What the EU's NIS 2 Directive Means for U.S. IT Teams

In May of this year, the European Union (EU) reached a political agreement on new legislation that sets cybersecurity standards for organizations in critical industries. This is the Network and Information Systems (NIS) 2 Directive, which replaces the existing NIS legislation.

The EU Commission originally proposed these new measures in December of 2020. The rules still need to be formally approved by EU member countries and the European Parliament, but once passed, member states will have to make the new requirements part of national law within 21 months. 

A press release states:

“The existing rules on the security of network and information systems (NIS Directive), have been the first piece of EU-wide legislation on cybersecurity and paved the way for a significant change in mind-set, institutional and regulatory approach to cybersecurity in many Member States. In spite of their notable achievements and positive impact, they had to be updated because of the increasing degree of digitalisation and interconnectedness of our society and the rising number of cyber malicious activities at global level.”

Indeed, in 2022, the market for the Internet of Things (IoT) is expected to grow 18% to 14.4 billion active connections, and security attacks increased 31% from 2020 to 2021.

The EU’s NIS 2 Directive Will Apply to Organizations in Critical Sectors

The NIS 2 Directive will apply to medium and large organizations situated in critical sectors. These industries include:

  • Public electronic communications services
  • Digital services
  • Wastewater and waste management
  • Manufacturing of critical products
  • Postal and courier services
  • Healthcare
  • Public administration

As with the first NIS Directive, this new piece of legislation doesn’t only apply to organizations within EU Member States; it can affect U.S. IT teams as well. This is also the case with the EU General Data Protection Regulation (GDPR), which affects any company that handles data belonging to EU customers.

The NIS 2 Directive applies to any enterprise outside of the EU that leverages services available to individuals within the EU. It’s crucial for U.S. organizations in the sectors above to be aware of the new regulations in place, as failing to abide by them may be costly from a financial, legal, or reputational perspective.

Appointing a NIS Representative

The first NIS Directive required companies located outside the EU to appoint a NIS representative, and this rule still applies. This EU-based representative will act on behalf of a non-EU company to ensure appropriate implementation of the Directive.

Timely Reporting of Security Incidents

One of the provisions in the new legislation is the requirement to flag cybersecurity incidents to authorities within 24 hours. This requirement to report an attack promptly means that U.S. IT teams need to have the necessary tools in place to quickly identify a security incident, as well as protocols for clearly and accurately reporting the attack to the relevant authorities.

Patching New Software Vulnerabilities

An organization’s existing software might contain undiscovered vulnerabilities, especially when cybercriminals develop novel tactics. To patch weaknesses in their software, organizations first need to be able to detect them. 


No vulnerabilities should slip under the radar. This requires having experienced cybersecurity professionals who are aware of the changing landscape of cybercrime, and who are adept at comprehensively analyzing software for any weak points.

Preparing Risk Management Measures

An additional provision in the EU’s NIS 2 Directive is to prepare risk management measures, which means being able to identify and assess security risks, ensuring that the most serious hazards are eliminated wherever possible. Any risk mitigation strategies you employ to reduce the chance of a severe security incident must also be efficient and effective. Risk management measures should include:


  • Identifying all potential threats
  • Determining the potential impacts of each threat
  • Performing risk analysis and establishing suitable precautions
  • Implementing security control measures and recording findings
  • Reviewing and reassessing when necessary

Sanctions for Failure to Comply

The NIS 2 Directive also aims to create stricter enforcement requirements and harmonize sanctions regimes. Operators of essential services can face fines of up to 2% of annual turnover for failing to comply, while for important service providers, the maximum fine would be 1.4%. 


For organizations with a high annual turnover, a serious sanction could end up involving a large financial loss. 

The Importance of the NIS 2 Directive

The first NIS Directive was a vital step in enhancing cybersecurity in Europe, involving cooperation with non-EU businesses all over the world. But changes are needed. Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age, has said the new Directive “is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services.”

Having adequate cyber-resilience protocols in place also matters in the context of Russia’s ongoing war with Ukraine, which has involved various kinds of malicious cyber activity. Margaritis Schinas, vice-president for Promoting our European Way of Life, stated:

“Cybersecurity was always essential to shield our economy and our society against cyber threats; it is becoming critical as we are moving further in the digital transition. The current geopolitical context makes it even more urgent for the EU to ensure that its legal framework is fit for purpose. By agreeing on these further strengthened rules, we are delivering on our commitment to enhance our cybersecurity standards in the EU. Today, the EU shows its clear determination to champion preparedness and resilience against cyber threats, which target our economies, our democracies and peace.”

U.S. IT teams that do business with EU member states should be cognizant of the NIS 2 Directive’s details and make sure that all IT employees work in accordance with the rules outlined.

Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.
