NIS2: An Overview of What’s Coming and How to Prepare Your Clients
The Directive on security of network and information systems (NIS) was the first cybersecurity legislation passed by the European Union. Intended to achieve a common standard of cybersecurity across EU Member States, it was fraught with challenges since the beginning. For one, Member States interpreted the legislation in a variety of ways, effectively making it unenforceable.
The second iteration of the NIS Directive came into effect in January 2023. Generally referred to as NIS2, this legislation is still concerned with threat mitigation, but it defines a broader scope, more specific cybersecurity measures, and a higher degree of enforcement.
All EU Member States are required to transpose NIS2 into their national legislation by October 17, 2024. With that deadline right around the corner, and the legal obligation to comply once it passes, MSP clients who fall under the instrument are likely to have a lot of questions. Read on to find out what you need to know so far.
Overview of NIS2 Changes
We could write an eBook on the differences between NIS1 and NIS2 (and we are, actually). In the meantime, here’s a brief overview of the most significant changes.
Change #1: Scope
NIS2 has significantly expanded the number of organizations that fall under its scope. Covered entities are now classified by size (large and medium) and type (essential and important).
In terms of size, NIS2 applies to large companies that operate in critical sectors and to medium companies that aren’t essential but operate in sectors of high criticality. Size is further defined by number of employees, annual turnover, and annual balance sheet total.
Covered entities are further categorized by type. Essential services include the 7 sectors defined by NIS1, with 4 additions:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water supply and distribution
- Digital infrastructure
- Wastewater
- ICT Service Management (B2B)
- Public administration
- Space
Important services fall across the following 7 sectors:
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
Change #2: Measures
Article 21 lays out a list of 10 cybersecurity risk management measures that covered entities must implement to comply with the Directive. Those measures are:
- Policies on risk analysis and information system security.
- Incident handling.
- Business continuity, such as backup management and disaster recovery, and crisis management.
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- The use of multifactor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Change #3: Enforcement
To address the lack of enforcement seen with NIS1, NIS2 establishes a framework for sanctions. The new enforcement measures carry much harsher penalties for noncompliance than previously seen, including:
- National supervisory authorities have the power to levy non-monetary penalties such as compliance orders, security audits, and binding instructions.
- Member States are obliged to enforce minimum administrative fines, and those minimums differ for essential versus important entities.
- Management bodies face criminal sanctions when gross negligence results in a cybersecurity incident.
In relation to the last point, management bodies are now required to approve and oversee risk management measures and, when infringements or incidents occur, they can be held liable. To emphasize and understand the importance of their role, management bodies must undergo risk management and cybersecurity training.
Small Steps to Prepare for NIS2
As with NIS1, Member States are ultimately responsible for the legislation that instructs and enforces the NIS2 Directive – and covered entities won’t know those details until the October deadline has passed. For those proactive organizations out there, the Directive outlines several measures that can be acted on immediately.
Assessment
Much of the Directive focuses on the importance of risk mitigation. Covered entities can get one step ahead of what’s coming by performing a risk assessment to identify, evaluate, and prioritize weaknesses in their systems and processes.
Cybersecurity Controls
NIS2 doesn’t provide any specific security controls, or even reference a risk management framework. However, Article 21 does provide some specific information that’s likely to end up in national legislation. Proactive covered entities can start with MFA, encryption, access controls, and asset management.
Training
It’s unclear who will be considered management under national legislation and, therefore, who will require security awareness training. In our view, though, every employee should be aware of their role in maintaining cybersecurity. Start fostering a culture of security and compliance sooner rather than later.
Leverage Compliance Scorecard for NIS2
Looming deadline got your clients feeling overwhelmed? Fear not. Compliance Scorecard was designed for Directives like NIS2, and for MSPs looking to take the lead.
These are just some of the features you can leverage to get ahead on NIS2, and implement and manage the regulations when they’re finally out there.
- Perform Assessments: Use our scorecards to assess risk, assets, policies and more, and then have easy-to-understand conversations with your clients about next steps.
- Write policies and procedures: You can start writing some of the policies required under Article 21 with our expertly-designed policy templates. You can also have them authorized, adopted, and assessed, all in one convenient repository.
- Check controls: See how your client currently aligns with other major cybersecurity frameworks, like NIST CSF and CIS, and start developing effective mitigation strategies.
- Integrations: We partner with the top MSP tools out there to provide you the most effective toolkit for compliance and security. You’ll find integrations for vulnerability scanning, patch management, asset management, and more.
- Foster a culture of compliance: Compliance Scorecard brings your client into the compliance process, every step of the way. Your program is only as strong as their buy-in, and our features give you everything you need to get them engaged.
- Robust reporting: Reporting obligations will be rigorous for NIS2. Our platform not only generates detailed reports, it keeps everything NIS2-related tracked, categorized, and organized in one place.
No Need to Panic When You Work with Compliance Scorecard
As the deadline for NIS2 compliance approaches, MSPs should be prepared to guide their clients through the complexities of what’s coming. With a basic understanding of the key changes introduced by NIS2, MSPs can proactively assist their clients in mitigating risk and eventually achieving compliance.
By leveraging Compliance Scorecard and staying informed about the evolving NIS2 landscape, MSPs can position themselves as trusted advisors and help their clients navigate the challenges of cybersecurity in the European Union. Start streamlining the process ASAP! Sign up for a free demo to learn how it works.