ESET welcomes the decision of EU legislators to adopt the second Network and Information Security Directive (NIS2) aimed at strengthening cyber resilience across the Union. The new legislation comes as a response to the growing dependency of critical sectors on digitalization and their higher exposure to cyber threats.
The directive now approved replaces the NIS directive introduced in 2016 as the first-ever EU-wide legislation on cybersecurity. NIS2 introduces a broader scope of action, impacting more entities in “high criticality” sectors, both the public and private sectors, such as energy, transport, banking, water and waste water, among other critical infrastructure. Whilst new obligations are brought in for those in other “critical” sectors such as manufacturing, food, chemicals, waste management, postal and courier services.
Enterprises classed as “High Criticality” will be required to take both technical and operational measures to comply with NIS2, including incident response, supply chain security, encryption and vulnerability disclosure, adequate risk analysis, testing and auditing of cybersecurity strategies, and crisis management planning in view to ensure business continuity. In case of a cyber incident, these entities will also be required to submit an initial notification within 24 hours and more detailed information within 72 hours. NIS2 also introduces fines for failure to comply, including suspension of certification and personal liability to managerial positions, in line with national laws.
Finally, the directive establishes the European Cyber Crises Liaison Organization Network, EU-CyCLONe, to enable cooperation between national agencies and authorities in charge of cybersecurity, and each Member State will also be required to clearly identify a single point of contact to report cyber incidents.
Are SMEs also obliged to comply?
NIS2 establishes “the application of the size-cap rule, whereby all medium and large enterprises, as defined by Commission Recommendation 2003/361/EC, that operate within the sectors or provide the type of services covered by this Directive, fall within its scope”. While it excludes Small and Micro enterprises from having to comply with the new rules, some exceptions apply for example for SMEs in the sectors of electronic communications networks or of publicly available electronic communications services, trust service providers or top-level domain name (TLD) name registries.
Small and medium-sized enterprises are increasingly becoming the target of supply chain attacks due to limited security resources. Such supply chain attacks can have a cascading effect on entities to which they provide supplies. Member States should, through their national cybersecurity strategies, help small and medium-sized enterprises to address the challenges faced in their supply chains. Member States should have a point of contact for small and medium-sized enterprises at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity related issues.
In March last year, the European DIGITAL SME Alliance, EU’s largest SME network in the field of ICT, published its position paper to the consultation on the proposal for NIS2, welcoming the new directive, but also alerting for the indirect impact of NIS2 on SMEs.
In conversation with ESET, James Philpot, Project Manager at DIGITAL SME, notes that the first step SMEs should be taking to “understand specific needs to boost their cybersecurity practices” is looking at their “national cybersecurity center and ENISA’s guides and recommendations”. However, “it might be easier or harder” to get the right information as “different Member States provide different resources”. Nonetheless, NIS2 “mandates that States should provide support and resources” mainly when it comes to getting a detailed understanding of the scope of this legislation “and whether their customers will be subject to it”, which will “help plan ahead”.
Turning challenges into opportunities.
“Downstream suppliers are likely to be the most disrupted”, and it can be challenging for some companies to have the needed technical capabilities but mainly to understand “reporting requirements and how NIS2 interplays with other legislation”, explained Philpot.
“But in a more general sense, we have to be positive about it”, and “efforts to improve the level of cybersecurity in European businesses are generally welcomed”. The only caveat, alerts Philpot, is the level of “implementation and support, and how that is managed, that will ultimately be the difference between the legislation helping SMEs and the legislation being regulatory overburden”.
Moreover, ESET and DIGITAL SME are convinced that this new framework might be an opportunity. “Yes, it can be an opportunity, there are technical solutions available in Europe to provide the level of cybersecurity required”, but companies need to avoid “looking for the biggest name or cheapest offer, which tends to come from outside of Europe”. This is why it is so important to “link support and resources” to “leverage this legislation and to strengthen European innovation”.
SMEs can also reach out to their local CSIRTS to mitigate some of the deficiencies of other national bodies, or take advantage of resources such as the DIGITAL SME/SBS guide, the DIGITAL SME Guide on Information Security Controls or cybersecurity certificates.
Moving towards safer enterprises.
ESET’s SMB Digital Security Sentiment Report, published just last month, discovered that while 83% of SMEs believe that cyber warfare is a very real threat and 71% had moderate to high confidence in their ability to investigate the root cause of cyberattacks, 43% consider the lack of awareness of employees as the leading cause for concern, while the actual uptake of EDR (end-point detection and response) solutions, which specifically assist in this area, was only at 32%.
As Philpot also notes in the conversation with ESET, “the impacts of cyber incidents are well known” to SMEs: data leaks, considerable financial impact and loss of customer confidence. So “in a more general sense, we have to be positive” about NIS2; at the very least, this directive will play an important awareness role, even for those companies that “aren’t required to comply, they may develop greater awareness”
The NIS2 will become applicable after the EU Member States transpose the Directive into their national law: by September 2024. Nevertheless, organizations might want to be ready sooner than later, not only to be timely on the implementation process, but also to test different good practices on incident handling, control policies and reporting mythologies. Above all, NIS2 defines a minimum common level of cybersecurity in Europe, one that should be seen as the floor under our feet, not as a ceiling.