Navigating NIS2: A Comprehensive Guide to the EU's Cybersecurity Directive

The NIS2 Directive [(EU) 2022/2555] is a legislative framework designed to enhance cybersecurity across the European Union by establishing a high common level of security for network and information systems. It builds upon the original NIS Directive, expanding its scope and strengthening requirements to address evolving cyber threats. Member States have until October 17, 2024, to transpose the Directive into national law, legally obligating organizations to meet its requirements by Q4 2024. The NIS2 Directive entered into force on January 16, 2023.

Key Objectives and Components of NIS2
- Enhanced Cybersecurity: NIS2 aims to improve cybersecurity risk management and introduce reporting obligations across sectors like energy, transport, health, and digital infrastructure.
- Broader Scope: NIS2 applies to a wider range of entities than the original NIS Directive, including essential and important entities. It introduces a size-cap rule, meaning that all medium-sized and large entities operating within covered sectors fall within its scope.
- All-Hazards Approach: Essential and important entities must adopt appropriate measures to manage cybersecurity risks, protecting network and information systems and minimizing incident impacts. The directive mandates an "all-hazards" approach, preparing entities to address a wide range of threats, from cyberattacks to physical disruptions.
- Incident Reporting: Companies are required to notify incidents within specific time frames.
- Risk Management: NIS2 imposes a risk management approach, outlining minimum basic security elements.
- Accountability: Top management is accountable for non-compliance.

Key Changes Introduced by NIS2
- Expansion of Sectors: NIS2 increases the number of covered sectors from 7 to 15 to protect more vital areas. It adds new sectors and broadens inclusion criteria, categorizing entities as essential or important. Annex I lists sectors of high criticality, while Annex II includes other critical sectors.
- Stricter Requirements: Compared to NIS1, NIS2 substantially tightens the cybersecurity requirements imposed on covered entities and strengthens their enforcement.
- Increased Accountability for Management: NIS2 non-compliance can lead to legal ramifications for management teams, including fines. Management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements.
- Supply Chain Security: NIS2 addresses the cybersecurity of the ICT supply chain. Member States can require essential and important entities to certify specific ICT products, services, and processes under the EU Cybersecurity Act.

Entities Covered by NIS2
NIS2 applies to both "Essential" and "Important" entities, which are determined by factors such as size, sector, and criticality.
- Essential Entities: These operate in sectors of high criticality, such as energy, transport, banking, financial market infrastructure, health, digital infrastructure, and ICT service management.
- Important Entities: These operate in other critical sectors like postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research, and entities providing domain name registration services.

Responsibilities of Member States
- National Strategies: Member States must adopt a national strategy on the security of network and information systems.
- Designation of Authorities: Member States are required to designate national Computer Security Incident Response Teams (CSIRTs), a competent national NIS authority, and a single point of contact (SPOC).
- Cooperation: The NIS Directive establishes the NIS Cooperation Group to support strategic cooperation and information exchange among Member States.
- Transposition: By October 17, 2024, all EU Member States are required to adopt and publish the national measures necessary to ensure compliance with the directive. They shall apply those measures from October 18, 2024.

Cybersecurity Risk Management Measures
Essential and important entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems. These measures include:
- Policies on risk analysis and information system security.
- Incident handling.
- Business continuity, such as backup management and disaster recovery.
- Supply chain security.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Basic computer hygiene practices and cybersecurity training.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resources security and access control policies.
- Asset management.
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communications systems within the entity, where appropriate.

Incident Reporting
NIS2 imposes notification obligations in phases for incidents that have a 'significant impact' on the provision of services. Notifications must be made to the relevant competent authority or CSIRT.
- Early Warning: A preliminary notification must be submitted within 24 hours of becoming aware of an incident.
- Official Incident Notification: Following the early warning, a formal incident notification must include an assessment of the incident, its severity and impact, and any indicators of compromise.
- Intermediate Status Report: An intermediate status report is required at the request of the CSIRT or relevant competent authority.
- Final Report: A final report should be submitted no later than one month after the incident.

Enforcement and Penalties
NIS2 provides national authorities with a minimum list of enforcement powers for non-compliance. It makes provision to impose administrative fines for infringements.
- For essential entities, administrative fines with a maximum of at least €10,000,000 or 2% of the total worldwide annual turnover; that is, national law must set the fine ceiling no lower than these amounts.
- For important entities, administrative fines with a maximum of at least €7,000,000 or 1.4% of the total worldwide annual turnover, on the same basis.

The Relationship Between NIS2, DORA, and the AI Act
- DORA: In the financial sector, the Digital Operational Resilience Act (DORA) is considered a sector-specific Union legal act for the purposes of Article 4 of the NIS2 Directive. The provisions of DORA relating to ICT risk management, incident reporting, digital operational resilience testing, information-sharing arrangements, and ICT third-party risk shall apply instead of those provided for in the NIS2 Directive.
- AI Act: In cases where AI systems are used in sectors covered by NIS2, entities must comply with both NIS2 and the AI Act. They must leverage cybersecurity measures to support AI risk management and vice versa.

Challenges and Recommendations for Implementation
- Fragmentation: Resilience levels vary across Member States and sectors. Without a harmonized approach, Member States draw up their lists of operators of essential services (OESs) and digital service providers (DSPs) in significantly inconsistent ways.
- Need for Clear Guidelines: Clearer guidelines are needed for distinguishing between 'essential' and 'important' entities, and the respective requirements to be met should be more precisely defined.
To address these challenges, the following recommendations can be considered:
- Harmonized Approach: Establish a common set of criteria to ensure a harmonized process of OES identification.
- Information Sharing: Improve EU-level coordination of cyber-attack responses and alignment with other related EU legislation.
- Clear Definitions: Provide clearer guidelines for distinguishing between 'essential' and 'important' entities and more precisely define the requirements to be met.

Conclusion
The NIS2 Directive represents a significant step forward in the EU's efforts to enhance cybersecurity across its Member States. By expanding the scope of the original NIS Directive, strengthening security requirements, and increasing accountability, NIS2 aims to create a more resilient and secure digital environment for businesses and citizens alike. As Member States work to transpose the Directive into national law, it is essential for organizations to stay informed, assess their readiness, and take proactive steps to ensure compliance.