Introduction

The purpose of this page is to give an overview of the Network and Information Security 2 (NIS 2) Directive, Directive (EU) 2022/2555, and to explore.

NIS 2 was developed to strengthen cybersecurity, streamline incident reporting and unify rules across the EU.

The first part of the directive consists of 143 numbered recitals giving general information on how the directive applies and which organisations are included. The intention here is to analyse to what degree an implementation of NIS 2 provides the required cybersecurity.

The second part is the actual directive, consisting of nine chapters and 46 articles, which Member States must transpose into national law.

Finally, there is a table (the annexes) listing the critical sectors covered.

Definitions

NIS 2 uses the following definitions:

  • Computer Security Incident Response Team (CSIRT): teams responsible for responding to cybersecurity incidents and risks at the national level. The term CSIRT is mentioned 158 times in the directive as a whole and 104 times in the articles.
  • Essential and important entities: the two categories NIS 2 uses to determine the level of obligations placed on an entity. 'Essential' entities provide critical services, while 'important' entities, though significant, have a lesser impact on social or economic well-being. Member States shall establish a list of essential and important entities.
  • European Cyber Crisis Liaison Organisation Network (EU-CyCLONe): a component of the NIS 2 framework, established to enhance the EU's capacity to manage large-scale, cross-border cybersecurity incidents and crises.

Scope and purpose

  • Expanded scope: NIS 2 covers more sectors and requires wider compliance with enhanced cybersecurity requirements.
  • Mandatory incident reporting: requires timely, detailed reporting of significant cybersecurity incidents.
  • Rigorous risk management: entities must implement strong risk management measures to protect their network and information systems.
  • Supply chain security: focus on securing the supply chain to mitigate the associated cyber risks.
  • Heavier penalties for non-compliance: non-compliance with NIS 2 can result in significant financial and other consequences (administrative fines of up to EUR 10 million or 2 % of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4 % for important entities, whichever is higher).

Various levels of rules:

  • EU directive: a legislative act that sets out goals that all EU countries must achieve, but does not dictate the means of achieving them; each Member State transposes it into its own law (NIS 2 is a directive).
  • National law: specific legal rules created and enforced by individual countries, including the national transpositions of EU directives.
  • Regulation: legally binding and directly applicable in its entirety across all EU Member States, without the need for individual countries to pass any legislation (e.g., GDPR, the NCCS network code on cybersecurity).
  • Standard: a set of guidelines or best practices that can be followed for a particular process, product, service or industry (e.g., IEC 62443). Standards are voluntary unless a law or contract makes them binding.

What is NIS 2:

  • NIS 2: an enhanced EU cybersecurity directive, replacing the original NIS Directive of 2016.
  • Aims: strengthen cybersecurity, streamline reporting, and unify rules and penalties across the EU.
  • The directive sets the specifics, but national transpositions may vary; flexibility is limited.
  • Target OT sectors: energy, transport, healthcare, water, based installations, mid-size and large manufacturing.

Article 10 – Computer security incident response teams (CSIRTs)

A computer security incident response team, or CSIRT, is a group of IT and security professionals that provides an organisation, or a country, with services and support for the assessment, management and prevention of cybersecurity-related emergencies, as well as coordination of incident response efforts.

Article 10 requires each Member State to designate or establish one or more CSIRTs and sets out the basic requirements they must meet; the detailed requirements and tasks follow in Article 11.

More information may be found on the home page of the global Forum of Incident Response and Security Teams (FIRST).

Recommendation ITU-T X.1060 (2021) is a framework for the creation and operation of a cyber defence centre.

The National Institute of Standards and Technology (NIST) has issued a Computer Security Incident Handling Guide (SP 800-61).

Article 20 – Governance

Article 20 requires Member States to ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities to comply with Article 21, oversee the implementation of those measures, and can be held liable for infringements of that Article.

Furthermore, the members of the management bodies are required to follow training, and entities are encouraged to offer similar training to their employees on a regular basis. The aim is that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.

Article 21 – Cybersecurity risk management measures

Article 21 requires Member States to ensure that essential and important entities take
appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. Proportionality is judged on the entity's exposure to risk, its size, and the likelihood and severity of possible incidents, including their economic and societal impact. Entities should take an all-hazards approach so that they are prepared for the full spectrum of incidents and emergencies and are able to protect both their network and information systems and the physical environment of those systems. The measures shall include at least the following:

Paragraph 1

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed.

Paragraph 2

A – Policies on risk analysis and information system security

ISO/IEC 27002:2022 combined with the CIS Controls (18 controls).

B – Incident handling

Dedikos policies and incident-specific incident response plans (IRPs), plus for example Sophos MDR
(24-hour and 72-hour reporting requirements plus a final report after one month; remember the relevant sensors, e.g. NDR).

C – Business continuity

Such as backup management, disaster recovery and crisis management.

D – Supply chain security

Including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
Dedikos third-party risk management model; SecurityScorecard (securityscorecard.io).

E – Security in network and information systems acquisition, development and maintenance

Including vulnerability handling and disclosure.
ISO/IEC 27002:2022 controls 5.20, 5.24, 5.37, 8.8, 8.20 and 8.21.

F – Policies and procedures to assess the effectiveness of cybersecurity risk management measures

G – Basic cyber hygiene practices and cybersecurity training

ACSC Essential Eight; CIS Controls Implementation Groups 1 and 2 (IG1/IG2): asset inventory, vulnerability management and configuration management.

H – Policies and procedures regarding the use of cryptography and, where appropriate, encryption

I – Human resources security, access control policies and asset management

J – Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate

Article 23 Reporting obligations

  • Early warning: within 24 hours of becoming aware of a significant incident.
  • Incident notification: within 72 hours of becoming aware.
  • Final report: within one month of the incident notification.
  • Engage with national and EU bodies.
  • National bodies, i.e. CSIRTs and competent authorities, receive the reports and oversee application of the directive.
  • Information on large-scale incidents is shared onwards with EU bodies such as EU-CyCLONe.

Article 23 requires Member States to ensure that entities notify their CSIRT or, where applicable, the competent authority of any incident that has a significant impact on the provision of their services (a 'significant incident').

Where appropriate, entities must also communicate without undue delay to the recipients of their services that are potentially affected by a significant cyber threat any measures or remedies those recipients can take in response to the threat. Where appropriate, the entities shall also inform those recipients of the significant cyber threat itself.

An incident is considered significant when:

  1. It has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  2. It has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

The entities are required to submit to the CSIRT or, where applicable, the competent authority:

  1. Within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  2. Within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (1) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;
  3. Upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates;
  4. A final report not later than one month after the submission of the incident notification under point (2). Note that the one-month clock runs from the incident notification, not from the time the entity became aware of the incident.

Article 24 – Use of European cybersecurity certification schemes

To demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use specific ICT products, services and processes that are certified under European cybersecurity certification schemes (adopted under the Cybersecurity Act, Regulation (EU) 2019/881). Furthermore, Member States shall encourage essential and important entities to use qualified trust services.

Article 24 – key points

  • Certification for compliance: Member States may mandate certified ICT products, services and processes for essential and important entities.
  • Qualified trust services encouraged: Member States shall encourage the use of qualified trust services.
  • Commission's power to specify: the Commission may, by delegated act, define which categories of entities must use particular certified ICT products, services and processes.
  • Provision for new certification schemes: where no appropriate European scheme exists, the Commission may request ENISA to prepare a candidate scheme.

Example of Article 21 in practice for energy: the network code on cybersecurity (NCCS)

  • Network code on cybersecurity:
    • A unified EU regulation for cross-border electricity flows.
    • Covers cyber risk assessment, minimum requirements, product certification, monitoring, reporting and crisis management.
    • Consequences addressed: loss of power, capacity reduction, compromised frequency reserve, loss of black-start capacity.
  • NCCS approach: impact perimeters:
    • Differentiation between high-impact and critical-impact perimeters using the electricity cybersecurity impact index (ECII).
    • Categorisation based on business outcome and safety implications.
  • Cybersecurity controls:
    • Both perimeters need the minimum controls.
    • Advanced controls for the critical-impact perimeter: IT/OT isolation or micro-segmentation around assets, e.g., gas turbines.
    • Likely use of IEC 62443.
    • Use of advanced solutions such as unidirectional gateways (data diodes).

Takeaways

  • NIS 2 evolution: expands scope to include new OT sectors such as manufacturing, with enhanced accountability and reporting requirements.
  • Risk-based measures (Article 21): requires risk-based security measures, especially for critical infrastructure, leading to stricter standards and an implicit focus on the zones where consequences are greatest.
  • Prompt reporting (Article 23): mandates quick reporting of significant incidents to improve transparency.
  • Accountability and compliance: introduces fines and direct accountability for businesses and their top management, which pushes towards more than minimum compliance.
  • Beyond the lines: advocate clear OT and IT segregation, aligned with the NCCS and CLC/TS 50701 (railway cybersecurity), underscoring that OT security needs to be the focus because of the potential severe impact on human lives and critical services.

Introducing the IEC 62443 series

As we prepare for the implementation of the NIS 2 Directive, it is understandable that many
organisations are uncertain about how to ensure compliance with the upcoming national rules, since a lot remains unclear at this point. However, there is good news for those already reacting to NIS 2: internationally accepted industry standards already exist that can help organisations prepare by ensuring compliant and effective controls. Member
States and the operating entities within them would do well to take advantage of best-in-class industry standards such as the IEC 62443 series for OT environments.

By adopting IEC 62443, organisations can proactively identify and address vulnerabilities in their OT systems, and ensure that their employees are trained and equipped to maintain a secure environment. So, although the detailed national requirements under NIS 2 are still forthcoming, organisations can act now to improve their cybersecurity posture by adopting IEC 62443.