NIS: what it is and how it protects cybersecurity

Estimated reading time: 6 minutes

The NIS Directive (Network and Information Security) was issued in 2016 by the European Union with the aim of achieving a high level of security of networks and information systems in the European Union.

It applies to essential service providers, such as energy, transport, banks, healthcare, and digital service providers, such as search engines, cloud and e-commerce. NIS has introduced a series of measures to strengthen cybersecurity.

NIS objectives

The main objectives of NIS directive are:

• Improve prevention of cybersecurity incidents
• Increase ability to detect and manage computer attacks
• Limit impact of outages and disruptions of essential services for European citizens.

This is achieved through introduction of security standards, reporting obligations, cooperation between member states.

Scope

The subjects covered by NIS are:

• Essential service operators (ESO): crucial public and private entities for maintaining vital civil, economic and social activities
• Digital service providers (DSP): online search engines, cloud computing and online marketplaces

For ESOs, NIS applies to energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution sectors.

NIS2: main updates introduced in 2021

In December 2020, the European Commission proposed an update to the NIS Directive, called NIS2, to improve its effectiveness in light of growing cyber threats.

Sectors included in NIS2

In addition to sectors already covered by NIS, NIS2 directive will include:

• Postal and courier services
• Waste (wastewater and waste management)
• Essential public infrastructures (national and cross-border)
• Manufacturing sector
• Product safety
• Space and satellite activities
• Public administration
• Education (schools, universities, research centers)

Enhanced cybersecurity for companies of all sizes

Particular attention will be paid to strengthening security standards applicable to small and medium-sized enterprises (SMEs), often the Achilles heel in cybersecurity.

Large companies will also see growing obligations, with fines up to 2% of global turnover for breaches of information security requirements and failure to notify incidents.

This will push top management to seriously invest in cybersecurity.

International cooperation

Closer cooperation between member states will be promoted, establishing cross-border procedures for incident management and crisis management to effectively counter large-scale attacks.

Cooperation mechanisms with third countries are also planned for a global approach to strengthening international digital resilience.

NIS2 supervisory bodies

The proposed NIS2 directive confers new powers to regulatory bodies established at national level (or identified among existing ones) to oversee implementation of legislation.

Competent authorities

Their specific tasks include:

• Security audits
• Inspections and investigations of regulated entities
• Dynamic analysis of IT risks
• Requests for information
• Power to impose sanctions.

They will also have task of increasing population awareness and understanding of cyber risk.

For example, in Italy the National Cybersecurity Center already performs some of these functions.

NIS cooperation group

A cooperation group will be established bringing together these national authorities together with ENISA and European Commission to coordinate cross-border issues and exchange information.

Obligations for essential and digital service operators

NIS2 mandatory subjects

The subjects to whom NIS2 obligations apply are divided into 3 categories:

• Essential service operators (energy, transport, banking, healthcare, etc.)
• Digital service providers (cloud, web search engines, e-commerce)
• Public entities (central and local administrations)

Required safety measures

Regardless of size, all NIS2 entities must meet requirements in terms of:

• Cybersecurity governance
• Risk management
• Operational resilience
• Monitoring, detection, classification of incidents
• Business continuity and disaster recovery
• Information sharing with competent authorities

More stringent security standards are required for entities that support critical services or process significant amounts of personal data.

For example, they will be required to conduct regular penetration testing and cyber crisis exercises to test response plans.

Mandatory incident notification

All NIS2 entities, including SMEs, will have to notify national authorities without undue delay of significant cyber incidents that could disrupt essential services or impact security of data and systems.

Penalties are expected in case of failure to notify.

Expected impact on EU digital resilience

With extensive implementation of NIS2, the European Union aims to significantly reduce the risk and impact of cyber attacks against critical infrastructures and digital services in the coming years.

Success indicators

Some key indicators have already been identified to measure progress in European digital resilience:

• Average time to detect cyber intrusions
• Average time to respond and resolve a cyber attack
• Number of personal data breaches reported annually
• Economic losses caused by disruptions of critical services

Expected social impact

Benefits for European citizens will come from greater protection of essential services such as healthcare, transport and energy from cyber attacks, and consequently less disruption impacting social life.

Qualitative improvements in digital services are also expected, thanks to investments in data security and infrastructure reliability.

Entry into force and transition

The new NIS2 directive is still in the final stages of the European legislative process, with approval by the EU Council and Parliament expected for 2022.

Obligations taking effect

Once published in the Official Journal of the European Union, member states will have 21 months to incorporate NIS2 into national law.

From that moment on, companies and public bodies covered by the legislation will have 15 months to fully comply with the new obligations.

So NIS2 requirements are expected to become binding between 2023 and 2024, depending on transposition times.

SME support

Given the complexity of the matter, European guidelines and support documentation will likely be published to help small and medium enterprises implement processes and technologies compliant with regulations.

Funding and tenders are also planned to economically support smaller operators in necessary ICT security investments.

Transposition in Italy already completed and new deadline

In Italy, NIS2 directive was transposed last July 31, 2022 with “Legislative Decree no. 123 of June 30, 2022”.

The text faithfully reflects framework and content of European legislation, adapting national law.

Final deadline for compliance

Following entry into force of transposition legislative decree, October 17, 2024 now represents the final deadline by which essential service operators and digital service providers operating in Italy must fully comply with new network and information systems security obligations introduced by NIS2.

After that date, entities not yet fully compliant with directive requirements risk pecuniary fines. For this reason, investments in IT security can no longer be postponed.

Indirect impacts on supply chain and public procurement

Although NIS2 obligations directly apply only to specific operators of essential services and providers of certain digital services, the directive will have a “dragging” effect also on many other companies.

Commercial motivation to comply

In particular, compliance with NIS2 requirements could soon become a de facto prerequisite when participating in public or private calls for tender.

Similarly, it may be an appreciated competitive factor for customers who want to ensure all suppliers in their supply chain meet advanced infrastructure reliability and information security standards.

Cybersecurity certifications

Precisely in order to demonstrate their level of adequacy, it is foreseeable that even companies not subject to NIS2 will increasingly resort to voluntary certifications and third-party independent security audits.

In this way, even without regulatory obligations they can still reap commercial benefits from investing in their cyber resilience level.

Useful links:

• Cloud CRM
• Web agency
• Introducing a set of new GDPR tools
• [Name change] Acronis Data Cloud –> Acronis Cyber Cloud