What is the NIS2 directive?

Starting in December 2023 and going into 2024, several new important regulations on cybersecurity and digital operational resilience are coming into effect, affecting both the United States and the European Union (EU).

The SEC Cybersecurity rule was adopted in July 2023, came into effect on December 18, 2023 for most US public companies, takes effect on June 15, 2024 for smaller reporting companies, and will primarily affect US public companies in 2024 and beyond. Lacework previously provided a solution brief, webinar, and SEC materiality framework, which we encourage you to review for further information on the SEC Cybersecurity rule.

NIS2 (Directive (EU) 2022/2555) entered into force on January 16, 2023, and EU member states must transpose it into national law and apply it by October 17, 2024. NIS2, the successor to the original Network and Information Systems (NIS) Directive of 2016 (Directive (EU) 2016/1148), expands that framework to eliminate inconsistencies between member states and to establish a common set of cybersecurity standards and risk management practices, including incident reporting and information sharing obligations. It also formalizes a coordinated response to large-scale incidents through the European cyber crisis liaison organisation network (EU-CyCLONe) across EU member states, sectors, and businesses, with compliance mandated by October 17, 2024.

DORA will apply in the EU from January 17, 2025. The Digital Operational Resilience Act (DORA) is a new EU regulation on digital operational resilience for the financial sector and for the information and communication technology (ICT) third-party providers that serve it, such as cloud service providers and data analytics providers. The United Kingdom has introduced related legislation, the Financial Services and Markets Act 2023, which has many similarities to DORA but adds the ability to issue sanctions for non-compliance. The UK Act received royal assent on June 29, 2023.

This article will focus primarily on NIS2 compliance.

What are the key new elements of NIS2?

The primary new elements of NIS2, when compared to the prior NIS1, are as follows:

  • Broader scope than NIS1, with a new classification of organizations as "essential" or "important"
  • Greater penalties for non-compliance
  • Holds management and "management bodies" accountable
  • Stronger supervisory powers for national authorities
  • Specifically addresses supply-chain security, including supplier relationships
  • Lists ten minimum risk-management measures that all in-scope organizations must implement
  • Revised incident reporting requirements, with tight timelines
  • Provides for greater cross-border cooperation between member states

What entities are impacted by NIS2?

NIS2 applies to public and private entities that (i) belong to one of the sectors listed in its annexes, (ii) are medium-sized or larger under the EU's SME definition, and (iii) provide their services or carry out their activities in the EU. In-scope entities are classified as either "essential" or "important", which determines the supervisory regime and the fine ceiling that applies to them. The size cap means that small and micro enterprises are generally excluded, although some entities are in scope regardless of size (for example DNS service providers, TLD name registries, trust service providers, and providers of public electronic communications networks). Member states can exempt specific entities that operate in the national security, public security, defense, or law enforcement spheres.

From a practical perspective, the medium-sized threshold means that companies with at least 50 employees, or with an annual turnover or balance sheet total above €10 million, must have cybersecurity risk-management measures in place along with an incident handling process capable of responding and reporting quickly. From an infrastructure perspective, this requires full visibility into the estate, a continuously maintained overview of security issues (ranging from misconfigurations and vulnerabilities to over-privileged identities), and the ability to detect potential intrusions. NIS2 also extends its reach beyond the traditional critical industries to cloud computing service providers and digital providers such as online marketplaces and search engines.

What business sectors does NIS2 apply to?

NIS2 distinguishes between "high criticality" sectors and “other critical sectors” for prioritization purposes. These are defined by the EU as follows:

What are high criticality sectors within NIS2?

Sectors of high criticality: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, water and road); banking; financial market infrastructures; health, including the manufacture of pharmaceutical products such as vaccines; drinking water; waste water; digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, and providers of public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers); public administration; and space.

What are the other critical sectors within NIS2?

Other critical sectors: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital providers (online marketplaces, online search engines, and social networking service platforms) and research organisations.

What proactive steps must companies take to comply with NIS2?

To avoid fines and service disruption, companies must take proactive steps: measures to find and mitigate infrastructure risks, plus intrusion detection capabilities. Detection is essential because a significant incident must be reported to the national CSIRT or competent authority as an early warning within 24 hours of the entity becoming aware of it, followed by a fuller incident notification within 72 hours; where appropriate, the recipients of the affected services must also be informed. This is a tighter timeframe than even the US SEC rule, which requires disclosure within four business days of determining that an incident is material.

What are the specific cybersecurity requirements imposed by NIS2?

NIS2 imposes on all in-scope entities a minimum set of cybersecurity risk-management measures (Article 21), including:

  • Risk analysis and incident handling
  • Policies on the use of cryptography and encryption
  • Vulnerability handling and disclosure
  • Basic cyber hygiene and cybersecurity training
  • ICT supply chain security

The supply chain security requirement means that in-scope entities need to take into account the vulnerabilities specific to each direct supplier and service provider. In addition, each in-scope entity must consider the overall quality of the products and the cybersecurity practices of its suppliers and service providers, including their secure development procedures.

What incident reporting does NIS2 require? 

The definition of a reportable incident has been tightened[1] compared with NIS1: NIS2 only requires reporting of a significant incident, where "an incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned (Article 23(3)(a)) or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (Article 23(3)(b))."

However, the NIS2 reporting deadlines[2] are challenging. An early warning indicating "whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact" is required within 24 hours of becoming aware of the incident. Within 72 hours, an incident notification must follow which, where applicable, updates the early warning and indicates "an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise". A final report is then due no later than one month after the incident notification.

What supervisory powers does NIS2 provide?

NIS2 provides for proactive supervision[3] of essential entities: national authorities can carry out on-site inspections, regular and ad hoc security audits, and security scans, and can request evidence[4] that cybersecurity policies are implemented, such as the results of security audits carried out by a qualified auditor. Important entities are subject to lighter, ex post supervision (Article 33), triggered by evidence or indications of non-compliance.

What if I don’t adhere to NIS2 compliance?

In particular, NIS2 gives national authorities power[5] to order entities to cease conduct that infringes the directive, to implement recommendations made by the authority, and to make public aspects of their non-compliance. Where such measures prove ineffective and a deadline to remedy has lapsed, NIS2 also gives national authorities power to temporarily suspend[6] a certification or authorization concerning the services or activities of an essential entity, and to request that the relevant bodies or courts temporarily prohibit any natural person discharging managerial responsibilities at CEO or legal-representative level from exercising managerial functions in that entity.

NIS2 also introduces administrative fines[7] for non-compliance as follows:

  • Essential entities are subject to administrative fines of a maximum of at least EUR 10 million or of a maximum of at least 2% of the total worldwide annual turnover, whichever is higher.
  • Important entities are subject to administrative fines of a maximum of at least EUR 7 million or of a maximum of at least 1.4% of the total worldwide annual turnover, whichever is higher.

NIS2 is a cybersecurity regulation complementary to the General Data Protection Regulation (GDPR). In particular, if competent authorities become aware of NIS2 non-compliance that entails a personal data breach, they are required to notify the relevant data protection authorities without undue delay. This can result in a potential "double whammy" for entities, which must handle a cybersecurity incident under NIS2 and then also a privacy incident under GDPR. One caveat: where a data protection authority imposes an administrative fine under GDPR, Article 35 of NIS2 prevents the NIS2 authority from also fining the entity under Article 34 for the same conduct, so the overlap is in reporting and remediation effort rather than in duplicated fines.

How can companies comply with NIS2?

A key capability for NIS2 compliance is the ability to quickly detect attacks and to report on them with enough detail to meet the reporting requirements of the SEC rule, NIS2, and DORA. This attack detection capability goes well beyond simple risk ranking or cloud security posture management (CSPM). The attack detection requirements of NIS2 also align well with recent joint guidance from CISA and its Australian, New Zealand, Canadian, and UK partner agencies.

In security, time is your biggest enemy: it takes 241 days[8] on average to detect and contain a breach, but just 5 hours for an attacker to exfiltrate data. Sorting the true threats from an avalanche of alert noise and false positives is therefore an almost Herculean task for security practitioners.

How can Lacework help with NIS2 compliance?

Lacework can assist with NIS2 compliance and specifically with these cybersecurity items:

  • Risk analysis: With our CSPM, cloud infrastructure entitlement management (CIEM), and vulnerability capabilities, Lacework detects potential issues proactively and provides guidance on how best to fix them.
  • Incident handling: With our composite alerts, including our machine-learning powered anomaly detection, we provide the context needed to respond effectively to detected intrusions. The composite alert already contains the information needed to meet the reporting requirements. In particular, Lacework uses threat intelligence feeds of known indicators of compromise (IOCs) and checks whether any of those indicators are present in an environment. For unknown IOCs, anomaly detection and composite alerts provide additional context and indicators of a potential incident. This is critical for producing the timely and detailed early warning and incident notification that NIS2 mandates.
  • Encryption and cryptography: With our security posture management (*SPM) capabilities, we continuously identify basic misconfigurations and provide guidance on how best to fix them.
  • Vulnerability disclosure: With our code security offering, we surface previously unknown vulnerabilities. Companies can use those findings to follow responsible disclosure guidance.
  • ICT supply chain security: With our software bill of materials (SBOM) and software composition analysis (SCA) technology, we detect vulnerable third-party packages. With our active vulnerability detection context, we determine whether a vulnerable package is actually loaded or is "inactive" and therefore poses no immediate threat to the organization.
  • Compliance reports: Lacework provides detailed compliance reports on visibility, cloud posture, identity posture, risk and vulnerabilities, supply chain, and other relevant areas, which can serve as the evidence of implemented cybersecurity policies that authorities may request under Article 32(2)(g).[9]

NIS2 is coming into force soon, and entities have just months to prepare for compliance. Please reach out to learn more about how Lacework can help you easily achieve NIS2 and DORA compliance or watch an on-demand demo of Lacework to see our platform in action.

[1] Commission Guidelines on the application of Article 4(1) and (2) of Directive (EU) 2022/2555 (NIS 2 Directive), II.2.1, Notification of significant incidents to CSIRTs, competent authorities and recipients (14).

[2] NIS2, Article 23, Reporting obligations, paragraphs 3 and 4.

[3] NIS2, Article 32, Supervisory and enforcement measures in relation to essential entities.

[4] NIS2, Article 32(2)(g), Supervisory and enforcement measures in relation to essential entities.

[5] NIS2, Article 32(4), Supervisory and enforcement measures in relation to essential entities.

[6] NIS2, Article 32(5), Supervisory and enforcement measures in relation to essential entities.

[7] NIS2, Article 34, General conditions for imposing administrative fines on essential and important entities.

[8] Edgescan, 2023 Vulnerability Statistics Report; IBM, 2023 Cost of a Data Breach Report; 2023 Global Cloud Threat Report; SANS, 2022 Ethical Hacking Survey.

[9] NIS2, Article 32(2)(g), Supervisory and enforcement measures in relation to essential entities.