Prepare your organization with Securden Unified PAM

What’s new in NIS2?

The improved version of the Networks & Information Systems Regulations (NIS), also known as NIS2, is the latest regulation for data protection that is primarily for organizations that work with the European Union (EU).

These converged set of controls help manage sensitive data comprehensively and are key to mitigate cyberattacks, allowing organizations that support critical infrastructure in the EU to immediately recover from incidents/breaches and operate with full efficiency.

NIS2 Objectives

The NIS2 proposal sets itself three primary objectives for harmonised sanctions across the EU:

1. To increase greatly, the level of cyber-resilience of businesses operating in the EU across all relevant sectors with a common set of rules for all public and private entities which fulfill important economic functions for society.
2. Maintaining consistency in resilience across the internal market by aligning the scope for all sectors previously defined, and new ones. The security and incident reporting objectives have also been made stringent.
3. Improving the level of joint situational awareness and collective capability to prepare and respond. This was done by establishing an EU-CyCLONe to support coordinated management of EU wide cybersecurity incidents and for regular exchange of information.

Introduction/Overview

The NIS 2 Directive (EU-wide legislative act: Directive (EU) 2022/2555) was released with the aim to achieve a higher level of cybersecurity for Networks and Information Systems (NIS) across entities that work with European member states. The guidelines released in the NIS 2 directive are to be adopted by member states within specific timelines, as mentioned.

Adoption Timelines

• By 17 July 2024 and every 18 months thereafter, EU-CyCLONe shall submit to the European Parliament and to the Council a report assessing its work.
• By 17th of October 2024: Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.
• By 18th of October 2024: They shall apply those necessary measures and the NIS 1* Directive (Directive (EU) 2016/1148) shall be repealed.

What has changed with NIS2?

The NIS 2 directive came from a proposal to revise the NIS directive which was successfully adopted by the European Commission.

It came as a response to growing threats posed with digitization and from the surge of cyberattacks. The main objectives were to streamline reporting obligations, introduce supervisory measures that were more stringent and make enforcement requirements stricter.

Key changes in the directive

The main differences between NIS and the newer NIS2 Directive are summarized:

• NIS 2 eliminates the classification and distinction between operators of essential services (OES) and providers of digital services (DSP). Instead, the NIS 2 provides different rules for "essential entities" and "important entities". DSPs have not disappeared from the list of target companies but have been redistributed among the list of essential and important entities.
• New sectors that were previously not in focus have been included in the NIS2 directive. These sectors are considered critical to the economy and public (e.g. postal & courier services, wastewater management, food, etc.
• Security requirements for supply chains and suppliers have been included and made stringent.
• The establishment of a European Cyber Crises Liaison Organization Network (EU-CyCLONe)
• Greater coordination is established in the disclosure of new vulnerabilities discovered throughout the Union and stricter supervisory measures for national authorities, stricter enforcement requirements and aims to harmonize sanctioning regimes across Member States.

NIS2 modernizes the existing (NIS) framework to keep up with the evolving cyberthreat landscape and increased digital adoption. With new sectors, it aims to improve the resilience of entities.

Who does the NIS2 directive apply to?

NIS 2 applies to any organization providing critical services in an EU member country, NIS 2 must be incorporated into the national laws of each EU member by 2024 October. These organizations are obligated to take appropriate measures as defined by the directive to manage and mitigate cyber risks and minimize the impact of incidents.

Classification of Critical Entities

Critical entities are classified as below, if your organization falls under a critical category as defined below, NIS2 directives apply to you.

Essential entities - Generally large organizations in highly critical sectors

"Essential" entities were previously defined in the NIS, but some sectors were additionally added in NIS2:

• Energy (electricity, oil and gas, covering production, storage and transmission activities - hydrogen as added by NIS 2)
• Drinking water
• Wastewater (collection, disposal or treatment of municipal wastewater, domestic wastewater or industrial wastewater)
• Transportation (air, rail, water, road)
• Banking
• Financial markets
• Digital infrastructure (Internet nodes; DNS service providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; providers of public electronic communication networks and public electronic communication services)
• ICT service management (managed service providers and managed security service providers)
• Governments (central, as well as regional, the latter only risk-based, but excluding defense or national security and law enforcement, as well as the judiciary, parliaments, and central banks)
• Healthcare (hospitals but under NIS now also includes reference laboratories, manufacturers of medical devices or pharmaceutical preparations and others)
• Space

Important entities - Mid-sized and large organizations as specified by NIS2

• Postal and courier services
• Waste management and management
• Accounting firms
• Digital providers (online marketplaces, online search engines and social networking platforms)
• Research organizations (excluding education)
• Production and distribution of chemicals
• Wholesale and industrial food production and processing
• Manufacturing of Medical devices
• Electrical equipment
• Motor vehicles, trailers and semi-trailers.
• Machinery and equipment

Medium and large companies from these sectors within the EU must now comply with NIS2. Smaller organizations could be included if they carry out critical functions.

While there is no difference in requirements between both these entities, essential entities will have to comply with supervision requirements from the introduction of NIS2, while important entities will be subject to ex-post supervision, meaning that action will be taken if authorities receive evidence of non-compliance.

Supporting Entities: EU-CyCLONe and CSIRT

As part of the NIS2 initiative, certain entities have been established to help with cooperation.

The EU-CyCLONe

As part of this initiative, the European cyber crisis liaison organization network (EU-CyCLONe) was established. The EU-CyCLONe supports the coordinated management of large-scale cybersecurity incidents to ensure the regular exchange of information among member states, union institutions, bodies, offices and agencies.

NIS Cooperation Group and CSIRT Responsibilities

The NIS Cooperation Group functions according to the European Commission and follows its own rules of procedure. On the operational side, the NIS Cooperation Group is supported by the work of the network of Computer Security Incident Response Teams (CSIRTs), dedicated to sharing information about risks and ongoing threats, and cooperating on specific cybersecurity incidents. The NIS Cooperation Group provides strategic guidance for the activities of the CSIRTs network.

These entities ensure that organizations meet the objectives of NIS2.

The Main Objectives of NIS2

The primary objectives of NIS2 can be divided into three categories,

• Responsibilities of member states
• Information exchange and cooperation with the govt
• Risk management and security measures to be taken by companies

This whitepaper/handbook will focus on the security measures that organizations are required to take and how a PAM solution can help comply with a number of NIS2 requirements.

Repercussions of not meeting obligations

A minimum set of administrative sanctions has been established in case organizations do not follow the obligations set in the NIS2 directive.

Administrative fines:
For essential entities: Administrative fines of up to 10,000,000 euros or at least 2% of the total annual global turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
For important entities: administrative fines of up to €7,000,000 or at least 1.4% of the total annual global turnover in the previous fiscal year of the company to which the key entity belongs, whichever is higher.

Reporting Obligations

All important and essential entities must notify about incidents that are ‘severe’. Local government, authorities, and CSIRT support and information sharing across entities are one of the main areas of regulation.

An incident shall be considered to be significant if:

• It causes or may cause severe operational disruption of the services or financial loss for the entity concerned.
• It affects or may affect other natural or legal persons by causing considerable material or non-material damage.

Precise provisions are introduced on reporting incidents, the report content and timing. Reporting must now be done within 24 hours of the discovery of the incident – Instead of 72 hours previously);

C-Level Management Now Accountable

To reduce the pressure that falls on the IT team personnel to maintain security across the organization, new measures have been introduced to hold C-level management responsible. NIS2 holds top level managers personally liable if gross negligence is proven after a cyber incident. The measures to be taken include:

• Ordering public announcement of compliance violations.
• Identifying person(s) responsible for any violation and give a public statement.
• Banning (temporarily) the identified individual from having a management role when violations are repeated.

How your business can prepare

While preparing for NIS2 can be tasking for large and small organizations alike, a step-by-step approach with proper roadmaps and planning can help with satisfying security requirements.

Review existing security controls

Go over the current security posture of your organization, assess risks based on your infrastructure, access controls and sensitive assets/data. Review incident detection and response management capabilities and define local/regional (EU)/global responsibilities.

Fill in any security gaps

Identify solutions that can help fill your IT security gaps, especially when it comes to data security. Look for solutions that can address security gaps, increase efficiency and operate at a reasonable cost. The solution must also be able to scale with growth in your organization.

Addressing NIS2 directives with Securden Unified PAM

Privileged Access Management (PAM) solutions help to address directive requirements in the segments of Access Control, Basic Cyber (Password) Hygiene, Zero Trust Policies, Supply Chain Security, Cryptography, and Encryption Tools.

A mapping of NIS2 requirements to global security standards has been released by ENISA. We have mapped major security controls that can be satisfied by Securden Unified PAM.

How Securden Unified PAM helps comply with NIS2

Securden Unified PAM has the capabilities to secure all sensitive data and protect access to resources used by critical entities. Regulations and mandates as per the NIS2 directive can be met through comprehensive access controls, customizable reports and auditing mechanisms, privilege management of endpoint systems and management of privileged remote sessions.

Important and essential entities can leverage these capabilities whether they operate on-prem, on cloud or have a hybrid distributed environment.