In a world where the internet has turned from a commodity into an absolute necessity, and where almost everything is connected to it, the protection of critical infrastructures is of utmost importance. The European Union, recognizing this need as early as 2017, passed the NIS Directive for the protection of critical infrastructures. Nevertheless, acknowledging the rapid evolution of cyberspace and the multiplication of threats to critical infrastructures, it has since updated that Directive. The NIS2 Directive, officially known as the Directive on measures for a high common level of cybersecurity across the Union, establishes legal measures to raise cybersecurity standards in the EU and replaces its predecessor, the NIS Directive. It entered into force on 16 January 2023, almost a full year ago now, and Member States have until mid-October 2024 to transpose its measures into national law. This post briefly explores some basic points of the NIS2 Directive and the types of obligations it imposes on EU Member States.
According to the European Commission, the NIS2 Directive has the following overarching objectives: a) ensure Member States' readiness by mandating suitable capabilities, such as a Computer Security Incident Response Team (CSIRT) and a competent NIS authority; b) establish a Cooperation Group to enhance strategic collaboration and information exchange among Member States; and c) foster a security culture in crucial industries that rely significantly on ICTs. These industries include energy, transportation, water, banking, financial market infrastructure, healthcare, and digital infrastructure.
National frameworks on the security of network and information systems
Member States must adopt a national strategy, i.e. a framework that establishes strategic objectives and priorities for network and information system security at the national level. Furthermore, they must designate one or more national competent authorities on network and information system security, covering at least the sectors listed in Annexes I and II, as well as a national single point of contact on the security of network and information systems (which may overlap with the competent authority). The national single point of contact acts as a liaison to ensure cross-border collaboration among Member State authorities, as well as with the Cooperation Group mentioned in Article 11 and the CSIRTs network mentioned in Article 12 of the NIS Directive.
Cybersecurity Risk-Management and Reporting
The NIS2 Directive defines a set of consistent obligations that Member States must require operators of essential entities to comply with. First, States must ensure that operators of critical entities take suitable and proportionate technical and organizational measures to mitigate the risks to the security of the network and information systems that they use in their operations. These measures should be based on an "all-hazards approach" and must include the following: "(a) risk analysis and information system security policies; (b) incident handling; (c) business continuity, such as backup management, disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning each entity's relationships with its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate."
Furthermore, Member States must ensure that critical and important organizations notify the competent authorities or CSIRTs, as soon as possible, of incidents that have a significant impact on the continuity of the essential services they provide. An incident is considered significant if "(a) it has caused or is capable of causing severe operational disruption of services or financial loss for the entity concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing substantial material or non-material damage."
The NIS2 Directive is a very positive step by the EU towards a more effective and comprehensive protection of critical infrastructures. Furthermore, it offers projects like EU-CIP the necessary guidance, as well as tools, to fulfil their mission towards more resilient European critical infrastructures. By introducing reporting obligations, obligations to adopt national cybersecurity strategies, and different ways to mitigate and manage risks, it helps promote a more concrete cybersecurity culture. The EU-CIP project might contribute to the compliance of actual operators of essential entities with the NIS2 Directive. Training or mentorship sessions can be offered to interested operators of vital entities, particularly newly created ones, who want to comply with the NIS2 Directive. These sessions can take the shape of classes, one-on-one mentoring, or coaching services. Such mentoring and training sessions should inform the operators of critical entities about the many steps that need to be taken, such as risk-management measures, cybersecurity policy making, cyber hygiene, and cybersecurity training, among others. Thus, the EU-CIP project can play a pivotal role towards a more effective implementation of the NIS2 Directive.
Written by: Triantafyllos Kouloufakos
Legal Researcher, Centre for IT & IP Law, KU Leuven