NIS 2 The Empire Strikes Back

May 16, 2022

Filip Verloy Technical Evangelist EMEA

Post Featured Image

When it comes to movie sequels, the second one is usually worse than the original. The original movie might’ve taken decades to cultivate in the writer’s mind. While the sequel, looking to capitalize on the success of the first film, has far less time available. Luckily, many exceptions to this rule exist, think: The Godfather: Part II (1974), Terminator 2: Judgment Day (1991), and Star Wars: Episode V - The Empire Strikes Back (1980), for example.

With that in mind, the newly revised Network and Information Security (NIS) directive also has a chance to become an exception to the rule. The first iteration was established in 2016, but unfortunately was not widely adopted. However, given the rising number of cyber attacks since the first attempt, we hope adoption will be higher this time around. 

Now dubbed “NIS2”, the legislation seeks to embed the importance of ICT into the minds of governments and large organizations. It aims to increase collaboration, facilitate information exchange and notification of breaches, as well as implement cybersecurity best practices. Fines can also be levied for failure to comply with risk management recommendations. Ultimately these tactics are planned to strengthen cybersecurity efforts for both the private and public sectors in the European Union. 

So what is different this time around?

For v2, the European Commission has created a set of simplified criteria that determine who NIS2 will apply to. It is no longer left to individual countries to decide for themselves. Broadly speaking, there are only 2 criteria remaining:

  1. If you provide Essential Services, you are classified as an Essential Entity (more stringent rules).
    • Examples: Digital infrastructure (IXPs, DNS Services,...), Cloud Computing Services, Data Centers, CDNs, network providers,...
  2. If you provide Important Services, you are classified as an Important Entity (less stringent rules).
    • Examples: Online marketplaces, online search services, social media services,...

Now this also applies even if you are not in the EU. The criteria states if you are essential to the EU, which means you could be located anywhere. There is however an exemption for small and medium enterprises (and hobbyists). If you employ fewer than 50 people and your annual turnover does not exceed 10 million EURO, you do not fall in those categories. That is unless you are the sole provider of a specific service within a country, or if you provide a "key role" for society. 

That said, the directive will also not apply to organizations in verticals such as defense, national security, public security, law enforcement, judiciary, parliaments, and central banks.

What does this mean for those organizations NIS applies to?

You must report any cyber issues immediately to your national authority. If you are not in the EU, you must disclose this issue to the EU country you are most relevant to. You must also comply with the directive in terms of implementing sufficient security measures:

  • Risk analysis and security policies
  • Incident handling
  • Business continuity and crisis management plan
  • List known dependencies on your service providers, and have a backup plan in place if those are not available (i.e. what do you do if your own cloud provider has a service interruption?)
  • Plan for vulnerability handling and disclosure
  • Testing and audit of the effectiveness of these cybersecurity measures 
  • Use cryptography and encryption 

If you do not comply with these measures, the EU can order you to comply (i.e. fix it). And if you don’t follow the order, they can leverage fines and start criminal procedures. They are giving themselves permission to perform on-site inspections if needed in order to ensure measures are being met. They can even remove certain directors from your organization's management team or order you to stop business operations altogether.

Empowering the CISO!

Just like we already have regulation for electricity, general communication infrastructure, health care and others, we should also regulate computing and networking. We are just as critically dependent on it as the others. Of course, no one wants to be overly regulated and forced to certify. Think about the amount of work caused by the likes of Sarbanes-Oxley, ISO 9001, ISO 27001, etc. 

But learning from past experience, it helps tremendously to use those regulations as a forcing function to finally have security taken seriously at an organizational level. The CISO will find a willing ear now to implement many controls he/she always wanted to enforce. We are not yet in the implementation phase, however, so it remains to be seen how all this will work in practice. You could certainly argue that the track record has not been stellar so far. 

The key will be to ensure that the agreed upon definitions, implementations, and general principles make sense in the real world. In any case, improving one's security posture is an excellent and important goal that we at Noname Security can only applaud.