The EU, with its new NIS 2 cyber security directive, is aiming to bring greater resilience to the entire infrastructure. To date, many industries have been largely unaffected by such concepts, but now it’s time to take things seriously. Companies failing to follow suit will be facing heavy fines. In this article, we take a closer look at NIS 2 and explain why the new EU directive is also applicable to Swiss companies.
In May 2022, after lengthy negotiations, the EU Member States and the EU Parliament agreed on the NIS 2 Directive (Directive on Measures for a High Common Level of Cybersecurity across the Union). The scope of the directive will be significantly broadened compared to the 2016 NIS Directive. In future, companies employing over 50 people, with an annual turnover or balance sheet of over 10 million euros and that belong to a critical or important sector, will be included. The list of sectors that are impacted will also be significantly extended. Additionally, there will be new obligations regarding risk management and reporting, as well as significantly higher fines, which are currently about half the level of the fines under the GDPR. The member states have around 18 to 24 months to incorporate the directive's latest elements into national law. This means that the new comprehensive cyber security regulations are expected to apply to EU companies from autumn 2024 onwards.
Cyber security in the EU and NIS 1
In 2016, the European Commission put forward a new cyber security package based on a revised version of the 2013 cyber security strategy. The core measure of the European cyber security strategy is the “NIS Directive” (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of network and information systems across the European Union). Its aim is to achieve a higher level of security for network and information systems in the EU, and it is the first comprehensive EU-wide legislation in the field of cyber security. In addition to obligations for national authorities and the establishment of computer emergency response teams, operators of essential services and digital service providers on the corporate side are required to roll out IT security measures and report serious incidents. However, NIS 1 was too vague, and oversight of its implementation was neglected. The directive also contained no specific requirements regarding the disclosure of cyber risks.
NIS 2 – What are the actual differences?
In the wake of rapid developments in the cyber security sector, it soon became apparent that NIS 1 had weaknesses and that the regulations needed to be adapted to reflect current risks. Industry-wide networking in particular can multiply the potential vulnerabilities of a smart manufacturing plant; cyber-attacks against the manufacturing industry are now among the most prevalent attacks, and the trend is clearly on the rise. This is why, in December 2020, the European Commission published a proposal to repeal the current NIS Directive and replace it with the NIS 2 Directive, and in mid-May 2022 negotiations on the new directive were concluded between the Commission, the Council and the Parliament. The aim was to establish an EU-wide standard for cyber security that industry would also be obliged to implement, so that the entire infrastructure becomes more resilient.
NIS 2 is significantly more comprehensive than NIS 1. In particular, companies and organisations need an improved approach to risk management. Supply chains and the dependence on partner companies (which can also affect you as a Swiss company) also need to be taken into account. The new directive covers significantly more companies, envisages more obligations and provides for stricter sanctions, so that cyber security is enhanced across the EU. The existing eight sectors of NIS 1 will be extended to the following 16 sectors:
- Existing: Energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure
- New: Sewage, B2B ICT service management, public administration, space, key utilities such as postal and courier services, waste management, chemicals, food, manufacturing
- New, optional: Digital service providers and research organisations
Small companies, i.e. businesses employing fewer than 50 people with either an annual turnover of no more than 10 million euros or an annual balance sheet total not exceeding 10 million euros, are exempt. But watch out: some companies fall within the scope regardless of their size, for example if the company is the sole provider in a Member State of a service that is essential for maintaining critical societal or economic activities. This means that companies will no longer be given the choice; they have to meet a minimum security standard. The same applies in Switzerland on the basis of the ICT minimum standard for operators of critical infrastructures. For SMEs in particular, the costs involved are considerable, because the NIS 2 requirements for them are almost the same as those for large companies.
The five most important elements of NIS 2
- Companies will be required to adopt an approach to risk management that includes a list of minimum basic security elements.
- Clear provisions on the procedure for reporting incidents, the content of reports and deadlines must be complied with.
- Strict supervisory measures for national authorities and enforcement requirements apply.
- Fines will be imposed for failing to comply with the required security measures.
- Selected companies will be required to tackle cyber security risks in supply chains.
As with the GDPR, NIS 2 also requires significant security incidents to be reported to the authorities: an early warning within 24 hours and an assessment within 72 hours. Failure to comply may result in penalties of up to 10 million euros or 2 per cent of the group’s total annual turnover for key (essential) organisations, and up to 7 million euros or 1.4 per cent of the group’s total annual turnover for important organisations. This is one of industry’s biggest criticisms, along with the fact that in future CEOs or boards of directors will be held accountable for any failure to implement the requirements, while public bodies will be exempt from penalties.
NIS 2 necessitates concrete measures for cyber security
The EU’s NIS 2 directive sets minimum cyber security requirements for operators. National legislation must then make these measures obligatory, and compliance will be monitored by national authorities. Operators in the EU must implement at least the following cyber security measures to protect the IT and networks of their critical services (Art. 17 & Art. 18):
- Policies: Risk and information security guidelines
- Incident Management: Prevention, detection and management of security incidents
- Continuity: Business continuity management and crisis management
- Supply Chain: Supply chain security through to secure development at suppliers
- Test and Audit: Methods for measuring the effectiveness of information security
- Cryptography: The appropriate use of encryption
These cyber security measures will be based on international and European standards, for which the EU Commission may go on to issue more specific regulations. Member states can also require operators to use EU cyber security certifications (Art. 21 & Art. 22).
What needs to be done?
The new regulations centre on two areas: active risk management and extending the obligations to many more companies, in order to improve cyber security across the EU. These two areas are not only relevant to companies in the EU; they are now the cornerstones of any cyber security strategy, as we already demonstrated in an earlier blog article. Companies should be actively preparing now and implementing the corresponding measures within their business. However, cyber security is not purely an IT issue; it also affects OT (Operational Technology). Aspects of systems planning and automation expertise must also be taken into account in order to implement measures like these. A company’s IT department often does not have this knowledge and therefore should not bear the additional responsibility for OT security. IT and OT are closely linked, but each needs to maintain its own outlook and keep a critical view of the other area. If this engineering and automation knowledge is lacking within a company, an external partner definitely needs to be brought in. We therefore recommend that you contact a security expert in plenty of time.
Do you need assistance? We offer a broad portfolio of risk management and compliance services to provide you with professional support for the challenges posed by NIS 2. Get in touch with us – our cyber security experts will be pleased to help you.