NIS2 – Enhancing cyber security in EU

Organizations should set up and maintain an information security management system that enables a systematic, proactive approach to risk management.

Organizations are required to establish appropriate capabilities to prevent and deter cyber attacks. To do this effectively, organizations must identify:

• their most significant vulnerabilities
• the cyber security measures necessary to minimize the risk of vulnerability exploitation
• how the organization will detect and respond to any incidents.

The directive explicitly requires that “essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.”

Organizations should plan how they will react to an attack. Relevant stakeholders need to be trained and plans made for tackling incidents impacting business continuity and recovering from disruption and potential downtime.

Organizations are required to evaluate and manage the risks posed by vulnerabilities within their supply chain. This requirement encourages organizations to cooperate with their suppliers and ensure that all parties understand the risks associated with being part of the supply chain, regardless of what is being supplied.

Vulnerabilities within organizations’ networks must be disclosed. Organizations need to be transparent around vulnerability management, provide the means for the public to report vulnerabilities, and ensure that the relevant departments can act on the information.

This transparency means other organizations can act on the information and ensure they are not exploited using known vulnerabilities.

NIS2 requires an initial report within 24 hours of an organization becoming aware of any ‘significant’ incident, a full incident report within 72 hours, and a final report not later than one month after the submission of the incident notification, including:

• a detailed description of the incident, including its severity and impact
• the type of threat or root cause that is likely to have triggered the incident
• applied and ongoing mitigation measures
• where applicable, the cross-border impact of the incident.

A ‘significant’ incident is any incident that has caused or is capable of causing severe operational disruption of the service or financial loss to the entity concerned, or one that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

NIS2 encourages close cooperation and sharing of EU-level data between Member States. This enables efficient and coordinated responses to cyber incidents on both a national and EU level. NIS2 also encourages the use of European and international standards and technical specifications relevant to the security of network and information systems by member states, thus harmonizing the ways good security practices are being built.