Out-Law News 3 min. read
08 Jul 2024, 2:42 pm
Businesses in the digital industry have until 25 July 2024 to comment on the European Commission's new proposals on cybersecurity measures under the second Network and Information Security (NIS2) Directive.
The NIS2 Directive on measures for a high common level of cybersecurity across the EU (NIS2) directive came into force in the EU on 16 January 2023 and has to be implemented into national laws across the EU by 17 October 2024. It builds on the original NIS directive which took effect in the EU in 2018. It is broader in its scope than the original directive, meaning more public and private organisations will be subject to its extended set of cybersecurity risk management and incident reporting obligations.
The NIS2 contains a number of so called Implementing Acts, specifying certain obligations in more detail. Now, the European Commission has sought feedback on the draft implementing act that is aimed at clarifying the technical and methodological requirements around cyber security risk management and to further specify the cases in which a security incident should be considered to be a 'significant incident'. This means that businesses such as cloud services, online marketplaces, social media services and search engines have to apply the directive.
Christian Toon, cyber security expert at Pinsent Masons, said: "Finally with NIS2 we’re seeing greater traction in the adoption of security controls, regulation in this space is finally starting to move the dial on security maturity for organisations previously out of scope. Organisations can now be clear on what is expected with regards to 'appropriate technical and organisational controls'. Accountability is assigned to the management of these organisations, so they must now take responsibility for their cyber security maturity. Financial penalties if they get this wrong are now more significant, it makes simple business sense to invest in the cyber controls now and avoid costs later on."
"Partnering with experts who can assure of the legal compliance as well as the practical operational controls will be vital for organisations and directors to navigate this directive successfully,” Toon said.
The draft implementing act seeks to clarify what constitutes a "significant incident" to be reported under the directive. Here, the draft sets out general criteria, but also specific criteria for the individual sectors, for example for data centres, cloud service providers and online marketplace providers. It also sets out rules on cybersecurity risk management measures.
Andre Walter, an Amsterdam-based data protection expert at Pinsent Masons, said: "The draft implementing legislation focuses on both policy and operational compliance with NIS2. At a strategic and tactical level, covered entities should establish a policy framework for the security of their network and information systems, and at an operational level they should have in place topic-specific procedures, such as for authentication, access control, incident handling and the like. Although the draft implementing legislation is currently out for consultation, it provides sufficient detail for organisations to start planning the development and implementation of such policies and procedures. The three months remaining before NIS2 becomes nationally applicable should be used wisely."
The draft implementing act clarifies that organisations will have to detect anomalous behaviour and potential incidents. They should monitor their network and information systems and prepare to evaluate potential incidents. These measures should recognise network attacks based on anomalous patterns of incoming or outgoing data traffic and denial of service attacks quickly.
According to the proposals, the affected businesses should establish a supply chain security policy which governs their relations with their direct suppliers and service providers and agree on security clauses in their supplier contracts, for example by requiring cybersecurity risk-management measures.
The proposals further envisage that relevant entities will carry out security tests regularly, as well as apply appropriate security patch management procedures in alignment with their change management procedures – and avoid security patches introducing additional vulnerabilities or instabilities.
The draft also states that "relevant entities should manage the risks stemming from the acquisition of ICT products or ICT services from suppliers or service providers and should obtain assurance that the ICT products or ICT services achieve certain cybersecurity protection levels, for example by European cybersecurity certificates and EU statements of conformity for ICT products […]" It also highlights the need for appropriate network security solutions such as firewalls and malware detection and repair software.
"The relevant entities should also consider implementing measures to minimise the attack surface, reduce vulnerabilities that can be exploited by malware, control the execution of applications on user workstations or user end devices, and employ email and web application filters to reduce exposure to malicious content," it said.
Under the proposals, the relevant businesses would also have to protect their systems against external physical threats such as fire, floods and earthquakes.
According to the draft implementing act, relevant entities that are unable to implement the act due to being too small would be expected to implement other alternative measures suitable to achieve the same purpose of the requirements.
The Commission has until 17 October 2024 to complete the implementing act. The public can give their opinion until 25 July via the ‘Have your say’ portal.