Cyberattacks are proliferating and becoming increasingly sophisticated. The 2022 attacks made it clear that cyberthreats such as ransomware, phishing, and CEO fraud (“presidential fraud”) do not discriminate between small, medium, and large businesses. The trend toward “supply chain attacks”, in which attackers go through subcontractors to reach their customers’ networks, has been on the rise, with notable compromises such as SolarWinds. In 2020, SolarWinds, a company specializing in network management and IT security software, revealed that it had been infiltrated by cybercriminals who compromised its Orion software. The attackers inserted malicious code into updates for Orion, which were then distributed to many client organizations and led to the compromise of the networks of numerous companies and government agencies that used the software. This widely publicized attack was called a “supply chain attack” because it exploited users’ trust in software updates from a reputable source. It had far-reaching repercussions and highlighted potential vulnerabilities in the software supply chain, prompting many companies to strengthen their security measures against such attacks. Instead of attacking companies directly, cybercriminals are increasingly using their subcontractors to penetrate their customers’ networks more easily. All companies are now vulnerable to cyberattacks. Small and medium-sized businesses are 4.5 times more likely to fall victim to cyberattacks than larger companies combined. They are specifically targeted with malware that can encrypt their information systems and destroy their backups. In the most severe cases this approach has caused business failures, which underlines the importance of every company being prepared for an attack.
Against this background, the NIS2 Directive (Directive on the Security of Network and Information Systems) is a major development aimed at strengthening the protection of digital infrastructures in Europe. The NIS2 Directive, the successor to the NIS 1 Directive, is one of a number of major initiatives aimed at creating a more robust and harmonised framework for the security of network and information systems. For many companies, this new directive is the subject of much debate and questioning. What will its impact and significance be for companies and administrations in the EU?

What is the NIS2 Directive?
The NIS2 Directive (Network and Information Security, version 2) is a European regulation designed to harmonise and strengthen cybersecurity within the EU. It is the successor to the NIS 1 Directive and introduces new measures to ensure a high level of security for network and information systems. The NIS2 Directive was adopted in January 2023. EU member states will have a certain period of time to transpose this directive into their national legislation.
Who is affected by NIS2?
The NIS2 Directive covers a wide range of business sectors and is aimed at private companies, public administrations and other entities operating within the EU.
One of the strategic objectives of NIS2 is to expand the scope of NIS to cover essential service operators and digital service providers in sectors deemed “critical for the economy and society”. NIS2 will cover providers of public electronic communications services, digital services (covering social networking platforms and data centre services) and healthcare services, including entities operating in the medical devices and life sciences sectors, in particular pharmaceutical research and development, and manufacturers of medical devices.
The NIS 2 Directive mainly concerns two categories of entities:
Operators of Essential Services (OES) / Essential Entities (EE): already covered by the first version of the Directive (NIS 1). OESs/EEs are entities that operate services essential to society and the economy. This includes sectors such as energy, transport, healthcare, banking and financial services, water, digital infrastructure and digital services.
Digital Service Providers (DSP) / Important Entities (IE): DSPs/IEs are companies or organisations that provide digital services, such as cloud services, online platforms, search engines, e-commerce services and other similar services. They are covered by the Directive if they meet certain thresholds in terms of the number of users or the economic value of the services provided.
According to the NIS 2 Directive, an entity qualifies as essential or important on the basis of two criteria:
- the size of the entity (number of employees, sales, annual balance sheet);
- the criticality of its business: the sector and type of activities carried out by the entity.
What are the most important changes compared to NIS1?
The NIS 2 Directive introduces several important changes compared to the NIS 1 Directive, including:
Expansion of the scope of application: NIS2 extends the scope of the Directive to a wider range of business sectors and digital service providers, meaning that new categories of businesses could be subject to cybersecurity obligations.
Improved security requirements: The directive imposes enhanced security requirements, including stricter emergency preparedness and incident management measures, as well as stricter incident reporting obligations.
Security score: NIS 2 introduces a security scoring system to assess the resilience of DSPs and OESs. This will allow competent authorities to identify players with higher levels of security.
The NIS 2 Directive introduces several new obligations for the entities concerned. For essential and important entities, new technical, organisational and operational measures will need to be put in place:
- Contractual obligation for security in the supply chain. Entities must ensure that information security is maintained throughout the supply chain. This means that suppliers, subcontractors, and other partners must also adhere to appropriate security standards.
- Reporting obligation. The directive requires that security incidents with a significant impact on the continuity of essential services be reported to the competent authorities within a specified timeframe.
- Management responsibility. Management is responsible for ensuring that security policies and procedures are implemented, maintained and reviewed regularly.
What measures must companies and local authorities take to comply with the NIS2 Directive?
Companies and local authorities will need to strengthen their security standards, establish incident reporting mechanisms and possibly conduct risk assessments and security audits. They will also need to work closely with the relevant national authorities.
Implementation of specific cybersecurity measures:
- implementation of risk analysis and security policies for information systems: each entity must review its structure to assess its cyber risk;
- incident management;
- business continuity plans (BCP) and disaster recovery plans (DRP): measures to ensure continuity of operations in the event of an incident, including, for example, proper management of backups and crisis management measures;
- security in the acquisition, development and maintenance of networks and information systems;
- assessment of cyber risk management measures;
- the application of cryptographic policies and procedures, and the use of cryptographic techniques to encrypt information for better protection;
- asset management and access control policies: exemplary access control, to avoid intrusions and benefit from robust security;
- training employees in good cyber hygiene, including best practices to be systematised throughout the company;
- implementation of multi-factor authentication solutions: multi-factor authentication (MFA) and strong authentication should be favoured for increased security;
- the obligation for companies to issue a first warning to ANSSI within 24 hours in the event of a security incident.
What risks does a company face if it does not comply with this directive?
Companies that do not comply with the NIS 2 Directive may face financial penalties. NIS 2 will introduce a system of fines for non-compliance. Maximum potential fines for non-compliance could amount to either €10 million or 2 % of global annual sales for “essential” entities, or €7 million or 1.4 % of global annual sales for “important” entities. Where non-compliance with NIS 2 also results in a personal data breach, fines will not be imposed under both the NIS 2 and GDPR (RGPD) regimes if the breach is the result of the same security incident. Furthermore, in the event of a security incident resulting from non-compliance, companies may be held liable for any operational or financial damage. Each Member State has until October 2024 at the latest to transpose the NIS2 Directive into its national rules. It is conceivable that some countries will accelerate the process, as the national versions of NIS2 are based on the existing national versions of NIS1.
Responsibility for top management
The NIS 2 Directive emphasizes the responsibility of senior management within organizations. Senior management must take an active role in managing cybersecurity and ensure that appropriate measures are in place to protect networks and information systems.
Raise awareness among teams and management
Cybersecurity awareness is crucial to ensuring compliance with the NIS2 Directive. Companies must invest in training their staff to recognize and prevent cyber threats. Management must also be made aware of the importance of cybersecurity and compliance with the Directive.
The NIS 2 Directive represents a major milestone in strengthening cybersecurity in Europe. Businesses and local authorities must take immediate action to comply with these rules, strengthen their resilience to cyberattacks and prevent security incidents. Complying with the Directive is essential to avoid significant financial penalties and protect your organization’s reputation and trust. There are many resources available to help businesses comply with the NIS2 Directive, such as the guides and recommendations published by ANSSI (Agence nationale de la sécurité des systèmes d’information) in France. It is also possible to enlist the help of specialized cybersecurity service providers to support your company in its efforts.
Altospam solutions help companies partially comply with the NIS2 directive by strengthening the security of their email (the first attack vector) and protecting their information systems from cyber threats. Altospam's Mailsafe offers advanced protection against threats including phishing attacks, ransomware and malware. The solution's anti-spam, anti-phishing, anti-ransomware and anti-malware filters block malicious emails before they reach users' inboxes. Altospam solutions can be an important part of a company's overall security strategy to meet NIS2 requirements. However, full compliance requires a holistic approach to information security and risk management.