The NIS 2 regulation: an update on the issues, obligations and penalties

Mélanie Lebrun

Youzer Marketing Manager

04/2024

The NIS 2 directive is designed to protect the European Union's critical infrastructures against cyber threats. It reinforces NIS 1 to guarantee the security of networks and information systems, as well as cooperation between Member States to respond effectively to security incidents.

In a nutshell, what is the NIS 2 directive?

NIS 2 answers a cybersecurity need: society is changing rapidly in the digital age, and regulation at European scale has become necessary. NIS 2 follows on from NIS 1, complementing and strengthening it.

NIS 2 does not apply equally to all players: it distinguishes essential entities (EE) from important entities (EI). The directive is applied in proportion to a company's criticality and size.

NIS 2 will come into force on October 17, 2024, but this is not the date of application.

ANSSI plays a major role in the directive, since it is responsible for implementing it at national level. The new regulations are applicable to all European member states, and must be transposed by each country's competent body.

The aim of NIS 2 is to enhance the cybersecurity of national players.

NIS 2 highlights

What exactly was this directive, known as NIS 1, all about?

NIS 1 follows on from the military programming law introduced in 2013.

The European NIS1 directive was adopted in 2016 and implemented in 2018.

💡 NIS: Network and Information Security aims to strengthen the security of networks and information systems in Europe, focusing on critical sectors such as water supply services, energy, transport, healthcare and finance.

The NIS 1 directive was designed for economic players who could have a considerable impact within the European Union.

It has been defined at European level ⭐ 🟦 ⭐ and obliges national authorities to define a cybersecurity strategy.

It was necessary to designate a supervisory authority responsible for the deployment and application of this law. ANSSI, the French national information systems security agency, has drawn up a roadmap for implementing this directive.

ANSSI represents France 🟦⬜🟥 within the CSIRT network, a cooperation group for national transposition of the directive.

NIS 1 strengthens member states in their security upgrades and enables cooperation between countries.

The idea was to have a directive deployed uniformly in every country, but that's where the first difficulties arose.

NIS 1 targets large players known as "essential service operators", economic players who could have a considerable impact within the European Union.

NIS 1 was a first version of a European IT security project, which is very positive, but quickly, even before its implementation, malfunctions became apparent.

Morten Løkkegaard, Danish Member of the European Parliament and rapporteur for NIS 2, explains that the member countries did not all agree on the framework: they did not see why states and legislators should have a say in how companies manage cyber risk. The directive was therefore watered down, but the context and urgency were not those of 2023.

  • There was too much heterogeneity in practice and implementation between member states.
  • The threat of cyber attacks and their impact on society have evolved.
  • Essential entities have raised their level of cybersecurity, but their suppliers (the supply chain) have done little in the way of security, and it is they who are currently being targeted.

➡️ The idea for NIS2 was born on December 14, 2022.

The NIS 2 directive, network and information systems, at a glance

Three points prompted us to think about NIS 2 fairly quickly:

  1. The scope of NIS 1 quickly proved very limited, covering around 15,000 regulated operators; NIS 2 expands it to over 100,000 entities.
  2. The requirements were rather vague in the first directive and needed to be clarified.
  3. Regulatory mechanisms needed to be more precise.

The difference between NIS 1 and NIS 2

Legislators had to think differently, because this was not an exact science: small and medium-sized businesses could also be critical entities.

👉🏼 It was therefore necessary to better categorize the targeted players, and the European working group created two typologies:

  • essential entities (EE)
  • important entities (EI)

The measures apply differently in each case, and above all, they are applied in proportion to the size of the organization.

Thus, the required security measures take into account the size of the organization, with upstream controls for EEs and downstream controls for EIs if a non-compliance is discovered.
Penalties will not be identical either: up to 2% of sales for EEs and 1.4% of sales for EIs.

As with NIS 1, compliance deadlines are long, to give targeted players time to take action. The same will apply to NIS 2.

The differences between NIS 1 and NIS 2:

Let's take a look at the differences between the two regulations, and what remains the same.

What will change?

  • there is a power of sanctions and control (we'll come back to this). We need to lay down the rules and make them more coercive.
  • the security foundation is insufficient, and there will be an increase in requirements and penalties. We'll have more details in the coming months, especially concerning operators of essential services.
  • the scope of application is changing: before, we spoke of operators of essential services and digital service providers. Today, we speak of essential entities and important entities: this covers more players and provides for exceptions.
  • the most important point: in the past, states designated entities, but now it is up to companies and organizations to declare themselves as entities to the authorities. Member States will have to declare all EEs and EIs on their territory by April 17, 2025 at the latest, while France has given companies and organizations until January 17 to declare themselves.

What doesn't change

  • cooperation between Member States, the Commission and ENISA (the European Union's cybersecurity agency).
  • the CSIRT network (specialized IT security incident management teams).
  • voluntary information sharing
  • minimum harmonization (the disadvantage is that some countries will be stricter, others more lax, which will distort competition).

Who will be affected by this new directive?

The directive applies according to the following criteria:

  1. To be a natural or legal person with the capacity to hold rights and obligations in its own name: a person with legal personality.

  2. Depending on the size of the company:

     Entity size            Number of employees   Sales (turnover)             Annual balance sheet
     Medium-sized company   More than 50          More than 10 million euros   More than 10 million euros
     Large company          More than 250         More than 50 million euros   More than 43 million euros

  3. According to the criticality of its activity:

     Essential entities:
       • Energy
       • Transport
       • Banking sector
       • Financial market infrastructures
       • Health
       • Drinking water
       • Waste water
       • Digital infrastructures
       • ICT service management
       • Public administration
       • Space

     Important entities:
       • Postal and shipping services
       • Waste management
       • Manufacture, production and distribution of chemicals
       • Food production, processing and distribution
       • Manufacturing (medical devices, computer products, electronic equipment, machinery and equipment, motor vehicles and transport equipment)
       • Digital providers
       • Research

For a detailed list of EEs and EIs, see pages 64 to 67 for EEs and pages 69 to 70 for EIs.

  4. Be established in, or provide services within, the European Union. Even if you are not established in the EU but work with EU companies, you are covered.

There are exceptions, which do not take into account the above criteria, such as the criticality of the activity or whether it is designated by the State. For example, the size criterion does not apply to all sectors: network providers, local public services, specific public administration entities, digital service providers, trust service providers, domain name registry providers...

There are:

  • a default rule,
  • an adjustment mechanism
  • clarification

What is the aim of the NIS 2 directive?

Given the economic context, wars and cyber-attacks, the European Commission is keen to strengthen cybersecurity in all member countries, with the aim of achieving uniformity.

NIS 2 is part of a context of resilience, designed to help players overcome and cope with cyber crises.

The European market wants to stand strong and united in the face of increasingly organized hackers. Cyberattacks are becoming more professional, and the supply chain is increasingly targeted.

The aim of NIS 1 was to strengthen highly critical players, but the problem has shifted to their subcontractors, and the aim is to force all players to strengthen their cybersecurity.

Corporate management is much more involved in NIS 2 than ever before. So much so, that responsibility is being shifted back to management bodies, with mandatory training and involvement in the application of cybersecurity rules and standards.

Management, which until now has been able to detach itself from the problems of IT departments, will now have to get involved and, above all, provide a budget.

What will change with the adoption of the NIS2 directive?

Entities will become proactive about their digital security.

They will have obligations and will have to follow a security charter that includes risk management.

  • Entities must notify ANSSI.
  • They must provide contact information and keep it up to date.
  • They must report major cyber incidents to ANSSI

Changes for management bodies

There will also be changes in security requirements for management bodies, who will have to approve risk management measures, supervise their implementation and be liable in the event of non-compliance.

There is an obligation to train members of management to better understand cybersecurity management risks, practices and incidents.

Management must also provide all employees with ongoing training in IT security.

Obligation of management bodies

Security measures for regulated entities

  • risk analysis and IS security policies
  • incident management
  • business continuity (backups, DRP, crisis management)
  • supply chain security (suppliers/contractors)
  • security of IS acquisition, development and maintenance
  • policies and procedures for evaluating the effectiveness of asset management measures
  • the use of multi-factor or continuous authentication solutions and secure communications

⚠️ Don't worry, these are the broad outlines, and the States will add further details on what we need to do.

NIS 2 incident reporting

The incident must be reported in very specific stages:

  1. The organization must notify the CSIRT or the competent authority within 24 hours of the start of the incident. It will be very important to specify whether there is a cross-border impact.
    This is an early warning that indicates a malicious or illicit act, real or suspected.
    Morten Løkkegaard, Member of the European Parliament, makes it clear that this is just "Houston, we have a problem": no detailed report is expected, just a mention to the authorities that there is a problematic situation.

  2. 72 hours after notification of the incident, the organization must update the information and carry out an initial assessment.

  3. One month after notification (i.e. 72 hours + one month), the organization must issue its final report, or one month after the incident has been processed at the latest.

NB: If the incident lasts more than one month, the organization must produce an interim report.
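The three stages above (24 h early warning, 72 h notification with a first assessment, final report one month later, with an interim report when the incident outlasts that month) form a timeline that an incident-response team will want to track automatically. The following Python is an added example, not code from the article or from Youzer; it assumes, hypothetically, that both the 24 h and 72 h deadlines count from the moment the entity became aware of the incident and that "one month" means one calendar month. The function and field names (`reporting_schedule`, `overdue_stages`, `ReportingSchedule`) are this example's own.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def add_months(dt: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the length of the target month
    (31 January + 1 month -> 29 February in 2024)."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingSchedule:
    early_warning_due: datetime             # stage 1: 24 h after becoming aware
    incident_notification_due: datetime     # stage 2: 72 h, with an initial assessment
    interim_report_due: Optional[datetime]  # only if the incident outlasts the one-month mark
    final_report_due: Optional[datetime]    # None while the end of the incident is unknown


def reporting_schedule(aware_at: datetime, handled_at: Optional[datetime] = None) -> ReportingSchedule:
    """Derive the reporting deadlines from the moment the entity became aware of the
    incident (`aware_at`) and, when known, the moment it was handled (`handled_at`).

    Assumption of this example (not stated in the article): both short deadlines
    are counted from `aware_at`, and "one month" is a calendar month.
    """
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    one_month_mark = add_months(notification, 1)

    # Incident closed within the month: the final report is due at the one-month mark.
    if handled_at is not None and handled_at <= one_month_mark:
        return ReportingSchedule(early_warning, notification, None, one_month_mark)

    # Incident still running at the one-month mark: an interim report is due then,
    # and the final report one month after the incident has been handled.
    final = add_months(handled_at, 1) if handled_at is not None else None
    return ReportingSchedule(early_warning, notification, one_month_mark, final)


def overdue_stages(schedule: ReportingSchedule, now: datetime) -> List[str]:
    """Names of the stages whose deadline has already passed at `now`; a tracking
    job would raise an alert for each one still without a filed report."""
    stages = [
        ("early_warning", schedule.early_warning_due),
        ("incident_notification", schedule.incident_notification_due),
        ("interim_report", schedule.interim_report_due),
        ("final_report", schedule.final_report_due),
    ]
    return [name for name, due in stages if due is not None and now > due]


if __name__ == "__main__":
    # Constructed sample: awareness on 3 November 2024 at 10:00 UTC, incident still ongoing.
    aware = datetime(2024, 11, 3, 10, 0, tzinfo=timezone.utc)
    schedule = reporting_schedule(aware)
    print(schedule)
    print("overdue on 7 Nov:", overdue_stages(schedule, datetime(2024, 11, 7, tzinfo=timezone.utc)))
```

The schedule is recomputed whenever `handled_at` becomes known, which is what turns the interim-report branch into a dated final-report deadline.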

Different stages following an incident - NIS 2

The final report

It must include the following elements:

  • a detailed description of the incident, including its severity, impact, repercussions and status if the incident is still in progress,
  • the type of threat or root cause likely to have triggered the incident,
  • mitigation measures implemented and in progress,
  • where applicable, the cross-border consequences of the incident.

What does a company risk if it fails to comply with the requirements set out in this European directive?

As we've seen, companies have a duty to report malicious or illicit acts, but that's not all. They also have a duty to train staff in good computer hygiene, and to do everything in their power to protect themselves from cyber-attacks.

Non-pecuniary penalties for EI or EE:

There will be warnings and orders to inform, or to make a major event public.
ANSSI will be able to order an entity to stop a behavior and to comply.

For EEs, there will be:

  • the order to designate a control manager for a given person,
  • a temporary ban on individuals exercising management or legal representation functions,
  • suspension of certification or authorization (you will have been warned in advance!).

Financial penalties:

  Essential entity: up to €10m or 2% of worldwide annual sales
  Important entity: up to €7m or 1.4% of worldwide annual sales
  In both cases: penalties to compel an EE or EI to cease its infringement

😔 The bad news: these are minimum penalties set by the European Commission, which means that each country can adapt the penalties and choose to go beyond them.

Why were penalties introduced?

Only because it's sanctions that move the lines. Morten Løkkegaard explains "If we don't have fines, sanctions, people will not apply, that's the truth of the matter".

The other reason is that companies are currently tempted to pay the ransom, but tomorrow the penalty will be higher than the ransom, so companies will be more tempted to comply with their practices. It will be more interesting, more judicious, to pay for investments to bring their cyber protection up to standard.

When does the NIS 2 directive come into force?

To recap the dates:

  • The European NIS Directive was published on December 27, 2022 in the EU's Official Journal ➡️. Each Member State has 21 months to implement it in its national law.
  • The directive will enter into French law on October 17, 2024. Prior to this, the directive will be transposed into law, involving work with ministries, current critical entities, the SGDSN (General Secretariat for Defense and National Security) and industry federations. The regulations must follow a parliamentary route.
  • Please note that the directive does not come into force in October. There is a compliance deadline for regulated entities.

What role does ANSSI play in this process?

ANSSI, as the historical player and intermediary for the regulatory aspects of NIS 1 and 2 in France, is responsible for implementing NIS.

ANSSI will have to transform itself to take on an advisory, control and monitoring role.

Control

  • on-site inspection
  • security audit
  • security scans
  • information requests
  • data access requests

Additionally, for EEs:

  • regular audits
  • requests for evidence

ANSSI will have a special role to play in this directive:

  • it acts as a regulator, supporting and advising entities,
  • it controls,
  • it helps develop digital services,
  • it is involved in all the major stages of regulatory development,
  • it co-constructs,
  • it lightens.

In short: it interacts between entities and the regulator, sets security requirements, receives incident reports and monitors operators of essential services, with the ability to impose penalties.

ANSSI's role in the NIS 2 directive

How do I comply with NIS 2?

For the moment, as you will have gathered, NIS 2 is not yet applicable. It is in the regulatory process, and ANSSI has not yet issued its requirements.

At the InCyber 2024 trade show in Lille, I had the opportunity to speak with a member of ANSSI's sector coordination team, who gave me the following advice: for IEs, good IT hygiene applied with the help of the guide will be a very good step towards NIS 2 compliance.


Maxime Antoine of OSSIR (Observatoire de la sécurité des systèmes d'information et des réseaux) advises:

  • have a look at the ANSSI guides
  • industrialize
  • stop relying on one-off, handcrafted solutions
  • boost your cybersecurity
  • show leadership
  • have a real policy
  • opt for a risk management process
  • don't limit yourself to planning and execution → verification, continuous improvement, management and non-compliance.

In conclusion

NIS 2 will be applicable and known in October 2024. Before this date, the law is not known in detail, so it's best not to rush into any solution, but to take stock of your IT hygiene and review the basics in cyber risk management.

We can help you take stock of the management of your users and their accounts:

  • who has what, and why?
  • what rights are granted to users?
  • who actually uses the applications?
  • do you have orphan accounts?
  • do you have accounts in error?
  • are there any flaws in how the first password is transmitted?
  • is there account sharing?
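Several of the questions above (who actually uses the applications, orphan accounts, account sharing) can be answered from data an IAM team already has: an HR roster, an account inventory per application and login events. The Python below is an added example, not code from the article or from Youzer's product; the roster, accounts and login events are constructed sample data, and the thresholds (90 idle days, a 30-minute window for the shared-account heuristic) are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample data (not from the article): HR roster, application account
# inventory and login events, as an IAM team might export them.
HR_ROSTER: Dict[str, str] = {"e100": "active", "e101": "active", "e102": "left"}

ACCOUNTS: List[dict] = [
    {"app": "crm", "login": "alice",      "owner": "e100", "roles": ["admin"]},
    {"app": "crm", "login": "bob",        "owner": "e101", "roles": ["user"]},
    {"app": "crm", "login": "carol",      "owner": "e102", "roles": ["user"]},   # owner has left
    {"app": "erp", "login": "svc_import", "owner": None,   "roles": ["admin"]},  # nobody answers for it
    {"app": "erp", "login": "alice",      "owner": "e100", "roles": ["user"]},   # never used
]

# (app, login, timestamp, source host)
LOGINS: List[Tuple[str, str, datetime, str]] = [
    ("crm", "alice",      datetime(2024, 4, 10, 9, 0),  "ws-alice"),
    ("crm", "bob",        datetime(2024, 4, 11, 8, 30), "ws-bob"),
    ("crm", "bob",        datetime(2024, 4, 11, 8, 45), "ws-intern-3"),  # same login, other host, 15 min later
    ("crm", "carol",      datetime(2024, 1, 5, 10, 0),  "ws-carol"),
    ("erp", "svc_import", datetime(2024, 4, 12, 2, 0),  "batch-01"),
]

NOW = datetime(2024, 4, 15, 12, 0)  # constructed "today" for the review


def orphan_accounts(accounts, roster) -> List[Tuple[str, str, str]]:
    """Accounts with no accountable owner: none recorded, owner unknown to HR, or owner gone."""
    findings = []
    for acc in accounts:
        owner = acc["owner"]
        if owner is None:
            findings.append((acc["app"], acc["login"], "no owner"))
        elif owner not in roster:
            findings.append((acc["app"], acc["login"], "owner not in HR roster"))
        elif roster[owner] != "active":
            findings.append((acc["app"], acc["login"], "owner left"))
    return findings


def dormant_accounts(accounts, logins, now, max_idle_days=90) -> List[Tuple[str, str, str]]:
    """Accounts nobody actually uses: no login at all, or none within `max_idle_days`."""
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for app, login, ts, _host in logins:
        key = (app, login)
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    findings = []
    for acc in accounts:
        key = (acc["app"], acc["login"])
        if key not in last_seen:
            findings.append((acc["app"], acc["login"], "no login recorded"))
        else:
            idle = (now - last_seen[key]).days
            if idle > max_idle_days:
                findings.append((acc["app"], acc["login"], f"idle {idle} days"))
    return findings


def shared_account_candidates(logins, window_minutes=30) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Same login used from different hosts within a short window: a sign the
    credentials are shared between people (or have leaked). Heuristic only."""
    by_account: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for app, login, ts, host in logins:
        by_account[(app, login)].append((ts, host))
    window = timedelta(minutes=window_minutes)
    findings = []
    for (app, login), events in sorted(by_account.items()):
        events.sort()
        hosts = set()
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                hosts.update((h1, h2))
        if hosts:
            findings.append((app, login, tuple(sorted(hosts))))
    return findings


def privileged_findings(accounts, findings) -> List[Tuple[str, str, str]]:
    """Subset of findings concerning accounts that hold an admin role: fix these first."""
    admin = {(a["app"], a["login"]) for a in accounts if "admin" in a["roles"]}
    return [f for f in findings if (f[0], f[1]) in admin]


def review(accounts=ACCOUNTS, logins=LOGINS, roster=HR_ROSTER, now=NOW) -> Dict[str, list]:
    orphans = orphan_accounts(accounts, roster)
    dormant = dormant_accounts(accounts, logins, now)
    return {
        "orphan": orphans,
        "dormant": dormant,
        "shared": shared_account_candidates(logins),
        "privileged_first": privileged_findings(accounts, orphans + dormant),
    }


if __name__ == "__main__":
    for category, items in review().items():
        print(category)
        for item in items:
            print("  ", item)
```

On the sample data the review flags carol's CRM account (owner left, idle for more than three months), the ownerless `svc_import` ERP account (an admin account, so listed first), alice's unused ERP account, and bob's CRM login as a shared-credential candidate because it was used from two workstations within fifteen minutes.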
