Summary: The NIS2 Directive expands cybersecurity duties, covering more sectors to boost resilience, consistency, and awareness.
How can the best interests of the public be protected when more and more crucial pieces of public infrastructure depend on technology?
That’s the core question addressed by a new piece of EU legislation set to become law in Ireland later this year. From government services to public utilities to hospitals, banks and more – the world has shifted to embrace technology, and while this has brought enormous efficiencies, it has also created new kinds of risks for society.
To help mitigate these risks, the Networks and Information Systems 2 (NIS2) directive will introduce new obligations around cybersecurity on Irish companies.
This directive became EU law in January 2023 and will become Irish law as well when it comes into force in October 2024. It’s important that company directors, chief information officers and security specialists everywhere have a good grasp of what this will mean.
The first NIS directive (NIS1) was written in 2016 and introduced into Irish law in 2018, but six years is a long time in cybersecurity and a lot has happened since then. There is now broad support for a new version of the directive, one that aims to establish higher levels of cybersecurity standards.
So what is this NIS2 directive, and what does it mean for you? What does it do that the previous version didn’t? The new and updated directive aims to ensure that Europe’s essential digital infrastructure in areas such as banking, transport, health and energy is kept safe from attack.
It recognises that some activities and some kinds of infrastructure are more important than others, with some crucial to keeping society going. Because of this, the companies who run them need to be held to high standards of security. The main difference between NIS1 and NIS2 is that the new version applies to more companies than before, in more sectors. Even if a business wasn’t subject to NIS1, it might now be subject to NIS2.
First goal of the NIS2 Directive - cast a wider net
The new and updated version of the directive has three main goals. The first is to increase cyber resilience across the EU, bringing more types of companies in more sectors within its scope than before.
The sectors covered by the NIS2 directive are as follows: healthcare, banking and financial market infrastructure, drinking water supply, waste water and water management, transport, digital infrastructure, energy, food, postal and courier services, space, digital services such as social networking platforms and data centre services, manufacturing of certain critical products, providers of public electronic communications networks or services, and public administration.
A further difference is that NIS2 leaves member states far less room to vary the rules when transposing it into national law than NIS1 did. The general idea is to update the law to reflect that, across Europe, society is becoming more dependent on IT, and the rules around protecting the public need to reflect that dependence.
Second goal of the NIS2 Directive - reduce inconsistency
The second is to reduce inconsistencies in the sectors already covered by the first NIS directive, adding new sectors and bringing more public and private entities under its umbrella.
This is about enforcing uniform reporting responsibilities, improving supply chain resilience and generally tidying up the loose threads exposed by the implementation of the old legislation originally written in 2016.
Third goal of the NIS2 Directive - raise awareness
The third goal is to raise the level of awareness across the EU of the importance of cybersecurity and to improve member states' ability to defend themselves. This goal aims to improve the way the EU prevents, handles and responds to large-scale cybersecurity incidents.
It also tightens mandatory incident reporting: entities must send an early warning to the competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month. The aim is to make companies take ransomware and network intrusions much more seriously.
“The revised NIS2 directive covers more sectors and companies based on an assessment of their criticality for the EU economy and wider society. One of the main things it aims to achieve is a kind of harmonising of the rules generally enforced across Europe,” said Stephen Corrigan, Solution Sales Principal for Vodafone Ireland.
The thinking is that if different countries enforce different rules, then the differences could end up becoming a significant barrier to progress.
“But we recognise that many C-suite professionals and even cybersecurity experts are extremely busy people, and it can be a challenge to stay on top of best practice for every aspect of the technology they rely upon. It’s our job to be able to offer close partnerships where we can help shoulder this challenge together, either directly or with the help of partner businesses we think are global leaders in these areas,” said Corrigan.
A significant aspect of any legislation designed to change behaviour is the penalties that can be imposed on companies and organisations that don’t comply. In the case of the NIS2 directive, the range of sanctions allowed for is quite varied.
They include binding instructions, an order to implement the recommendations of a security audit, an order to bring security measures into line with NIS2 requirements and administrative fines. For essential entities, fines can reach €10 million or two per cent of the offender’s total annual worldwide turnover, whichever is higher; for important entities, the ceiling is €7 million or 1.4 per cent of worldwide turnover, whichever is higher.
These are heavy penalties, but it’s important to note that NIS2 doesn’t just represent a logistical hassle, in the form of more regulations to observe. It also offers an opportunity.
“Just like when the GDPR was introduced, complying with NIS2 is probably not the most welcome item on your to-do list. But the expression ‘every disadvantage has its advantage’ is not a cliché in this case.
You can lament the hard work and expenses, but you can also see it as a golden opportunity to take your cybersecurity to the next level,” said Tim Timmermans, Chief Information Security Officer for Vodafone partner ON2IT.
“Yes, NIS2 increases the cybersecurity requirements that must be met, but you are probably already compliant with some of these. The flip side to these additional requirements is that the NIS2 directive also states that companies will get help from the government when, for example, they are hit by a ransomware attack.”
Together, Vodafone and ON2IT can advise Irish companies on the policies and procedures to put in place to ensure NIS2 compliance, and provide the tools to make incident handling and network security far easier to manage.
“As an organization, you will need to be able to proactively demonstrate compliance with NIS2 regulations. Practically speaking, in order to comply with the NIS2 measures, you need a 24/7 security operations centre (SOC). Therefore, you will have to make a choice; do I keep this SOC in-house, or do I outsource it?” said Timmermans.
“We think a good overarching policy is a good starting point for making this important decision, and we’re happy to partner with Vodafone to help create one with you.”