Regulatory Reflections: The NIS-2 Directive

Date Published: September 4, 2024

In an era when connectivity is king, no part of the globe is safe from those seeking to infiltrate digital networks. This is certainly true in Europe, where hackers have repeatedly breached systems across the European Union (EU) and beyond in 2024. In March, France fell victim to a sustained wave of cyber-attacks targeting key ministries and government bodies. And in May, European Commission President Ursula von der Leyen said her electoral website had been ‘attacked by bots.’ The EU has been working for some time on a new piece of legislation that it hopes will create a cybersecure Europe. It is known as NIS-2.

The original directive
Adopted in July 2016, the original ‘Network and Information Systems Directive (NIS)’ was the first piece of EU legislation specifically focused on cybersecurity. Intended to create a common level of security for systems critical to the economy and wider society, NIS aimed to address threats against two types of organizations – ‘operators of essential services (OES)’ and ‘relevant digital service providers (RDSPs)’.

Under NIS, sectors such as energy, transport, finance, health, and utilities were typically considered essential services. Businesses that provided digital services such as search engines or online marketplaces fell under the bracket of RDSP.

The directive required OES and RDSPs to take appropriate and proportionate measures to manage network security risks, including incident handling and business continuity management. Monitoring, auditing, and testing in consultation with the European Union Agency for Cybersecurity (ENISA) were intended to ensure that businesses made sound cyber-security decisions. Member states also created Computer Security Incident Response Teams (CSIRTs) to provide swift cooperation on incidents, all in aid of a more cybersecure EU network.

But nearly a decade on, the EU has re-evaluated the directive. Often criticized for its lack of clarity, insufficient scope, and weak enforcement, NIS has now evolved into NIS-2 to address those failings and ensure greater security for European citizens and businesses.

Necessary enhancements
Under NIS-2, organizations are now split into two categories: essential and important entities. ‘Essential Entities’ are those in sectors deemed critical to societal and economic activity. Spanning energy, transportation, banking, health and water, these sectors are subject to stricter requirements in NIS-2 to ensure that vital company and customer data is secure. The other category, ‘Important Entities’, covers sectors crucial to the functioning of society and the economy: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research.

Organizations in both categories must meet the baseline requirements of the directive to defend the EU’s cyber security network. Arguably the most important requirement of the directive, cybersecurity risk management, is set out in Article 21. It outlines the framework every organization must have in place to protect its network and information systems, including the use of multi-factor authentication, procedures to assess the effectiveness of those risk-management measures, and risk analysis. This pragmatic approach of preparing for the worst is the best way to safeguard information and network systems.

Also critical are Articles 20 and 24, which identify the training and standards companies should adopt to support their security efforts. Management is obliged to undergo regular cyber-security training and should encourage employees to do the same. Products and solutions intended to fortify systems must be approved through European cybersecurity certification.

Reporting and compliance
Where the original directive fell short on incident reporting, NIS-2 certainly makes up for it. Under Article 23, any potential breach that may compromise operations has to be reported, in basic terms, within 24 hours of initial detection. A follow-up report must then be issued within 72 hours, followed a month later by a detailed audit outlining the extent of the attack and the preventative measures put in place to protect systems. Businesses can also expect regular requests for information, on-site or off-site security checks, and detailed security audits to ensure their protections are sufficient.

The penalties have been significantly revamped compared with the previous directive, acting as a firm deterrent to negligence. Essential entities will face fines of up to 10 million euros, or 2% of their annual turnover, whichever is greater. For important entities, the fine is slightly less severe: 7 million euros, or 1.4% of their annual turnover.

The role of trusted computing
While NIS-2 does a good job of identifying the principles and actions businesses must take, introducing assured systems and standards is a different matter. Organizations will want to make the best-informed decision when selecting any solutions or components to bolster their cyber-security. Adherence to NIS-2 will be key, but so too will be adherence to the latest computing standards and specifications.

The backbone of a sustainable cyber ecosystem is the products themselves. Decision makers and key professionals now have an important choice to make when selecting solutions, including those from Trusted Computing Group. Reliable components such as a Root of Trust (RoT), the Trusted Platform Module (TPM), the Device Identifier Composition Engine (DICE) and Cyber Resilient Technologies (CyRes) all provide the layer of security needed to protect the integrity of critical systems.

TCG strongly supports the introduction of this revised directive. Taking such a proactive approach to cyber-security concerns paves the way for other regions to follow suit, mitigating the ever-growing threat that attacks represent. By implementing suitable solutions and standards and by increasing penalties, we will see transparent communities across the globe, in which entities can share best practices and optimal security measures for more secure network ecosystems.
