NIS 2: Implications and Strategies for European Organizations
The NIS Directive (Directive (EU) 2016/1148) was launched on July 6, 2016 and was the first comprehensive European Union directive on cybersecurity. The directive aims to ensure that EU member states adopt common security and resilience measures focused on preventing and responding to incidents and threats. In Portugal, for instance, NIS 1 was transposed into Law no. 46/2018.
The successor – NIS2 (Directive (EU) 2022/2555) – introduces a series of changes, improvements and simplifications from the perspective of risk management and incident handling, also extending its applicability to more sectors and, thus, organizations.
NIS vs NIS2: What has changed?
The most significant change from NIS 1 to NIS 2 is that whereas NIS 1 offered recommendations and best practices, NIS 2 includes regulatory provisions that are mandatory. Non-compliance with these provisions can result in severe penalties.
The main changes are:
- Broadening the scope: NIS2 extends the scope of its predecessor to digital services (e.g. data center services), manufacturers of certain critical products, postal services and public administration.
These sectors are classified as “Highly critical sectors” or “Other sectors”. Entities can be “Essential” or “Important”, and these classifications determine the level of supervision and how the Directive is applied. The criteria that define which companies must comply are more detailed and include, for example, the number of employees and turnover.
- Security requirements: Introduction of fundamental cybersecurity measures including risk analysis, security policies, incident response, crisis management and business continuity.
- Collaboration: Creation of EU CyCLONe to coordinate the management of large-scale incidents in the European Union.
- Incident reporting: Clearer guidelines for the incident reporting process and its deadlines, making it mandatory to notify the authorities within 24 hours of an incident and to provide a monthly update.
- Tougher sanctions: It provides for stricter penalties for non-compliance, which in the case of essential organizations can be up to 2% of annual turnover or at least 10 million euros, whichever is higher.
- Responsibility of Management Bodies: NIS2 aims to make the management of organizations responsible for implementing and complying with security measures.
What are the challenges for companies in achieving NIS2 compliance?
Among the various challenges that organizations face, this article considers it relevant to highlight the importance of security in the supply chain, this requirement being one of the additional controls that the organizations concerned have to implement and manage. In practice, this means there is an indirect application to all companies that supply services and products used by critical and essential organizations. It is referred to as an indirect application because it will be natural for those organizations to make greater demands on their entire supply chain.
We would point out that there is a growing tendency for malicious actors to focus their attacks on the supply chain. This is because the supply chain often spans all of an organization’s activities and processes, from the creation and production of a product or service through to its delivery, and is usually made up of several interconnected links.
This complexity offers various opportunities for exploitation by malicious actors. It is therefore crucial, and at the same time a tremendous challenge, to implement measures to mitigate the risks inherent in the supply chain, be they technological, procedural or contractual.
An attack through the supply chain usually happens when the malicious actor, using an attack vector such as exploiting a vulnerability in software, a product or a system, compromising the supplier’s infrastructure, or taking advantage of a compromised user, obtains privileges that allow the attack to spread between organizations, advancing through the links in the supply chain. This approach allows the attacker to cross different parts of the chain, extending its reach.
It should be noted that operators of critical and essential infrastructure are highly dependent on outsourced services, which makes it difficult to control the supply chain in depth.
In short, the difficulties that organizations face in managing security in the supply chain are:
- Lack of understanding of the real risk posed by the supply chain of services and products;
- Limited in-depth visibility of the entire supply chain;
- Not knowing how, or lacking the capacity, to address supplier security effectively.
Naturally, it will be up to each organization to govern security and risk management in the supply chain, but there are cross-cutting aspects and efficient approaches that can be taken into account when implementing policies.
The first aspect is defining who, or which teams, are responsible for managing security in the supply chain. The larger the organization, the greater the need to appoint a person directly responsible. With or without a dedicated team, this figure is essential for building policies that fit the business processes, understanding the needs of the business and, above all, understanding and managing the risk for each process.
The second aspect is an in-depth understanding of the supply chain. Although NIS 2 only mentions direct suppliers in its requirements, knowing all, or a large part, of the chain will make it possible to address more risks and, consequently, implement more measures and controls to manage that risk.
Finally, how should suppliers that are part of the supply chain for critical business processes be addressed, and what should be demanded of them? This must be properly defined in security policies and can be broken down into several categories, depending on the supplier and the risk it poses to business processes. An increasingly common method is to demand security certifications, supported by the implementation of risk management systems such as the ISO 27000 series. Another is to use in-house resources to conduct in-depth due diligence on how the supplier approaches information security in its service, product and organization. More demanding policies may require companies to carry out their own audits, with a view to specialized and independent security assessments.
In short, critical and essential operators will have to understand the risks that their suppliers bring to them, classify them according to those risks, implement measures to control and monitor them and carry out the necessary due diligence to demand the appropriate security standards.
What strategies can be used to achieve compliance?
As a strategy for compliance with the directive, we have identified one that seems the most effective: implementing ISO 27001:2022. This standard defines a framework setting out the requirements for an Information Security Management System (ISMS) focused on risk management. Correctly implementing an ISMS allows companies to move closer to compliance with the NIS2 directive as a whole.
A direct connection can be established between one of the most relevant articles of the directive, Article 21 (Cybersecurity risk management measures), and Annex A of ISO 27001:2022; in this context, the standard can be used as an effective tool to achieve compliance. In addition, the National Cybersecurity Reference Framework, together with its implementation guide, provides another route to compliance. Organizations can opt for either framework; choosing ISO 27001 includes the possibility of certification, which can be beneficial not only for compliance but also at a business level. When adopting the National Framework, the aim is not so much certification as enriching the implementation of measures that strengthen the company’s security and resilience posture.
Conclusions and recommendations
This article highlights the great expansion of requirements and scope of applicability under NIS2, and thus the increased impact on organizations operating in Portugal. While organizations in critical sectors (e.g. critical infrastructures), already covered by the previous version of NIS, should be better prepared and closer to compliance – which translates into greater resilience against the threats they face – there is now a very wide range of organizations that will certainly have a long way to go.
One of the approaches proposed in this article is to implement an ISMS based on the ISO 27001 standard, which makes it possible to implement in full the controls and requirements that NIS2 demands. Of course, implementing the ISMS alone is not enough; the specific NIS2 guidelines must be included when implementing the standard’s controls, for example by including in the incident response procedures and policies the communication channels and protocols with the European network.
The importance of security in the supply chain was also highlighted, as an additional requirement of NIS2 compared to NIS; this is in itself a complex topic to address because of the great interdependence between critical and essential operators and their suppliers’ services and products.
ANNEX
Looking at Article 21 of NIS2, which is the most concrete in terms of the controls that companies have to implement, a direct mapping can be made to the clauses of ISO 27001:2022 and the controls in its Annex A:
| NIS 2 (Article 21) | ISO 27001:2022 (clauses and Annex A controls) |
|---|---|
| Article 21(2)(a): Risk analysis and information systems security policies | Clauses: 5.2 Policies; 6.1.2 Information security risk assessment; 6.1.3 Treatment of information security risks; 8.2 Information security risk assessment; 8.3 Treatment of information security risks. Annex A: 5.1 Information security policies |
| Article 21(2)(b): Incident handling | Annex A: 5.24 Information security incident management planning and preparation; 5.25 Evaluating and deciding on information security events; 5.26 Responding to information security incidents; 5.27 Learning from information security incidents; 5.28 Collecting evidence; 6.8 Reporting information security events |
| Article 21(2)(c): Continuity of activities, such as backup management and disaster recovery, and crisis management | Annex A: 5.29 Information security during a disruption; 5.30 Preparing ICT for business continuity; 8.13 Safeguarding information; 8.14 Redundancy of information processing facilities |
| Article 21(2)(d): Security of the supply chain, including security aspects concerning the relationship between each entity and its suppliers or direct service providers | Annex A: 5.19 Information security in relations with suppliers; 5.20 Information security approach in agreements with suppliers; 5.21 Information security management in the ICT supply chain; 5.22 Monitoring, review and change management of supplier services; 5.23 Information security for the use of cloud services |
| Article 21(2)(e): Security in the acquisition, development and maintenance of network and information systems, including the treatment and disclosure of vulnerabilities | Annex A: 5.37 Documented operating procedures; 8.8 Technical vulnerability management; 8.9 Configuration management; 8.20 Network security; 8.21 Security of network services |
| Article 21(2)(f): Policies and procedures for assessing the effectiveness of cybersecurity risk management measures | Clauses: 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review. Annex A: 5.35 Independent information security review |
| Article 21(2)(g): Basic cyber-hygiene practices and cybersecurity training | Clauses: 7.3 Awareness; 7.4 Communication. Annex A: 6.3 Information security awareness, education and training |
| Article 21(2)(h): Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Annex A: 8.24 Use of cryptography |
| Article 21(2)(i): Security of human resources, policies on access control and asset management | Annex A: 6.1 Screening; 6.2 Terms and conditions of employment; 6.4 Disciplinary procedure; 6.5 Responsibilities after termination or change of employment; 6.6 Confidentiality or non-disclosure agreements (NDAs); 5.15 Access control; 5.16 Identity management; 5.17 Authentication information; 5.18 Access rights; 5.9 Inventory of information and other associated assets; 5.10 Acceptable use of information and other associated assets |
| Article 21(2)(j): Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communications systems within the entity, where appropriate | Annex A: 5.16 Identity management; 5.17 Authentication information; 5.14 Information transfer |
| Article 21(3): Secure development procedures | Annex A: 8.25 Secure development lifecycle; 8.26 Application security requirements; 8.27 Secure systems architecture and engineering principles; 8.28 Secure coding; 8.29 Development and acceptance security testing; 8.30 Outsourced development; 8.31 Separation of development, test and production environments; 8.32 Change management; 8.33 Information on tests |
| Article 21(4): Member States shall ensure that an entity which concludes that it does not comply with the measures set out in paragraph 2 takes all necessary, appropriate and proportionate corrective measures without undue delay | Clause: 10.2 Nonconformity and corrective action |
Authors
Luís Gonçalves
Sérgio Alves