New Directive NIS2
Aware of the extensive use that society makes of networks and information systems (IS), the European Union adopted on July 6, 2016, Directive (EU) 2016/1148 of the European Parliament and of the Council “concerning measures for a high common level of security of network and information systems across the Union”, known as the NIS directive.
What is the NIS2 Directive, and what is its purpose?
The NIS Directive aims to standardize the general level of security of networks and IS in the European Union. To this end, it establishes obligations and measures for entities on cybersecurity risk management, notifications, etc., together with supervision and enforcement applicable to member states.
These measures were first applied in 2016. However, the increase in remote transactions during the COVID-19 pandemic brought a rise in cyber-attacks, revealing the rules set out in the NIS directive to be insufficient or lax. For this reason, the European Union reformed the Directive, tightening the cybersecurity measures required for networks and systems, making the rules mandatory for specific types of entities, and establishing fines.
Finally, on December 27, 2022, the new Directive (EU) 2022/2555, known as NIS2 and applicable to all member states, was published in the Official Journal of the European Union (DOUE).
In the case of Spain, NIS2 will coexist with the current Royal Decree 43/2021 on the security of networks and information systems until its full implementation on October 17, 2024.
What changes in the new NIS2 Directive?
In the previous NIS directive, the EU listed evaluation criteria and designated the companies that fell within the applicable standard, which was limited to the group of “essential service” companies. NIS2 expands the scope of entities that must comply with its guidelines by adding a new group, “important entities”.
Let’s see what the requirements are for each group:
Essential entities
- Companies with more than 250 employees, a turnover of more than 50 million euros and a balance sheet of more than 43 million euros.
- The sectors included in this category are: Energy | Health | Banking entities | Transportation | Financial markets | Drinking water suppliers and companies | Wastewater suppliers and companies | Digital (cloud computing service providers, content delivery networks, Qualified Trust Service Providers) | ICT service management | Space and Public Administration.
- Essential entities will be subject to active supervision.
- Administrative sanctions for non-compliance increase to a maximum of 10 million euros or 2% of annual turnover, whichever amount is higher.
Important entities
- Companies with 50 to 250 employees, a turnover of between 10 and 50 million euros and a balance sheet of less than 43 million euros.
- The sectors included are: Postal services | Courier services | Waste management | Chemical substances | Food | Industry | Digital services (online marketplaces, online search engines, social networks) | Research.
- Important entities will be subject to passive supervision.
- Administrative sanctions for non-compliance will be lighter than those for essential entities.
Although the new NIS2 directive defines the groups of entities and sectors it covers, it also extends the scope of its application: member states may include sectors not listed, regardless of the company’s size.
NIS2 excludes from its scope entities working in defense or national security, such as police or judicial services.
Other measures adopted by the new NIS2 directive are:
- The reconciliation of the regulations. The European Union Agency for Cybersecurity (ENISA) must provide Member States with the necessary guidance to adjust their cybersecurity protocols at national level according to the requirements of the new directive.
- New security requirements. New security requirements include software updates, device configuration, network segmentation, adoption of zero trust measures, identity management, supply chain security, encryption, vulnerability disclosure, and incident response.
In addition, as a preventive measure, the new NIS2 directive requires entities to raise user awareness and organize training for their staff to inform and raise awareness about cyber threats.
- Notification of security incidents. To improve communication between the Member States and create a more efficient environment of cooperation and trust among them, NIS2 establishes a network of Computer Security Incident Response Teams (CSIRT network).
At national level, the new NIS2 directive preserves each member state’s freedom to regulate incidents that have no repercussions for other countries of the Union. In the event of cybersecurity incidents, companies must notify the authorities within 24 hours and submit a detailed report within 72 hours (a shorter reporting period than before).
- Organizational obligations. Companies must have a document specifying their digital security policy and, from this, generate security protocols that apply the NIS2 regulation.
- Inclusion of the supply chain. Companies must comply with the new security measures and, in turn, demand them from their suppliers and third parties.
- Coordination between European and national institutions. Public-private collaboration to create cooperation networks, by establishing associations in the field of cybersecurity that favor the exchange of knowledge and good practices.
For its application in the field of coordination between European and national institutions, the directive highlights the following points:
- The designation of a single point of contact, namely the person in charge of security (CISO), who is responsible for coordinating issues related to the security of network and information systems and for cross-border cooperation at Union level.
- Equipping the organization technically with the latest technologies, such as artificial intelligence, and organizing the prevention, detection and response to incidents and cyberattack risks in order to reduce them.
At Víntegris, as Trusted Service Providers and a company considered “essential” by the NIS2 Directive, we have security policies to safeguard our networks and the information we keep, prevent cyberattacks, and detect risks. To accomplish this, we have our cybersecurity manager, Victoria Hernández (CISO), and her team, who are responsible for creating and applying zero-trust security policies to guarantee the integrity of networks and information, as well as attending external audits, which, it must be said, we have been doing with excellence since we became Qualified Trust Service Providers in 2016.