What does the EU’s NIS 2 cyber directive cover?
We run the rule over the European Union’s updated NIS2 security directive
For some, Friday 13 May 2022 would not be an auspicious date to make a significant announcement on the future of cyber security, but the European Union (EU) did just that. It announced a political agreement between the European Parliament and the member states on updating what had been the first example of EU-wide cyber security legislation – the 2016 NIS Directive.
So a review that started in December 2020 has reached an important milestone in its journey. But how might the improved set of cyber security laws and regulations, called NIS2, change cyber security in the EU?
Delivering cyber resilience on a systemic level requires real leadership along with individual and collective action. The EU has a significant role to play in creating the right incentives, governance and transparency for cyber resilience, not only for what is the world’s largest single market, but also globally.
The original 2016 NIS directive, while contributing to improving cyber security, left too many gaps and discretion to individual member states. Ambiguity, lack of accountability and, ultimately, fragmentation were the result.
Gaps in approaches lead to friction, act as a barrier to trade, and eventually lead to more risk to businesses and individuals. This is why NIS2 is so important to the cyber security community. There were four major gaps that this new directive will seek to close.
1. Scale
First, it significantly expands the scope of application, which is of major importance. Growing interconnectedness, rapid digitisation and ubiquitous connectivity mean more enterprises are becoming systemically important to defend from cyber risk.
Redefining the original scope to cover “essential services” more clearly – including transport, banking and public administration, and entities operating in these services such as food production, postal services and waste management – means cyber resilience measures will need to be taken at a much larger scale across the continent.
2. Governance
Enhancing security governance and making senior managers in a business accountable for cyber resilience is also a major step. Accountability drives behaviour.
Outlining that senior management needs to know security standards and oversee processes aligned to risk management practices, and sufficient to manage that risk, will drive change from top to bottom in an organisation. Cyber has to be a board-level and senior management issue, not delegated to technical teams.
Accountability will empower chief information security officers (CISOs), though it also comes with expectations that they can communicate effectively with senior management and be technical and business leaders.
3. Fines and sanctions
Governance is especially important when combined with increased fines and broadening of sanctions.
NIS2 mandates a more comprehensive set of powers to be conferred on competent authorities. They will be able to impose penalties at least equal to a fixed amount or 2% of worldwide turnover for essential entities. This is a significant incentive for businesses to make sure they are meeting their obligations.
Regulatory fines at this scale in other jurisdictions, notably in the US and UK, have driven greater resilience – for example, penalties levied on Uber, Equifax and British Airways.
These new potential penalties will be a major lever for resilience in the EU and beyond.
4. Incident response obligations
Finally, gaps have been closed and revisions made on incident response obligations.
For example, what constitutes a “significant impact” on an entity has been clarified. It will no longer be a defined metric (number of impacted users) but rather whether there was disruption to critical services, or financial or material loss. Also, the notification period has been reduced from 72 to 24 hours, and reporting will be to users of services and potentially the public.
Taken together, these revisions to reporting obligations will incentivise greater responsibility to be cyber resilient and provide greater transparency to all parties affected by a potential breach. Disclosure drives responsibility.
As outlined in NIS2, governance at this level can be a good thing for business and the economy. While many will look at these increasing responsibilities as a potential cost to business, building a more resilient digital ecosystem is a strategic necessity.
Where the General Data Protection Regulation (GDPR) drove up data standards in the European Union, it also became a model to follow globally. NIS2 has the potential to raise the bar and close the gaps not only in current European Union cyber security legislation, but beyond the borders of the 27 member states that will have to implement it.
Will Dixon is global head of the Academy at ISTARI. Previously, Will led the Global Centre for Cybersecurity at the World Economic Forum, advised the EU Agency for Cybersecurity (ENISA), and was global head of intelligence in the Chief Security Office at Barclays Bank.