Since then though, the cybersecurity world has changed significantly – and so the NIS directive also needed an update. That’s why on 16 January 2023, a revised version of the NIS directive, NIS 2, came into force.
How is the new law different from the original one, and who will it affect? You’ll find everything you need to know about the new regulations in this article.
Why was the NIS directive needed?
Malware and worms have been around for almost as long as computers themselves – for example, the very first virus, “Brain,” appeared in 1986.
Before the internet was widely available though, cybercriminals had relatively few ways to infect and damage computers. That’s unfortunately no longer the case today.
In 2022, organizations all around the world detected 493.33 million ransomware attacks. According to another survey, four companies are hit by a ransomware attack every minute.
Unfortunately, critical sectors are also among cybercriminals’ favorite targets.
Between July 2021 and June 2022, cyber-attacks on IT, financial services, transportation, and communications infrastructure accounted for 40% of all attacks. A year earlier, it was 20%.
The reason they target essential services is simple. Their security is often lacking (making them easier to attack), and a single attack can affect thousands of people at once. That increases the chance that the criminals’ demands will be met quickly – a hospital or water plant can’t afford to stop operating, after all.
What is the Network and Information Security (NIS) directive?
To improve the security of the essential services sector, the European Union created and passed its first EU-wide cybersecurity directive in 2016, Network and Information Security (NIS). The main goal of the regulations was to establish common security practices for critical infrastructure organizations in the member countries and, in this way, lower the risk of cyber incidents disrupting services.
A few years later, however, the original directive began to show its flaws:
- Member states were interpreting and implementing the security requirements in their own way.
- Security practices in the directive were no longer enough to protect the data and infrastructure from attacks.
- Each country had its own incident reporting process, which made communication between different EU members difficult.
- Which industries were subject to the NIS law varied from country to country.
So to address all those problems and bring the directive up to date, in 2020 ENISA announced that it was working on a revised version of the directive, NIS 2.
The new law was officially published on December 27, 2022 and entered into force on January 16, 2023. EU member states now have 2 years (until October 18, 2024) to implement the new regulations.
How is NIS2 different from its predecessor?
The first major change in the new directive is that it no longer distinguishes between “operators of essential services” and “digital service providers.” Instead, the law uses the categories “essential entities” and “important entities,” based on the organization’s sector, importance, and size.
- Essential entities: energy, transport, banking, healthcare providers, drinking water, etc.
- Important entities: postal and courier services, waste management, manufacturing, research organizations, etc.
What’s important to note is that digital infrastructure providers and services are now also included in the NIS2’s scope. This means that cloud computing service providers, DNS services, social media networks, and search engines all fall under the law as well.
The number of industries that have to comply with the NIS2 regulation has grown as well. The earlier NIS directive applied to only 7 essential sectors, including energy, transport, and banking. NIS2 adds several new industries to the list, such as manufacturing, chemicals and waste management, bringing the total to 15 sectors.
The NIS2 directive is intended mainly for medium-sized or large organizations, meaning those that have:
- Over 250 employees and/or generate more than 50 million Euros a year (for essential entities)
- Over 50 employees and/or generate more than 10 million Euros a year (for important entities)
If a company is the sole provider of a critical service in a given region, however, the size threshold does not apply.
The NIS2 Directive also added guidelines on how organizations falling under the directive should report security incidents. Based on the new law, organizations now have to prepare:
- An “early warning” sent within 24 hours after the organization becomes aware of the incident
- An incident notification describing the issue’s impact on the organization (sent within 72 hours)
- A final report that will include the likely cause of the incident and the mitigation measures applied. The notice must be sent no later than one month after submitting the incident notification.
Enforcement and administrative fines
As the original directive had no enforcement regulations, the EU had very limited options regarding warning and punishing member states.
NIS2 is meant to solve this problem as well.
Authorities responsible for enforcing the directive will now be able to perform security checks, request information and documents, and even visit organizations for on-site inspections.
More importantly, the competent authorities can also impose financial penalties for non-compliance:
- For essential entities, the penalties can be up to €10 million or 2% of the worldwide annual turnover.
- For important entities, the fines can be up to €7 million or 1.4% of the worldwide annual turnover.
ENISA also created a list of security measures that both essential and important entities are required to implement. Some of the requirements on the list include:
- Strengthening supply chain protection measures
- Creating risk analysis and information systems security policies
- Having set processes for incident handling (prevention, detection, and response)
- Using cryptography and encryption to secure their data
- Implementing business continuity and crisis management measures
- Mandatory cybersecurity training
Organizations in the essential category will also be under proactive cybersecurity supervision from the authorities. In case of non-compliance, they will face higher fines as well.
How can SOC-as-a-Service (SOCaaS) help companies in becoming and staying NIS2-compliant?
As the full list of NIS2 compliance requirements is quite long, it might seem that making your organization fully compliant will take a long time. There is a way to make securing your business and meeting the requirements a bit easier though – by using a Security Operations Center (SOC) service.
What is SOC-as-a-Service?
SOC-as-a-Service (SOCaaS for short) is a cloud-based security solution that gives companies access to dozens of security and monitoring tools to detect and react to security threats in real time. These platforms can perform most of the tasks of an in-house security operations center and also allow businesses to work with external cybersecurity experts.
Since companies only need to pay a subscription fee to access the service, SOCaaS is often an ideal choice for businesses that want to boost their security but cannot afford an in-house cybersecurity team.
What does the SOCaaS platform include?
SOCaaS platforms come with several cutting-edge business security features that are available right out of the box. Some of the most common features you can find inside are:
- 24/7 threat detection and response
- Incident investigation and reporting
- Threat deception and sandboxing
- Compliance monitoring, etc.
That way, businesses do not need to implement multiple cybersecurity systems, but can instead consolidate all their relevant security data in one place.
But there’s one more benefit of using such a platform that is quite often overlooked – getting help from the SOCaaS provider’s external team of security experts. Unfortunately, as finding and hiring cybersecurity specialists can be quite difficult (and expensive), few companies can build their own cybersecurity teams.
By partnering with a SOCaaS provider, however, organizations can reach out to those specialists whenever they need them. For example, the company can rely on their skills and experience during an incident investigation or while creating new cybersecurity policies for its employees.
How can SOCaaS aid companies in meeting NIS2 compliance requirements?
A SOCaaS system can also be extremely helpful for companies working towards NIS2 compliance. With the platform’s features, organizations can quickly cover most of the security requirements without having to hire in-house experts or invest in several different on-premise solutions.
The platform also monitors the entire business infrastructure 24/7 and alerts the SOC experts whenever it detects anything suspicious, reducing response time. As a result, businesses can quickly notice any issues that could end in hefty fines and resolve them straight away.
Plus, with the automated incident logs, security audits and compliance reporting tools, creating the necessary reports for the NIS2 authorities can also become much smoother.
As the SOCaaS solution generates the reports automatically, businesses will be able to quickly provide authorities with the documents they require.
How can our CyberDefender aid your company in meeting the NIS2 requirements?
Companies that fall under the NIS2 directive now have two years (until October 2024) to implement the necessary security measures and prove that their networks are as safe as they can be. Implementing all those security measures in just two years might seem impossible if you had to do it all yourself.
With the CyberDefender platform and our team of cybersecurity experts, however, those requirements can be met in no time at all, as our solution takes only a few days to implement.
Then you can use all those features (and our cybersecurity experience) to give your essential services infrastructure fortress-level security.
And if you have additional security requirements (such as protecting your data from leaking out or managing your security configuration), then we’ll be happy to tailor the system to your needs as well.
Want to see just how much safer our CyberDefender tool can make your business? Then how about scheduling a quick call with our team or trying out our 14-day free trial version? After the implementation, you can leave the cybersecurity tasks in our hands – we know exactly how to keep your business safe and sound from cyber threats.
With how much the cybersecurity world has changed, the NIS directive had to be updated. And together with the regulations, the business cybersecurity measures must be enhanced as well. Just a firewall and antivirus program is simply no longer enough to protect an organization’s network from cyberattacks.
The good news is that SOCaaS platforms can make enhancing business security and meeting new requirements a lot easier. Leave the heavy lifting to us at Cyber360 – and we’ll prove to you that with us at your side, staying safe and compliant can be effortless.