31 January 2023
The NIS 2 Directive (Network and Information Systems Directive) was adopted by the European Parliament on November 10, 2022 and was published in the Official Journal of the European Union on December 27, 2022. Member states now have 21 months to transpose the directive into national law. But why transpose a new version of this text? What are the main changes in the regulations? How will SMEs and local government be affected? This article suggests some possible answers.
Ransomware, phishing, whaling – in 2022 it was once again clear that no company is safe from cyberthreats. After the cyberattacks on Kaseya and SolarWinds in 2021, “supply chain attacks” were once again widespread, with Okta (authentication) and GitHub (a platform for hosting source code) both compromised. Over the past few years, rather than attacking small, medium and large companies directly, cybercriminals have been choosing to target subcontractors to gain access to their clients’ networks more easily.
Because of this, as shown in our Security Navigator 2023 report, any company may now have to deal with a cyberattack. With a 5% increase in the volume of cyberattacks, 99,000 incidents were processed by our CyberSOC teams in 2022. With an average of 34 incidents per month per client, that represents no less than one incident per day and per company – a new record. In Europe, there was an 18% increase in the number of cyberattack victims in 2022. And contrary to what people might think, there are 4.5 times more VSBs and SMEs that fall victim to cyberextortion than medium and large companies combined. In particular, these companies are targeted by malware with the ability to encrypt IT systems and destroy backups. These types of attacks have led to companies going bankrupt in the worst cases. On October 30, 2022, Hugues Foulon, CEO of Orange Cyberdefense issued the reminder that “60% of companies that have been the victim of a cyberattack file for bankruptcy within six months.” This fact should encourage every company to prepare for the possibility of an attack.
In its first version, adopted in 2016, the NIS 1 directive was designed to identify companies in so-called “essential” sectors, where loss of service could lead to significant disruption to companies and to state services. Companies responsible for critical infrastructure in 19 sectors, such as health, energy or telecommunications, were then designated as OESs (operators of essential services).
Even though this first version represented a major step forward in standardizing security for the main European companies, it did not take into account subcontractors and local authorities, which have both been severely affected by security incidents these past few years.
The revision of this directive does not involve a drastic expansion of obligations, but a broadening of the sectors involved.
NIS 2 has multiple objectives:
In addition, there is one more significant change: NIS 2 marks the end of OESs and creates two new types of companies – Essential Entities (EEs) and Important Entities (IEs). The distinction between these two types of companies is based on how critical the company’s activities are.
The scope of application for NIS 2 is wider. The number of target sectors has increased from 19 to 35, including sectors such as wastewater processing, the supply of drinking water, and waste management. These new regulations will thus apply to all entities operating within these sectors within the European Union, whatever their size. This expansion of sectors will increase the number of entities affected tenfold.
Up until now, only companies designated as an OES (Operator of Essential Services), an OVI (Operator of Vital Importance), or DSPs (Digital Service Providers) were affected. From now on, local authorities, companies with over 50 employees and a turnover of more than one million euros as well as subcontractors of companies subject to the directive will have to comply.
What are the obligations for the companies affected?
The organizations affected by this new version must plan for new obligations such as:
Applying this kind of security policy involves investing in cybersecurity products. Whether it takes the shape of a SOC, EDR, or XDR, the response to these requirements may be complex for certain local authorities and SMEs that have fallen behind in the use of cybersecurity tools as well as the recruitment of internal skills for using such tools.
The European Directive sets out sanctions in the event of organizations’ failure to respect the obligations. These sanctions can take different shapes, such as fines (up to 10 million euros or 2% of the organization’s total annual turnover), criminal sanctions, or corrective measures. These sanctions are determined by the member states with the aim of ensuring they are effective, proportionate, and act as a deterrent.
In summary, NIS 2 is a new step forward in improving security for companies connected to critical infrastructure within member states. In an unstable geopolitical context, SMEs and local authorities in these sectors are facing governance and organizational challenges over the coming months. These challenges will be significant because, according to the Dutch MP Bart Groothuis, 160,000 entities will be required to enhance their security. To meet these challenges, these companies will require the services of qualified service providers to support them through their transformation.