NIS 2 regulation, let's take stock of the issues, obligations and sanctions

Published: 04/2024 | Updated on:
The NIS 2 directive is intended to protect the critical infrastructure of the European Union against cyber threats. It reinforces NIS 1 to guarantee the security of networks and information systems, as well as cooperation between member states to respond effectively to security incidents.


In short, what is the NIS 2 directive?

NIS 2 addresses a cybersecurity need. Society is evolving very rapidly with all things digital, and it was necessary to regulate at the European level. NIS 2 follows on from NIS 1 and complements the directive in order to strengthen it.

NIS 2 does not apply in the same way to all players: it distinguishes essential entities (EE) from important entities (IE). The directive is applied in proportion to the criticality of the company and its size.

NIS 2 will come into force on October 17, 2024, but be aware that this date does not correspond to the date of application.

ANSSI plays a major role in the directive, since it must deploy it at the national level. The new regulation applies to the EU member states, each of which must transpose it into national law and designate a reference authority.

NIS 2 aims to strengthen the cybersecurity level of national players.

NIS 2 Highlights

What exactly did this directive, known as NIS 1, consist of?

NIS 1 is in line with the military programming law implemented in 2013.

The European NIS1 directive was adopted in 2016 and implemented in 2018.

💡 NIS: Network and Information Security aims to strengthen the security of networks and information systems in Europe by focusing on essential sectors, such as water supply, energy, transport, health and finance.

The NIS 1 directive was designed for economic actors that could have a considerable impact within the European Union.

It was defined at the European level 🇪🇺 and obliges national authorities to define a cybersecurity strategy.

It was necessary to designate a supervisory authority responsible for the deployment and application of this law. ANSSI, the national agency for information systems security, has built a roadmap for the implementation of this directive.

ANSSI represents France 🇫🇷 within the CSIRT network, the cooperation group for the national transposition of the directive.

NIS 1 strengthens member states in their security upgrades and enables cooperation between countries.

The idea was to have a directive deployed uniformly in each country, but this is where the first difficulties arose.

NIS 1 targets large players known as “operators of essential services”, economic actors that could have a considerable impact within the European Union.

NIS 1 was the initial version of a European IT security project. It was very positive, but dysfunctions quickly appeared, even before its application.

Morten Løkkegaard, Danish Member of the European Parliament and NIS 2 rapporteur, explains that the member countries did not all agree on the framework, and did not understand why states and legislators should have a say in the cyber management of companies. The directive was therefore watered down, but the context and urgency were not those of 2023.

  • There was too much heterogeneity in practices and implementations between Member States.
  • The threat of cyberattacks and their impact on society have evolved.
  • Essential entities have raised their level of cybersecurity, but their suppliers (supply chain) have not done significant work in terms of security, and they are the ones being targeted currently.

➡️ The idea for NIS2 was born on December 14, 2022.

The NIS 2 directive, network and information systems, in broad terms

Three points led to a fairly rapid reflection on NIS 2:

  1. We quickly realized that the scope of NIS 1 was very limited, encompassing approximately 15,000 regulated operators; by expanding it, we would move to over 100,000 entities.
  2. The requirements in the first directive were quite vague and needed clarification.
  3. The regulatory mechanisms needed to be more precise.

The difference between NIS 1 and NIS 2

For legislators, it was necessary to think differently: this was not an exact science, and small and medium-sized enterprises could also be critical entities.

👉🏼 It was therefore necessary to better categorize the targeted actors, and the European working group created two typologies:

  • Essential entities (EE)
  • Important entities (IE)

The measures are not applied in the same way in every case and, above all, they are applied in proportion to the size of the organization.

Thus, the security measures requested take into account the size of the organization: upstream controls for large companies (EE), and downstream controls for small and medium-sized businesses (IE) if a non-compliance has been discovered.

The penalties will not be identical either: up to 2% of turnover for large companies and 1.4% of turnover for small and medium-sized businesses.

As with NIS 1, the compliance deadlines are long, to give the targeted players time to take action.

The differences between NIS 1 and NIS 2:

Let's now look at the differences and what does not change between the two regulations.

What will change:

  • There is a power of sanction and control (we will come back to this). The rules must be laid down and made more coercive.
  • The security baseline is insufficient: there will be an increase in requirements and penalties. We will have more details in the coming months, especially on operators of essential services.
  • The scope is changing: previously, we talked about operators of essential services and digital service providers. Today, we talk about essential entities and important entities: it covers more organizations and provides for exceptions.
  • The most important point: previously, States designated entities; today, it is up to companies and organizations to declare themselves as entities to the authorities. Member States must declare all EE and IE on their territory by April 17, 2025, at the latest; for its part, France allows companies and organizations until January 17 to declare themselves.

What doesn't change

  • Cooperation between states, the Commission, and ENISA (the European Union Agency for Cybersecurity).
  • The CSIRT network (teams specializing in IT security incident management).
  • Voluntary information sharing.
  • Minimal harmonization (the disadvantage is that some countries will be stricter and others more lenient, which will cause a distortion of competition).

Who will be affected by this new directive?

The directive applies on the basis of the following criteria:

  1. Be a natural or legal person who has in their own name the capacity to hold rights and obligations: a person with legal personality.

  2. Depending on the size of the company:

| Entity size | Number of employees | Revenue | Annual balance sheet |
| --- | --- | --- | --- |
| Medium-sized business | Greater than 50 | Greater than 10 million euros | Greater than 10 million euros |
| Large company | Greater than 250 | Greater than 50 million euros | Greater than 43 million euros |

  3. Based on the criticality of their activity:

| Essential entities | Important entities |
| --- | --- |
| Energy | Postal and shipping services |
| Transportation | Waste management |
| Banking sector | Manufacturing, production and distribution of chemical products |
| Financial market infrastructures | Production, processing and distribution of foodstuffs |
| Health | Manufacturing (medical devices, computer products, electronic equipment, machinery and equipment, motor vehicles and transport equipment) |
| Drinking water | Digital suppliers |
| Waste water | Research |
| Digital infrastructures | |
| ICT service management | |
| Public administration | |
| Space | |

The detailed list of EE and IE can be found on pages 64 to 67 for the EE and pages 69 to 70 for the IE.

  4. Be established or provide services within the European Union. Even if you are not established in the EU but work with EU companies, you are concerned.

There are exceptions that do not take into account the preceding criteria, such as the criticality of the activity or if it is designated by the State. For example, the size criterion does not apply to all sectors: network providers, local public services, specific public administration entities, digital service providers, trust service providers, domain name registry providers, etc.

There is:

  • a default rule,
  • an adjustment mechanism,
  • a clarification.

What is the objective of the NIS 2 directive?

Given the economic context, wars and cyberattacks, the European Commission wants to strengthen cybersecurity across all member countries, with the objective of a uniform level.

NIS 2 is part of a resilience context, it should help players overcome and cope with cyber crises.

The European market wants to show strength and unity in the face of increasingly organized hackers. Cyberattacks are becoming more professional, and the supply chain is increasingly targeted.

NIS 1 aimed to strengthen highly critical players, but the problem shifted to their subcontractors. The aim is now to force all players to strengthen their cybersecurity.

Company management is much more involved in NIS 2 than it has ever been. So much so that responsibility is passed on to the governing bodies with an obligation to train and an involvement in the application of cybersecurity rules and standards.

The management, which until now could detach itself from the problems of the IT departments, will have to get involved and, above all, provide a budget.

What will change with the adoption of the NIS2 directive?

Entities will become proactive in their digital security.

They will have obligations and must follow a security charter with risk management.

  • Entities must declare themselves to ANSSI.
  • They must communicate their contact information and keep it up to date.
  • They must report major cyber incidents to ANSSI.

What changes for management bodies

There will also be changes in security requirements at the level of the governing bodies: they will have to approve the risk management measures, supervise their implementation, and will be held responsible in case of non-compliance with the obligations.

There is an obligation to train management members to better understand the risks, practices, and incidents in cybersecurity management.

Management must also provide ongoing training to all employees on IT security.

Obligation for management bodies

Security measures for regulated entities

  • Policies related to risk analysis and IS security
  • Incident management
  • Business continuity (backups, DRP, crisis management)
  • Security of the supply chain (suppliers/providers)
  • Security of IS acquisition, development and maintenance
  • Policies and procedures for evaluating the effectiveness of asset management measures
  • The use of multi-factor or continuous authentication solutions and secure communications

⚠️ Don't worry, these are the broad outlines, and the States will add further details on what we need to do.

The declaration of a NIS 2 incident

The incident must be reported according to very specific steps:

  1. The organization must notify the CSIRT or the competent authority within 24 hours of the start of the incident. It will be very important to specify whether there is a cross-border impact.
    This is an early warning in which a malicious or illicit act, real or suspected, is stipulated.
    Morten Løkkegaard, a member of the European Parliament, makes it clear that it is just 'Houston we have a problem': no detailed report is expected, just a mention to the authorities that there is a problematic situation.

  2. 72 hours after notification of the incident, the organization must update the information and provide an initial assessment.

  3. One month after the notification (i.e., 72 hours + one month), or at the latest one month after the incident has been handled, the organization must submit its final report.

NB: If the incident lasts more than one month, the organization must produce an interim report.

Different steps following an incident - NIS 2

The final report

It must include the following elements:

  • A detailed description of the incident, including its severity, impact, repercussions, and progress if the incident is still ongoing.
  • The type of threat or the root cause that likely triggered the incident.
  • Mitigation measures applied and in progress.
  • Where applicable, the cross-border consequences of the incident.

What risks does a company face if it does not comply with the requirements described by this European directive?

As we have seen, companies have an obligation to report a malicious or illicit act, but that's not all: they also have an obligation to train themselves in good computer hygiene practices, and to put in place all the means needed to protect themselves from cyberattacks.

Non-pecuniary sanctions for IE or EE:

There will be warnings and orders to inform, or to make public, a major event.

ANSSI may order an entity to stop a behavior and comply.

For the EEs, there will be:

  • the order to designate a control manager for a given person,
  • the temporary prohibition of individuals from holding a management or legal representation position,
  • the suspension of a certification or authorization (you will have been warned beforehand!).

Pecuniary sanctions:

| Essential entity | Important entity |
| --- | --- |
| Up to €10M or 2% of annual worldwide turnover | Up to €7M or 1.4% of annual worldwide turnover |

Penalties may also be imposed in order to force a company or a sole proprietorship to cease its infringement.

😔 The bad news is that these are minimum penalties set by the European Commission, which means that each country can adapt the penalties and choose to go further.

Why implement penalties?

Only because sanctions are what drive change. Morten Løkkegaard explains “If we don’t have fines, sanctions, people will not apply, that’s the truth of the matter”.

Another reason is that companies are currently tempted to pay the ransom. Tomorrow, the penalty will be higher than the ransom, so companies will be more inclined to comply with their practices. It will be more worthwhile and judicious to pay for investments to upgrade their cyber protection.

When will the NIS 2 directive come into effect?

To summarize the dates:

  • The European NIS directive was published on December 27, 2022 in the official journal of the EU ➡️ each State has 21 months to transpose it into its national law.
  • The directive will enter into French law on October 17, 2024. Prior to this, there will be a transposition of the directive to turn it into a bill, which involves working with ministries, current critical entities, the SGDSN (General Secretariat for National Defence and Security) and sector federations. The regulation must follow a parliamentary process.
  • Please note that the entry into force in October does not mean the application of the directive. There is a compliance period for regulated entities.

What is the role of ANSSI in this process?

ANSSI, as the historical actor and intermediary for the regulatory aspects of NIS 1 and NIS 2 in France, ensures the application of NIS.

ANSSI will need to transform itself to take on an advisory, control, and monitoring role.

Control

  • On-site inspections
  • Security audits
  • Security scans
  • Information requests
  • Requests for data access

For the EEs in addition:

  • Regular audits
  • Evidence requests

ANSSI will have a particular role in this directive:

  • It has a regulatory role, supporting and advising entities.
  • It controls.
  • It helps in the development of digital services.
  • It is present in the major stages of regulatory construction.
  • It co-constructs.
  • It clarifies.

In summary: it interacts between the entities and the regulator, it sets the security requirements, receives incident reports and controls operators of essential services with the capacity to sanction.

ANSSI's role in the NIS 2 directive

How to comply with NIS 2?

For now, and as you will have understood, NIS 2 is not yet applicable: it is still going through the regulatory process, and ANSSI has not yet communicated its requirements.

At the InCyber 2024 trade show in Lille, I was able to speak with a person from ANSSI's sectoral coordination, who gave me the following advice: for Essential Institutions (EI), good IT hygiene applied with the help of the guide will be a very good step towards NIS 2 compliance.


Maxime Antoine from OSSIR (Observatory of Information Systems and Networks Security) advises:

  • Go and read the ANSSI guides.
  • Industrialize.
  • Stop doing it manually.
  • Boost your cybersecurity.
  • Have leadership.
  • Have a real policy.
  • Opt for a risk management process.
  • Do not limit yourself to planning and execution → add verification, continuous improvement, management, and handling of non-compliance.

In conclusion

NIS 2 will be applicable and known in October 2024. Before this date, the law is not known in detail, so it is best not to rush into any solution but to take stock of your IT hygiene and review the basics in cyber risk management.

We can help you assess the management of your users and their accounts:

  • Who has what, and why?
  • What rights are granted to users?
  • Who actually uses the applications?
  • Do you have orphaned accounts?
  • Do you have accounts with errors?
  • Do you have vulnerabilities in the transmission of the initial password?
  • Is there account sharing?
