NIS2: Directive on Cybersecurity Measures Published


The NIS2 Directive, Directive (EU) 2022/2555 (NIS stands for Network and Information Security), establishes an information security framework to protect information systems and networks within the European Union, with the aim of preventing attacks and ensuring service continuity.

The Directive sets cybersecurity obligations for Member States, cybersecurity risk management measures and notification obligations for the entities within its scope, obligations on the exchange of cybersecurity information, and monitoring and enforcement obligations for Member States. Transposing it will require updating the Spanish rules in Royal Decree-Law 12/2018 and Royal Decree 43/2021.

To which companies does the NIS2 Directive apply?

The NIS2 Directive is mandatory for companies with more than 250 employees and an annual turnover of 50 million euros or more. Compliance is also required of operators of essential services and digital service providers operating within the European Union. These services include, among others, energy, transportation, healthcare, banking and finance, and telecommunications.

It applies to both the public administration and medium to large-sized companies in certain sectors, such as waste management, chemical, pharmaceutical, and food industries, heavy machinery manufacturing, postal services, vehicles, and more.

Additionally, it also applies to companies that process large amounts of personal data, such as cloud hosting service providers.

The second version of the Directive excludes national defense and security, public security, police, the judiciary, parliaments, and central banks from its scope.

What does NIS2 indicate to prevent possible cyber incidents?

The directive promotes cooperation and coordination among EU countries in the field of information security, allowing for a more effective response and better preparedness for possible cyber incidents.

The new NIS2 Directive requires Member States to:

  • Adopt cybersecurity strategies.
  • Designate or establish competent authorities.
  • Appoint cybersecurity crisis management authorities.
  • Specify single points of contact for cybersecurity.
  • Establish computer security incident response teams (CSIRTs).

Specifically, the European Network of Cyber Crisis Liaison Organizations (EU-CyCLONe) has been created to improve coordination in managing large-scale cybersecurity incidents.

Additionally, the European Union Agency for Cybersecurity (ENISA) will play a more prominent role in promoting cybersecurity requirements and actions for prevention, detection, and response to cyberattacks among Member States and competent authorities.

What are the main novelties of NIS2?

This is the second version of the directive, an improvement over the first version, Directive (EU) 2016/1148, which has been repealed.

In addition to expanding its scope and improving coordination and cooperation, as mentioned earlier, the main improvements or novelties compared to the first version include:

  • Harsher penalties for non-compliance, including significant fines and administrative sanctions. Measures range from warnings and binding instructions to fines of up to two million euros, which may even reach 2% of the organization’s annual revenue.
  • Responsibility of company executives. The Directive requires governing bodies to approve and oversee the implementation of technical, operational, and organizational measures, as well as measures to prevent incidents and minimize their impact if they occur.
  • New security requirements. New obligations include end-to-end encryption, periodic training for the governing bodies of essential entities and similar training for their employees, privacy by default and by design, crisis management, certification of their services, products, and/or systems under European cybersecurity certification schemes, and the handling and disclosure of vulnerabilities.
  • Strengthened supply chain security and supplier relationships. In the case of critical operators, companies may require their suppliers to comply with the regulation.
  • Mandatory incident reporting. As with the GDPR, the NIS2 Directive requires operators of essential services and digital service providers to report certain types of serious incidents to the relevant authorities within 72 hours. It also requires them to notify their designated CSIRT without undue delay of security incidents with a significant impact.
  • Full integration with sectoral regulations, such as the Digital Operational Resilience Directive (DORA) for the financial sector and the Resilience of Critical Entities Directive (CER).

When does the NIS2 Directive come into effect?

The Directive entered into force on December 27, 2022, following its publication in the Official Journal of the European Union. Member States have until October 17, 2024, to transpose it and to adopt and publish the measures necessary to comply with it.

How can we help you implement the Directive?

The NIS2 Directive is an important step to ensure greater security in the digital age and to protect EU interests in information security. Its implementation in organizations is expected to continue improving the security of information systems and networks throughout the EU.

At GlobalSuite Solutions, we offer the necessary assistance and guidance for the implementation of the NIS2 Directive. Additionally, we have the GlobalSuite® Security software, which can help your organization:

  • Streamline document management: Create, update, and manage the documents needed to comply with NIS2 requirements, such as security policies, incident response plans, and security records.
  • Regulatory compliance: Define and monitor NIS2 requirements to ensure they are met in all areas of the organization.
  • Control security risks: Identify and manage information security risks and implement controls to mitigate them.
  • Implement security measures: The platform facilitates the implementation of the specific security measures required by the NIS2 Directive, such as strong authentication and access controls.
  • Monitor and improve security: The software provides continuous monitoring of information security and lets you make improvements based on the organization’s needs.
  • And more.