompting many companies to strengthen their security measures to guard against such attacks. Rather than attacking companies directly, cybercriminals are increasingly choosing to go through their subcontractors to propagate more easily into their customers’ networks. All businesses are now susceptible to cyber attacks. Small and medium-sized businesses are 4.5 times more likely to fall victim to cyber attacks than larger companies combined. They are particularly targeted by malware capable of encrypting their information systems and destroying their backups. This modus operandi has demonstrated its ability to cause business failure in the most serious cases. This underscores the importance for every company to be prepared for any attack.

Against this backdrop, the NIS 2 Directive (Network and Information Systems Security Directive) is a major development aimed at strengthening the protection of digital infrastructures in Europe. The NIS 2 Directive, the successor to the NIS 1 Directive, is one of a number of major initiatives aimed at establishing a more robust and harmonized framework for network and information system security. For many companies, this new directive is the subject of much debate and questioning. What will be its impact and importance for companies and administrations in the EU?

What is the NIS2 directive?

The NIS 2 directive (Network and Information Security, version 2) is a European regulation designed to harmonize and strengthen cybersecurity within the European Union. It is the successor to the NIS 1 directive, and introduces new measures to ensure a high level of security for networks and information systems. The NIS2 directive was adopted in January 2023. EU member states will have a certain amount of time to transpose this directive into their national legislation.

Who is affected by NIS 2?

The NIS2 directive covers a wide range of business sectors. The NIS2 Directive is aimed at private companies, public administrations and other entities operating within the EU.
One of the strategic objectives of NIS 2 is to extend the scope of NIS to cover essential service operators and digital service providers in sectors deemed “critical to the economy and society”. NIS 2 will cover providers of public electronic communications services, digital services (covering social networking service platforms and data center services) and healthcare services, including entities operating in the medical device and life sciences sectors, in particular pharmaceutical research and development, as well as medical device manufacturers.

The NIS 2 Directive mainly concerns two categories of entities:

Operators of Essential Services (OSE): Essential Entities (EE), already present in the first version of the NIS1 Directive. OSEs / EEs are entities that operate services that are essential to society and the economy. This includes sectors such as energy, transport, healthcare, banking and financial services, water, digital infrastructure and digital services.

Digital Service Providers (DSPs): Significant Entities. DSPs / IEs are companies or organizations that provide digital services, such as cloud services, online platforms, search engines, e-commerce services, and other similar services. They are subject to the directive if they meet certain threshold conditions in terms of the number of users or the financial value of the services provided.

Under the NIS 2 directive, an entity qualifies as essential or significant on the basis of two criteria:

• The size of the entity (number of employees, sales, annual balance sheet);
• The criticality of the business sector: to what type of entity do the activities carried out by the entity refer?

What are the main changes compared to NIS1?

The NIS 2 Directive introduces several important changes compared to the NIS 1 Directive, including :

Broadening the Scope: NIS 2 extends the scope of the Directive to include a wider range of business sectors and digital service providers. Companies in new categories could therefore be subject to cybersecurity obligations.
Enhanced security requirements: The directive imposes enhanced security requirements, including more rigorous preparedness and incident management measures, as well as stricter incident reporting obligations.
Security Scoring: NIS 2 introduces a security scoring system to assess the resilience of PSDs and ESOs. This will enable competent authorities to identify players with higher levels of security.

The NIS 2 Directive introduces several new obligations for the entities concerned. For essential and important entities, new technical, organizational and operational measures will have to be put in place:

1. Contractual obligation for supply chain security. Entities must guarantee that information security is maintained throughout the supply chain. This means that suppliers, subcontractors and other partners must also comply with appropriate security standards.
2. Reporting obligation. The directive requires that security incidents with a significant impact on the continuity of essential services be reported to the competent authorities within a specified timeframe.
3. Management responsibility. Management is responsible for ensuring that security policies and procedures are implemented, maintained and regularly reviewed.

What steps must companies and local authorities take to comply with the NIS2 directive?

Businesses and local authorities will need to reinforce their security standards, set up incident reporting mechanisms, and possibly carry out risk assessments and security audits. They will also have to work closely with the relevant national authorities.

Implementation of specific cybersecurity measures:

• implementation of risk analysis and information systems security policies. Each entity will therefore have to audit its structure, in order to assess the cyber risk,
• incident management,
• establish business continuity plans (BCP) and disaster recovery plans (DRP). Measures to ensure business continuity in the event of an incident. This involves, for example, proper management of backups and crisis management measures.
• security in the acquisition, development and maintenance of networks and information systems,
• assessment of cyber-risk management measures,
• the application of cryptographic policies and procedures, and the use of cryptographic techniques to encrypt information for greater protection,
• asset management and access control policies: exemplary access control, to avoid intrusions and benefit from robust security,
• training employees in good cyber hygiene, including best practices to be systematized throughout the company,
• implementation of multi-factor authentication solutions. Multi-factor authentication (MFA) and strong authentication should be favored for greater security.
• the obligation for companies to issue an initial alert to ANSSI within 24 hours in the event of a security incident.

What does a company risk if it does not comply with this directive?

Companies that fail to comply with the NIS 2 directive could face financial penalties. NIS 2 will introduce a system of fines for non-compliance. Maximum potential fines for non-compliance could reach either 10 million euros or 2% of worldwide annual sales for “essential” entities, or 7 million euros or 1.4% of worldwide annual sales for “important” entities. Notably, where non-compliance with NIS 2 may also involve a personal data breach, no fine will be imposed under the EU’s NIS2 and RGPD regimes, if the breach results from the same security event. Furthermore, in the event of a security incident resulting from non-compliance, they could be held liable for any resulting operational or financial damage. Each member state has until October 2024 at the latest to transpose the NIS 2 directive into its national regulations. It is conceivable that some countries will accelerate the process, as the national versions of NIS 2 are based on the existing national versions of NIS 1.

Responsibility for top management

The NIS 2 Directive emphasizes the responsibility of top management within organizations. Top management must take an active role in cybersecurity management, and ensure that appropriate measures are in place to protect networks and information systems.

Raising awareness among teams and management

Cyber security awareness is essential to ensure compliance with the NIS 2 Directive. Companies need to invest in training their staff to recognize and prevent cyber threats. Management must also be made aware of the importance of cybersecurity and compliance with the Directive.

The NIS 2 Directive represents a major milestone in the strengthening of cybersecurity in Europe. Businesses and local authorities must take immediate steps to comply with these regulations, strengthen their resilience to cyber-attacks and prevent security incidents. Compliance with the directive is essential to avoid significant financial penalties and protect your organization’s reputation and trust. Numerous resources are available to help companies comply with the NIS2 directive, such as the guides and recommendations published by ANSSI (Agence nationale de la sécurité des systèmes d’information) in France. It is also possible to enlist the help of specialized cybersecurity service providers to support your company in its efforts.

Altospam’s solutions help companies to comply in part with the NIS 2 Directive by strengthening the security of their e-mail (the 1st attack vector) and protecting their information systems against cyberthreats. Altospam’s Mailsafe offers advanced protection against threats including phishing attacks, ransomware and malware. The solution’s anti-spam, anti-phishing, anti-ransomware and anti-malware filters block malicious e-mails before they reach users’ inboxes. Altospam solutions can form an important part of a company’s overall security strategy to meet NIS 2 requirements. However, full compliance requires a holistic approach to information security and risk management.

WHAT YOU NEED TO KNOW – The new obligations
Implementation of technical, organizational and operational measures:
Risk analysis, BCP, network security, employee training, use of cryptography, access control, multi-factor authentication, incident reporting.