As information security threats develop rapidly, legislation must also be updated to counter them. For this reason NIS2 was created. The new legislation, NIS2, will also apply to many companies that are not clearly involved with information security in their day-to-day operations. Neglecting the requirements can result in significant financial sanctions, so one should start preparing for the change right away.
What is NIS2?
NIS2 is the EU's new, expanded cybersecurity directive. It extends the existing EU-wide information security legislation and replaces the previous NIS1 directive from 2016. NIS stands for Network and Information Security.
The purpose of the new legislation is to modernize and expand the existing legislative framework and to keep pace with increasing digitalization and constantly evolving information security threats. NIS2 sets high-level information security requirements for member states and requires the protection of critical infrastructure, thus raising the level of information security throughout the EU. The extended scope covers all kinds of critical infrastructure, not only IT infrastructure.
NIS2 is currently being drafted by the Ministry of Transport and Communications.
The directive sets the following requirements for essential and important entities:
- Access management and authentication procedures
- Asset management and identification of operations critical to security
- Backup, recovery planning, crisis management, and other business continuity management, including, if necessary, the use of secure alternative communication systems
- Basic cyber hygiene practices to ensure the security of operations, communication security, hardware and software security, and information security
- Cybersecurity risk management model
- Cybersecurity risk management principles and assessment of the effectiveness of risk management measures
- Detection and handling of anomalies to restore and maintain security and operational reliability
- General quality and resilience of supply chain suppliers' products and services, cybersecurity risk management measures included in products and services, and cybersecurity practices of suppliers and service providers
- Incident notifications and reporting
- Management responsibility
- Measures to ensure the physical environment and facility security of communication networks and information systems and the availability of necessary resources
- Operational principles for the security of communication networks and information systems
- Personnel security and cybersecurity training
- Principles and procedures for the use of encryption methods and, if necessary, measures for the use of secure electronic communication
- Security in the procurement, development, and maintenance of communication networks and information systems, including procedures for handling and disclosing vulnerabilities
Sanctions
Failure to comply with NIS2 can lead to sanctions of up to 10 million euros or 2% of global turnover for essential entities, and up to 7 million euros or 1.4% of global turnover for important entities. The competent authority can inspect an essential entity's NIS2 compliance even if the entity is not suspected of failing to meet the NIS2 requirements.
Who is affected by the directive?
The organizations affected by the directive are categorized as either essential entities or important entities, depending on their size, industry and criticality. The table below gives a general idea of who is affected by the directive. Note that NIS2 may therefore also apply to very small organizations that operate in a highly critical industry under the interpretation of NIS2. It is therefore important to understand whether one's own organization meets the criteria of an essential or important entity and whether the organization is required to comply with NIS2.
Legend for the table
Large organization: at least 250 employees, annual turnover of €50 million, or balance sheet total of €43 million.
Medium-sized organization: 50-249 employees, annual turnover of €10 million, or balance sheet total of €10 million.
Small organization: fewer than 50 employees, annual turnover of less than €10 million, or balance sheet total of less than €10 million.
✅ = Essential entity
✔️ = Important entity
❌ = Not affected by NIS2
SECTORS OF HIGH CRITICALITY (the Large, Medium and Small columns refer to the organization's size)

| Sector | Subsector | Large | Medium | Small |
|---|---|---|---|---|
| Energy | Electricity, district heating and cooling, oil, gas, hydrogen, and operators of a recharging point that are responsible for the management and operation of a recharging point which provides a recharging service to end users | ✅ | ✔️ | ❌ |
| Transport | Air, rail, water and road traffic | ✅ | ✔️ | ❌ |
| Banking | Credit institutions | ✅ | ✔️ | ❌ |
| Financial market infrastructures | Operators of trading venues and central counterparties | ✅ | ✔️ | ❌ |
| Health | Healthcare providers, EU reference laboratories, entities carrying out research and development activities of medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations, entities manufacturing medical devices considered to be critical during a public health emergency | ✅ | ✔️ | ❌ |
| Drinking & waste water | | ✅ | ✔️ | ❌ |
| Digital infrastructure | Qualified trust service providers | ✅ | ✅ | ✅ |
| Digital infrastructure | Non-qualified trust service providers | ✅ | ✔️ | ✔️ |
| Digital infrastructure | DNS service providers, excluding operators of root name servers | ✅ | ✅ | ✅ |
| Digital infrastructure | TLD name registries | ✅ | ✅ | ✅ |
| Digital infrastructure | Providers of public electronic communications networks | ✅ | ✅ | ✔️ |
| Digital infrastructure | Providers of publicly available electronic communications services | ✅ | ✅ | ✔️ |
| Digital infrastructure | Internet exchange point providers | ✅ | ✔️ | ❌ |
| Digital infrastructure | Cloud computing service providers | ✅ | ✔️ | ❌ |
| Digital infrastructure | Data centre service providers | ✅ | ✔️ | ❌ |
| Digital infrastructure | Content delivery network providers | ✅ | ✔️ | ❌ |
| ICT service management (business-to-business) | Managed service providers, managed security service providers | ✅ | ✔️ | ❌ |
| Space | Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties | ✅ | ✔️ | ❌ |
| Public administration | Essential entities: entities defined in The Information Management | ✅ | ✅ | ✅ |
| Public administration | Important entities: wellbeing services counties and the city of Helsinki | ✔️ | ✔️ | ✔️ |

OTHER CRITICAL SECTORS (the Large, Medium and Small columns refer to the organization's size)

| Sector | Subsector | Large | Medium | Small |
|---|---|---|---|---|
| Postal and courier services | | ✔️ | ✔️ | ❌ |
| Waste management | | ✔️ | ✔️ | ❌ |
| Chemicals | Manufacture, production and distribution of chemicals | ✔️ | ✔️ | ❌ |
| Food businesses | Production, processing and distribution of food | ✔️ | ✔️ | ❌ |
| Manufacturing | Medical devices and in vitro diagnostic medical devices, computer, electronic and optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers and other transport equipment | ✔️ | ✔️ | ❌ |
| Digital providers | Providers of online marketplaces, online search engines and social networking services platforms | ✔️ | ✔️ | ❌ |
| Research | Research organizations | ✔️ | ✔️ | ❌ |
| Domain name registration services provided by operators | Operators of all sizes, but only for signing up to the operator list and regarding obligations related to domain name registration information | ✔️ | ✔️ | ❌ |
Business partners may also be responsible
It is important to note that the impact of the legislation also extends to partners. The directive therefore indirectly affects an organization that belongs to the supply chain of an essential or important entity, even if the organization itself is not classified as an important or essential entity. Entities should ensure that their business partners comply with NIS2, and correspondingly, organizations that do not fall within the scope should ensure that they meet the NIS2 requirements if they operate with an important or essential entity.
Wapice is a NIS2-ready entity and consultant
The NIS2 requirements are strongly based on the requirements of widely used information security standards, such as ISO/IEC 27001. ISO/IEC 27001 is a nationally accepted standard for information security management systems. Wapice has been an ISO/IEC 27001 certified company since 2007, and we have years of experience working with customers in various industries. Our quality requirements and the certificates we hold make Wapice a partner that is ready to operate even after NIS2 comes into force. We are ready to assist in matters related to NIS2 and to work with you to identify how NIS2 affects your organization. If your organization is an entity subject to NIS2, we can together ensure that the requirements of the directive are met by creating the necessary processes to fulfill them.