What is NIS2 in the EU?

The NIS2 Directive is the European Union’s flagship cybersecurity law, poised to significantly strengthen cyber defenses across the EU when it takes effect on 17 October 2024. This upgraded version of the 2016 NIS Directive (NIS1) not only introduces stricter rules but also broadens its reach, covering more sectors and businesses, ensuring comprehensive protection and a stronger security posture.

Additionally, the Commission, the EU Agency for Network and Information Security (ENISA), and the Member States should continue to align with international standards and industry best practices in cybersecurity risk management, mitigating threats to the network and information systems used to provide essential services in key sectors and ensuring the continuity of those services when incidents occur. This includes areas such as supply chain security assessments, information sharing, and vulnerability disclosure, fostering a robust and unified approach to cybersecurity across the Union.

EU Cybersecurity Act

The EU Cybersecurity Act discusses cybersecurity and cyber resilience in the EU and strengthens the role of ENISA by providing the agency with more funding and human resources.

With ENISA assisting member states in managing cyberattacks and coordinating a unified response to large-scale cyber crises, ENISA helps ensure that systems are better protected, more resilient, and able to withstand and respond to cybersecurity threats effectively. This collaboration and unified approach contribute to the overall hardening of systems across the EU.

What is the NIS2 Strategy?

NIS2 mandates specific cybersecurity actions for businesses and organizations. These include identifying potential cyber threats (risk analysis), having plans in place to respond to cyberattacks (incident management), ensuring operations can continue after a disruption (business continuity), and protecting against vulnerabilities in the supply chain.

Who needs to comply with NIS2?

NIS2 applies to public and private entities operating in the EU. In practice, all medium-sized and large entities operating in the sectors or providing the services covered by the directive fall within its scope.

Organizations covered by NIS 2 directive

The sectors and subsectors covered by the NIS2 Directive are outlined in the NIS2 factsheet.

Does ISO 27001 cover NIS2?

At this point ISO 27001 does not cover all of the NIS2 requirements. NIS2 was published by the EU in December 2022 and takes legal effect on October 17, 2024. While the NIS2 Directive specifically refers to ISO 27001, existing ISO 27001 certifications, or certifications covering only a portion of a company, may contain gaps when compared to the NIS2 requirements.

ISO 27001 and NIS2 are both standards aimed at improving the level of cybersecurity, but they differ in nature. ISO 27001 is a voluntary, globally recognized framework that organizations can choose to adopt to manage their information security risks. On the other hand, NIS2 is a mandatory law imposed by the European Union that sets specific cybersecurity requirements for certain types of businesses and organizations operating within the EU.

[Figure: interactive map showing the relationship between NIS 2 and ISO 27001]

(Source: Arne Halenza, "Navigating Compliance: How ISO 27001 Aligns with the New NIS 2 Directive")

EU Cybersecurity Certification Framework

To ensure that products meet high cybersecurity standards, it will be essential to have visible certification confirming compliance for all Information and Communication Technology (ICT) products. The European Common Criteria-based cybersecurity certification scheme (EUCC) is intended to simplify and clarify that process for everyone.

To achieve this, the Commission is developing an EU-wide certification framework, with ENISA playing a central role. The EU cybersecurity certification will state that ICT products and services have been certified against a comprehensive set of rules, technical requirements, standards and procedures. It’s being called the Cybersecurity Act certification framework.

Each European scheme should specify:

  • the categories of products and services covered
  • the cybersecurity requirements, such as standards or technical specifications
  • the type of evaluation, such as self-assessment or third party
  • the intended level of assurance

While the framework doesn’t explicitly mandate specific hardening techniques, it encourages and validates security practices that often include system hardening, most visibly through its assurance levels. The framework defines three assurance levels (basic, substantial, and high), which correspond to increasing levels of security rigor; higher assurance levels typically involve more comprehensive hardening practices. Also, many of the security objectives addressed by the certification schemes align with hardening principles, such as protecting against unauthorized access, ensuring data integrity, and maintaining secure configurations.

Cyber Resilience Act Compliance using CE Marking

The Cyber Resilience Act (CRA) was announced in the EU Cybersecurity Strategy 2020 and complements the NIS 2 Directive. As a regulation, the CRA will be directly enforceable across all EU member states, unlike the NIS2 Directive, which requires individual member states to transpose it into national law. Manufacturers affected by the CRA will have a three-year transition period to comply with its requirements. Given that the CRA is likely to be enacted this year, manufacturers can expect to have to adhere to its rules starting in 2027.

By enforcing these measures, the EU Cyber Resilience Act ensures that digital products are designed, developed, and maintained with strong security practices, thus significantly contributing to the hardening of systems across the EU. The Cyber Resilience Act will guarantee:

  • manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle
  • a coherent cybersecurity framework, facilitating compliance for hardware and software producers
  • enhanced transparency of the security properties of products with digital elements
  • businesses and consumers are able to use products with digital elements securely

Upon approval of the regulation, manufacturers must use a CE marking to indicate that products with digital elements, including all hardware and software with data or network connections, conform to essential requirements.

Is NIS2 mandatory?

The NIS2 Directive will go into effect in October 2024. Companies that fail to comply with its cybersecurity rules face severe penalties. These penalties can be a hefty fine of up to €10 million or 2% of the company’s global annual revenue, whichever is greater.

How to prepare for NIS2?

The directive mandates the implementation of appropriate technical and organizational security measures, emphasizing the importance of risk management, which involves identifying and assessing vulnerabilities, including those related to system configuration.

Organizations with hardened systems can significantly reduce the impact of a successful cyberattack and maintain audit compliance, while ensuring systems and components are securely configured to uphold overall system integrity. Get in touch to see your one-click path to compliance.