The NIS2 Directive: do the new cybersecurity requirements apply to your organisation?
The NIS2 Directive, which entered into force on January 16, 2023, is the European Union’s response to increasingly sophisticated cyber threats and the overall changes in the digital world. It marks a pivotal step towards strengthening and harmonising cybersecurity standards across EU member states, aiming to enhance resilience and safeguard critical sectors against emerging digital risks.
This article explores the key objectives and sector-specific impacts of NIS2, highlighting its implications for your business.
What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems Directive 2) is a regulatory framework established by the European Union to enhance and standardise cybersecurity across member states.
Who does NIS2 apply to?
Building upon the original NIS Directive, NIS2 aims to improve the overall security and resilience of network and information systems critical to the functioning of society and the economy. This includes sectors such as:
Essential Services Providers:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health sector
- Drinking water supply and distribution
- Digital infrastructure
Digital Services Providers:
- Online marketplaces
- Online search engines
- Cloud computing services
Public Administration:
- Central government entities
- Regional and local government entities where their cybersecurity is crucial to national security
Non-EU Providers:
Although the Directive applies only to entities established within the EU, it also requires non-EU providers that offer services in the EU to establish a legal entity within the EU.
What are the key objectives of the NIS2 Directive?
Organisations across various sectors need to comply with the Directive by implementing the required cybersecurity measures and ensuring ongoing adherence to the established standards. Non-compliance can result in significant legal and financial consequences, making it crucial for organisations to invest in their cybersecurity infrastructure and practices. Here are some key objectives of NIS2:
Strengthened Cybersecurity Measures
NIS2 mandates more rigorous risk management practices, ensuring organisations implement robust cybersecurity measures and conduct regular risk assessments. One typical method of assessment is Threat and Risk Analysis (TARA), also known as Threat Modelling Analysis. This involves evaluating the criticality of the specific assets that make up a service or product and identifying which types of cyber threats could be critical in that context.
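The following is a minimal worked TARA register, added here as an illustration; it is not code from the article and does not reproduce any standard's method. The 1..4 impact and likelihood scales, the risk bands, and the sample healthcare-portal assets and threat scenarios are all constructed assumptions. It rates each asset for confidentiality, integrity and availability, scores each threat scenario as impact multiplied by likelihood, ranks the results, and flags assets for which no scenario has been considered.

```python
"""Minimal Threat and Risk Analysis (TARA) register (added example).

Each asset carries impact ratings for confidentiality, integrity and
availability on an assumed 1..4 scale; each threat scenario names the asset
it targets, the security property it undermines and a 1..4 likelihood.
Risk = impact x likelihood, banded into Low/Medium/High/Critical.
"""
from dataclasses import dataclass
from typing import Dict, List

IMPACT_SCALE = (1, 2, 3, 4)       # 1 = negligible .. 4 = severe (assumed scale)
LIKELIHOOD_SCALE = (1, 2, 3, 4)   # 1 = rare .. 4 = very likely (assumed scale)
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for value in (self.confidentiality, self.integrity, self.availability):
            if value not in IMPACT_SCALE:
                raise ValueError(f"impact rating out of range for {self.name}: {value}")

    def criticality(self) -> int:
        """Highest impact across the three security properties."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    asset: str
    scenario: str
    security_property: str   # one of PROPERTIES
    likelihood: int

    def __post_init__(self) -> None:
        if self.security_property not in PROPERTIES:
            raise ValueError(f"unknown security property: {self.security_property}")
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood out of range: {self.likelihood}")


def risk_level(score: int) -> str:
    """Band a 1..16 score; thresholds are an assumed convention."""
    if score >= 12:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def assess(assets: List[Asset], threats: List[Threat]) -> List[Dict[str, object]]:
    """Score every threat scenario and return the register, highest risk first."""
    by_name = {a.name: a for a in assets}
    register: List[Dict[str, object]] = []
    for threat in threats:
        if threat.asset not in by_name:
            # A scenario against an asset missing from the inventory is itself
            # a finding: the asset inventory is incomplete.
            raise ValueError(f"threat references unknown asset: {threat.asset}")
        impact = getattr(by_name[threat.asset], threat.security_property)
        score = impact * threat.likelihood
        register.append({
            "asset": threat.asset,
            "scenario": threat.scenario,
            "impact": impact,
            "likelihood": threat.likelihood,
            "score": score,
            "level": risk_level(score),
        })
    register.sort(key=lambda row: row["score"], reverse=True)
    return register


def uncovered_assets(assets: List[Asset], threats: List[Threat]) -> List[str]:
    """Assets for which no threat scenario was considered (a coverage gap)."""
    covered = {t.asset for t in threats}
    return [a.name for a in assets if a.name not in covered]


# Constructed sample: a hypothetical patient-portal service.
SAMPLE_ASSETS = [
    Asset("patient database", confidentiality=4, integrity=4, availability=3),
    Asset("web frontend", confidentiality=2, integrity=3, availability=3),
    Asset("backup storage", confidentiality=4, integrity=3, availability=2),
    Asset("audit log", confidentiality=2, integrity=4, availability=1),
]
SAMPLE_THREATS = [
    Threat("web frontend", "credential stuffing against patient accounts", "confidentiality", 4),
    Threat("patient database", "injection flaw exposes patient records", "confidentiality", 3),
    Threat("backup storage", "ransomware renders backups unusable", "availability", 3),
    Threat("patient database", "insider alters dosage records", "integrity", 1),
]


def sample_register() -> List[Dict[str, object]]:
    return assess(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for row in sample_register():
        print(f'{row["level"]:<8} {row["score"]:>2}  {row["asset"]}: {row["scenario"]}')
    print("assets without any threat scenario:", uncovered_assets(SAMPLE_ASSETS, SAMPLE_THREATS))
```

The ranked output tells a team where to spend mitigation effort first, and the coverage check catches the common failure of an analysis that silently skips an asset; both outputs are the kind of evidence an auditor asks for when checking that risk assessments are actually performed rather than merely required by policy.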
Enhanced Incident Reporting
NIS2 requires organisations to report significant cybersecurity incidents promptly to the relevant authorities and to inform affected individuals. It also enhances cooperation and information exchange by specifying what must be reported, including the types of incidents and threats.
Wider Scope
As already mentioned, the NIS2 Directive extends its reach to more sectors and entities, including healthcare, transport, energy, banking, digital infrastructure, and more, ensuring comprehensive coverage.
Improved Cooperation
It promotes better cooperation and information sharing among EU member states, fostering a coordinated response to cross-border cyber threats.
Since the release of NIS in 2016, the IT landscape has undergone significant changes with the emergence of new technologies and threats. Harmonising and updating regulations across all EU member states became necessary to adapt to these developments.
Increased Accountability
NIS2 raises penalties for violations and introduces personal accountability of cybersecurity leaders within an organisation. If the organisation fails to appoint a designated individual for this role, the responsibility falls on the company’s management. According to NIS2, if an organisation classified as critical is successfully attacked by cybercriminals, the company’s management will be held criminally liable. This is intended to enforce a more rigorous approach to cybersecurity.
What are NIS2 requirements?
In summary, the requirements of the new directive include:
Risk management
Adopting a risk-based approach to manage cybersecurity threats effectively.
Incident response
Developing and maintaining incident response plans to quickly address and mitigate the impact of cyber incidents.
Continuous monitoring
Regular monitoring and auditing of cybersecurity practices to ensure compliance and identify areas for improvement.
Training and awareness
Ensuring that staff are adequately trained in cybersecurity best practices and aware of the latest threats and vulnerabilities.
Technical and organisational measures
Implementing advanced technical measures such as encryption, access controls, and intrusion detection systems, along with organisational measures like policies and procedures to enhance cybersecurity.
The impact of NIS2 on software development
NIS2 primarily mandates strengthening protection against cyberattacks through both technical and organisational measures, emphasising a Security by Design approach. This means that security must be seamlessly integrated into the product rather than treated as an afterthought: it needs to be considered from the initial design phase onward. While this approach has been recognised previously, its consistent application across industries has been variable; often it has been viewed as a competitive edge rather than a standard. By embedding security considerations early in the design phase, organisations can address potential vulnerabilities and mitigate risks proactively.
Fundamental to software development under the NIS2 Directive is risk assessment and cybersecurity management throughout the lifecycle of the product or service post-development. NIS2 requires companies to monitor cybersecurity changes, new attack methods, and adapt their defences accordingly. This significantly impacts the design and development of the product or service.
Other considerations during development include identity management and data control, which are critical to ensuring compliance with data protection regulations and maintaining trust with stakeholders.
For companies seeking certification of their products, adherence to the NIS2 Directive becomes imperative. Certification requires demonstrating compliance with the cybersecurity standards and practices outlined in the Directive, to prove that an organisation is committed to protecting against cyber threats effectively.
The impact of NIS2 on the automotive industry
The automotive industry is one of the best-prepared industries in terms of meeting the requirements of the new Directive, as its products and services already had to comply with industry-specific cybersecurity regulations such as R155 and R156. The UNECE WP29 Group, which aims to harmonise vehicle regulations, recently issued Regulations R155/R156, requiring manufacturers of new vehicles to implement a Cybersecurity Management System from 2024. Additionally, concerning update management, R156 requires the implementation of a Software Update Management System (SUMS), with best practices described in ISO 24089. Automotive companies also have dedicated cybersecurity teams covering various areas within their structures.
The remaining issue to address regarding the NIS2 Directive is establishing an effective communication system for reporting data breaches. As vehicles increasingly collect and transmit data to the cloud, they face potential cybersecurity vulnerabilities. In the event of a data breach, responsible entities must promptly notify both relevant authorities in their member state and affected customers.
The impact of NIS2 on the healthcare industry
In the healthcare industry, cybersecurity has long been a standard practice. An additional aspect introduced by NIS2, similar to the automotive industry, is a stricter requirement for incident reporting. The Directive emphasises improved incident response, increased accountability at the board level, and regular monitoring and auditing. Additionally, NIS2 expands the scope to encompass more healthcare entities, including hospitals, clinics, pharmaceutical companies, and medical device manufacturers.
The impact of NIS2 on Industry 4.0 companies
So far, cybersecurity has been primarily a competitive advantage for Industry 4.0 sector companies. Now, it has become a necessity to sell products in the European market. Customers demand transparency from manufacturers regarding the cybersecurity solutions implemented in their products or services. While adapting to NIS2 poses challenges in governance and technical adjustments, it also presents opportunities to enhance market credibility and resilience against cyber threats.
In summary, the automotive, healthcare, and Industry 4.0 sectors are already well-prepared in terms of cybersecurity during the development phase. However, the challenge they still face under the new Directive is establishing cybersecurity responsibilities, developing an incident reporting and response system, and implementing monitoring and auditing solutions.
How can our services help your company meet the requirements of the NIS2 Directive?
We are a one-stop shop for cybersecurity services – from embedded software solutions to data security (ISO 27000 and TISAX). Our software developers and architects are well-versed in cybersecurity requirements. We have a team of pentesters who can assess the resilience of your organisation, product, or service against cyberattacks. Our experts have extensive experience in analysing processes within companies to identify areas that need improvement in terms of cybersecurity, including threat monitoring, risk analysis, product and service development, and vulnerability testing. We also assist our clients in defining and implementing these processes in accordance with industry best practices, help companies successfully deploy these solutions, and support firms going through third-party audits or certification processes.
Contact us via the form below to ensure your cybersecurity measures are compliant with the NIS2 Directive.