Renewal of the Network and Information Security Directive: Implications for public and private entities

The Network and Information Security (NIS) Directive established in 2016 (EU 2016/1148) defined for the first time so-called “critical economic activities”. These covered activities essential for basic services and basic life needs, such as electricity, gas and transport.

With the outbreak of the COVID crisis and the related increase in cyberattacks, the limits of the NIS Directive were revealed, pushing the European Union (EU) to strengthen its cybersecurity legislative package and renew the Directive.

The NIS Directive II (NIS II) was published on 27 December 2022 (EU 2022/2555) and should be implemented by each Member State during 2024. NIS II brings important improvements: it harmonises the rules at EU level and takes the current and expected cybersecurity situation into account. With these changes, the cybersecurity level and resilience should improve. However, given the extension of its scope, a quick implementation will be a challenge because of the current shortage of skilled staff in the cybersecurity sector. Many companies are not prepared to implement the required measures although they fall under the new NIS scope.


NIS Directive II – Main aspects

Extended scope:

  • Large and medium-sized enterprises are now in scope (from 50 employees and EUR 10 million turnover).
  • More sectors are covered: 16 sectors fall under its scope.
  • The entire supply chain has to be taken into account.

New classification of companies:

  • NIS II identifies essential (e) and important (i) entities based on their degree of criticality, instead of dividing them into Operators of Essential Services and Providers of Digital Services.

Changes in rules:

  • A minimum list of appropriate technical and organisational measures has to be applied to manage risks.
  • The timeline for incident reporting is shortened.
  • A single criterion for identifying companies ends national differences.

What do these changes imply?

NIS II broadens the number of entities falling under its scope through a single size-cap criterion and new sectors (essential or important). National authorities are therefore no longer responsible for identifying critical entities themselves, a process that had led to numerous differences between countries under NIS I.

  • Entities now have to self-assess whether they are subject to NIS II.
  • All entities are treated the same way; under NIS I, some large companies were listed as critical in some Member States (MS) but not in others.
  • The following sectors are new: providers of public electronic communications networks or services (e), space (e), public administration (e), wastewater (e), food (i), manufacturers of certain products such as medical devices and chemicals (i), postal and courier services (i), digital services such as data centre services (i), and waste management (i).

Furthermore, NIS II recognises the importance of risks originating in the supply chain. All covered companies now have to take their supply chain into account in their risk management.

Which measures should companies apply?

Companies, whether essential or important, now have to apply a list of minimum measures to manage their risks. This is an important change: under NIS I, the rules were defined by national authorities, leading to significant differences between countries and complications for companies operating in several MS.

These minimum measures are listed in Article 21. The most important ones are:

  • risk analysis and information system security policies,
  • incident handling, and
  • security in network and information systems acquisition, development and maintenance.

In addition, some important and essential companies could be obliged to certify (or to use already certified) ICT products, services and processes for specific activities (Article 24).

  • Entities falling under this obligation should pay close attention to the products, services or processes chosen for their information systems. The lists of certified products are usually published on the website of the national information security agency.


How can infodas help your company comply with the implementation of NIS II?

We are a leading cybersecurity consulting company whose services are certified by the German Federal Office for Information Security (BSI). We work closely with the German public administration and critical infrastructures (e.g., security consulting, auditing, pen-testing). For example, we have supported many entities in complying with the KRITIS law in Germany.

We can support companies with the implementation of the Directive, especially with the measures described in Article 21. The following activities can be offered to help enterprises develop, maintain, manage and monitor effective and sustainable IT security measures:

  • Risk assessment and analysis of IT processes and infrastructures
  • Definition and implementation of appropriate cybersecurity measures
  • Auditing on the basis of the German law for critical infrastructures (BSI Act)
  • Penetration testing to check whether the implemented measures are effective
  • Incident response planning / business continuity management

Furthermore, for the most critical entities (e.g., energy providers, rail companies, public administration), we also develop highly trusted, certified cybersecurity products: Cross Domain Solutions (CDS). CDS also contribute to raising the cybersecurity level of companies.

In these strategic sectors, CDS are used to secure the process of IT/OT integration and to prevent data leakage in the IT environment. These appliances are placed between the two domains, which were formerly separated by air gapping. As air-gapped systems are no longer the most secure or the best solution for a digital world, CDS control and inspect all data flows to and from the OT system. Each data flow is allowed or blocked according to a ruleset applied to the data: authorized data flows are predefined and coded into the appliance as security policies.

Even when connected to the IT side, the most critical networks are not put in danger, and their attack surface is reduced.

Information

Date: 09.01.2023

Location: Cologne, Germany

Topic: Consulting, Cross Domain Solutions, Press releases

Contact for questions:

infodas
Elsa Landry
Junior International Sales Manager
vertrieb@infodas.de
