The NIS directive was adopted by the European institutions in July 2016 with the aim of ensuring a certain level of security for networks and information systems belonging to critical and sensitive infrastructures in EU member states. Six years later, revisions to this directive are gaining pace, with the first agreements between the Commission, the Parliament and the European Council in May and June 2022. The yet-to-be-adopted new NIS2 Directive is already prompting many questions about its implications and scope of application. Here’s why.
Broader involvement by stakeholders
The increase in cyber-attacks in recent years is forcing EU Member States to increase their levels of security to protect citizens, local and regional authorities and businesses. To meet this challenge, the NIS Directive is being reformed, harmonised and strengthened in version 2.0. According to Thierry Breton, European Commissioner for Internal Market, this reform must “further secure critical services for society and the economy” and enable a “modernisation of the rules”.
The first degree of harmonisation will clarify the sectors concerned, and this is the main question continually asked on the subject: is my company affected by the NIS2 Directive? Stipulated in the Official Journal of the European Union, there are 18 sectors affected, divided into critical and highly critical sectors. There are 11 highly critical sectors: energy (electricity, heat and cooling networks, oil, gas, hydrogen), transport (air, rail, water and road transport), the banking sector, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. Meanwhile, there are nine critical sectors: postal and shipping services, waste management, manufacture, production and distribution of chemical products, production, processing and distribution of foodstuff, manufacture (manufacture of medical devices, IT, electronic and optical products, electrical equipment, machines and equipment, automotive vehicles and other transport equipment), digital suppliers and research. Delving further into the description, a list of entities is stipulated in the European directive, corresponding to business activities. The size of the entity is also one aspect to take into account with the NIS2 directive, as the number of employees (greater than or equal to 50) or the revenue (or annual balance sheet, greater than or equal to €10 million) are also selection criteria.
This list is not exhaustive and some details are yet to be defined in connection with national transpositions, for example to integrate or exclude entities on an individual basis (following a national risk analysis or a national defence and security clause). Regarding French national territory, Guillaume Poupard, former Director General of the ANSSI, declared in June 2022 that the NIS2 directive would considerably extend its scope, representing “a tenfold increase in the number of stakeholders classified as operators of essential services (OESs).” To date, there is no official figure for the number of companies affected, but initial communications from the ANSSI mention several thousand French organisations being affected by the NIS2 Directive. Furthermore, in order to more effectively adapt the regulation to each sector's specific characteristics, the ANSSI is working with professional and sector organisations (federations, unions, etc.). Initial consultations were carried out at the start of 2023.
Together with the public administration sector, local and regional authorities are therefore included in this reform. According to an interview with Yves Verhoeven, Deputy Director of Strategy at the ANSSI, speaking to the La Tribune newspaper, “the revised NIS provides the option of regulating local authorities and imposing cybersecurity rules on them.” It should be noted that this is only an option: as explained above, each Member State has the right to extend the scope of the new directive to its local administrations.
Overlooked in the first version of the directive, players in the supply chain (subcontractors and service providers) with access to critical infrastructure will also be subject to NIS2. That’s because flaws in a provider’s infrastructure could jeopardise the security of the OESs for which it works. The cyberattack on Kaseya in July 2021 is an unfortunate and well-known example of such supply chain attacks. Once NIS2 has been implemented, the reality on the ground will be very different. For example, in the energy sector, security measures will no longer be imposed solely on electricity producers, transporters and distributors. And all critical infrastructure subcontractors will also be affected. In particular, service providers and other digital services companies will be obliged to report any security incident within 72 hours in order to contain the spread of the attack. It is therefore to be expected that small and medium-sized companies will quickly recruit a CISO role to meet security requirements and continue to work with large accounts. This adds further tension to a labour market that already seems to be at breaking point...
NIS2: the beginning of the end for OESs
Before we talk about their end, let’s start with a quick definition: what is an OES? Designed as an extension of the OIV (operator of vital importance) status established in France by the 2013 Military Planning Act, an OES is an essential service operator for whom an IT system or infrastructure failure would have a significant impact on the functioning of the French economy or society.
However, with the inclusion of subcontractors and service providers in charge of critical infrastructure and in particular a semantic movement, the NIS2 Directive signals the end of the OESs. From now on, the scope of these regulated operators will be divided into two types of players: essential entities (EEs) and important entities (IEs), which will be differentiated according to the criticality of the associated sectors. Here, the NIS2 Directive includes proportionality between entities in terms of security measures, regulation and also penalties. This is a logical approach, as critical entities will obviously have a greater impact than important entities in the event of a service outage. The end of operators of essential services (and digital services providers), and the adoption of the essential and significant business categories, are intended to harmonise all obligations upon these stakeholders.
This desire for harmonisation also raises questions, as companies and operators will be responsible for designating themselves as EEs or IEs. To do so, they will base their decision on one of the sectors of activity previously targeted and the size of their entity (medium to large company, medium-sized company and small and micro company). A basic rule states that essential entities will in particular be major entities belonging to the 11 highly critical sectors. In addition, each Member State will, at its own discretion, be able to designate certain operators as essential or important according to piecemeal adjustment mechanisms.
A new binding dimension to the Directive
According to Thierry Breton, this reform of the directive provides greater security for entities “by implementing a system of obligations and sanctions.” The NIS2 directive is a “major step forward”, according to the European Commissioner, extending its coercive powers. But what are the obligations of essential entities and important entities? First of all, the obligation to declare a loss makes it possible to react as quickly as possible and contain the cyber threat. Although the directive stipulates initial incident notification within 24 hours, it leaves room for manoeuvre in terms of national transposition, particularly regarding the time period for implementing security measures. At the time this article was written (and updated), the deadlines to implement the directive for relevant entities have not yet been stipulated. At the same time, companies, subcontractors and local authorities will be required to undergo safety audits in order to receive recommendations and thus meet stringent safety standards. Risk and IT system security analysis, incident management, business continuity, supply chain security, IT system acquisition, development and maintenance security, the assessment of cyber risk management measures, basic practices (such as cyber hygiene and training), human resources security and the use of multifactor authentication solutions are all security measures provided for by the NIS2 Directive.
For companies that fail to cooperate or that contravene the regulations, the NIS2 Directive has also introduced revised sanctions. In the event of a security incident and a refusal to cooperate with the authorities, NIS2 provides States with a right of injunction. Companies will therefore be forced to comply with the State’s request, and may be subject to fines of between 1.4% and 2% of turnover. As in the case of the former OES status, the manager may be liable.
But while this reform aims to improve security, it also raises budgetary issues. For the thousands of companies affected, executive committees will be required to focus on their budgets for investment in cybersecurity products – and allow more flexibility in this area. And what about local municipalities, departments and regions? With less flexibility than their private counterparts, these entities will be forced to make do with the opportunities available to them (such as the France Relance plan), with restricted budgets and a lack of human resources. This is a gap in terms of tools and skills that is already difficult to fill, especially for small and medium-sized communities today, and the situation is likely to get even worse following the implementation of the NIS2 directive.
When is NIS2 coming? The answer to that question is not so simple. Although the European Parliament officially adopted the new NIS2 Directive on Thursday 10 November 2022, transposition at a national level is due to take place by 17 October 2024. However, consultation phases are scheduled for the second half of 2023, concerning the preparation of other regulatory texts (decrees, orders). Its implementation, at national level, is therefore not expected before the very end of 2023 or early 2024. But will this give all the entities concerned time to prepare for a major change in the face of the cyber threat?