Guarantor of Digital Security in Europe
If you’re a CISO, DPO or cybersecurity legal expert, you can’t escape NIS2, a major piece of European Union cybersecurity legislation. How does it differ from NIS, and what impact does it have on your business?
Foundations of the NIS Directive
Originally established in 2016, the NIS Directive was designed to ensure the security of networks and information systems in the European Union and thereby improve the functioning of the internal market. It aims to guarantee the security of data stored, transmitted and processed, with particular emphasis on the notification of incidents, the seriousness of such incidents, and the sharing of information between the players involved. It imposes specific obligations on Essential Service Operators (ESOs), particularly in the following sectors:
- Energy
- Transport
- Banking
- Financial markets
- Health
- Drinking water
There are also digital service providers (DSPs) such as:
- online marketplaces
- search engines
- cloud services
ESOs must take technical and organisational measures to manage IT security risks and ensure business continuity.
DSPs, for their part, must guarantee the security of systems and installations, incident management, business continuity, as well as monitoring, auditing and control, while complying with international standards.
When is it due?
The NIS2 Directive was published in the Official Journal of the EU on 27 December 2022. It must be transposed into the national law of each EU country; it cannot be applied as such. Member States therefore have 21 months from that date to transpose it into national law – i.e. before October 2024. In France, for example, this is the deadline announced by ANSSI, the competent national authority. However, it should be noted that this is the deadline for transposition into national law for the Member States, and not the compliance date for entities subject to NIS2. The latter will most likely have additional time to comply with the directive once it is applied in their respective countries.
Extension and reinforcement with NIS2
With the adoption of the NIS2 Directive, security requirements have been considerably strengthened for ESOs and DSPs. This new version imposes more rigorous standards to guarantee the protection of networks and information systems. ESOs must now comply with even stricter security protocols, including advanced technical and organisational measures to prevent cyber attacks and ensure business continuity. In addition, they are required to notify security incidents to the relevant authorities within even shorter timeframes, thereby speeding up the response to any threats. Digital service providers must also step up their security efforts. They need to put in place stronger safeguards to ensure the security of systems and installations, as well as to manage security incidents effectively. This proactive approach aims to reduce the risk of cyber attacks and ensure a safer and more resilient digital environment for the European Union as a whole.
Cooperation and Coordination in Cybersecurity
The NIS2 Directive also aims to strengthen cooperation between EU Member States on cybersecurity. It enables:
- The exchange of relevant information on cybersecurity threats and incidents to strengthen collective vigilance against potential attacks.
- Coordination of security measures taken by Member States, facilitating a faster and more effective response to emerging threats.
- The adoption of common cybersecurity standards and best practices between Member States, facilitating cooperation and mutual understanding of challenges and solutions.
- Strengthening Member States’ cybersecurity capabilities through training, joint exercises and collaboration with specialised agencies such as ENISA (the European Union’s cybersecurity agency).
These actions aim to create an environment of enhanced cooperation between EU Member States. Thanks to CyCLONe, a collective and coordinated response is possible.
CyCLONe: A solution to the lack of communication
The NIS2 Directive formalises the CyCLONe network (Cyber Crisis Liaison Organisation Network). This is a formal European Union network designed to strengthen coordination and collaboration between the national cybersecurity agencies of EU Member States (e.g. ANSSI in France). CyCLONe facilitates effective, real-time communication on threats and incidents.
It also encourages strategic cooperation by identifying best practices and developing common strategies for dealing with emerging threats. In the event of a major crisis, CyCLONe enables coordinated action between national cybersecurity agencies, government authorities and other stakeholders for a rapid and effective response. By also promoting the sharing of resources, tools and expertise between EU Member States, the network strengthens the security and resilience of networks and information systems throughout the European Union.
Penalties:
In the event of non-compliance with the provisions of the NIS2 Directive, sanctions may be imposed on EU Member States. These sanctions may vary depending on the seriousness of the breach and its consequences. They may include formal warnings, financial fines and specific corrective measures imposed by the European Commission. Member States may also be required to remedy the breach within a specified period and to take measures to prevent any recurrence in the future. In addition, companies or organisations affected by the Directive may be subject to administrative or criminal sanctions at national level, in accordance with the national legislation of each Member State.
The Pillar of a Protected Digital Europe
The NIS2 Directive represents a crucial response to cyber attacks, aimed at ensuring a safer cyberspace.
However, strict compliance with these directives is only the starting point. Attacks are unpredictable and limitless, constantly evolving.
It is essential to understand that regulatory compliance alone is not enough to ensure robust security.
In the face of increasingly sophisticated and intelligent (read: AI) attacks, it is imperative to recognise that digital security is a constantly evolving challenge.
The more your business grows, the more vulnerable it becomes. This vulnerability is amplified by the increasing complexity of its infrastructures, whether on site or in the cloud.
It is advisable to engage with cybersecurity experts to ensure highly effective protection.
ESOs and DSPs must take immediate steps to strengthen their cybersecurity posture.
To protect themselves, they can use agile solutions on niche topics such as APIs, CI/CD, WAF, IAM, CDN and Kubernetes.
Failure to strengthen your security can have severe consequences and damage your company’s reputation. By implementing fortified cyber security, you can not only comply with regulations, but also consolidate resilience in the face of ever-changing threats. Only an ongoing commitment to improving security can guarantee adequate protection over time.