The challenges of NIS-2
3 min read
With political agreement reached on NIS-2, affected organizations are expected to be compliant by the end of 2024. This well-attended webinar, the first in a new cycle of NIS focus group events, provides a comprehensive overview of the new challenges that follow from the directive's broader scope and its applicability to many more organizations.
The directive on ‘measures for a high common level of cybersecurity across the Union’, commonly known as NIS-2, addresses new insights, identified shortcomings and disparities in how the first NIS directive was implemented across Europe. In his presentation ‘Revolution or solid ground for security’, Pieter Byttebier (CCB) provides an extensive overview of what is known today about NIS-2, including a refresher on NIS 1.
NIS-2 was needed because of ‘insufficient harmonization; vital sectors still out of scope; insufficient exchange between member states and weak enforcement.’ Clearly, there was still an ‘inadequate level of resilience’ and a ‘lack of crisis preparedness’, undermining the NIS purpose of societal continuity.
The NIS-2 proposal expands the scope to include additional sectors (e.g., public administration entities at national, regional and optionally local level; the food sector, covering production, processing and distribution; waste management; and more), and differentiates between ‘essential’ and ‘important’ entities. In Belgium, it would affect an estimated 2,600 entities (ca. 1,600 ‘important’, ca. 800 ‘essential’ and, in Belgium, fewer than 150 ‘vital’ entities, i.e. essential entities with higher risks). Given the numbers involved, entities will have to register themselves (rather than being identified individually by the authorities), based on criteria such as size (number of employees and turnover) or upon specific request from the authorities. Annex 1 lists the sectors and entities covered by NIS-2.
Furthermore, the rules on incident notification (e.g., deadlines) are clearer, as are those on information exchange and cooperation. The risk-based approach (e.g., risk assessments) charges business management at boardroom level with deciding on security measures (which necessitates cybersecurity training for business risk owners) and obliges them to follow up on implementation, with a risk of personal liability if this is neglected. NIS-2 also sets a floor for the maximum fines member states must provide for (up to at least 10 million euro or 2% of annual worldwide turnover).
The transposition of NIS-2 into Belgian law will require serious effort in the run-up to the compliance deadline. As the CCB is the authority responsible for the follow-up and coordination of the NIS law, Pieter Byttebier presents a ‘to do’ list for the coming years, covering requirements, thresholds, criteria and supervision in practice, while reusing the NIS-1 compliance efforts already made. The extent and diverse nature of this ‘to do’ list necessitates a strong collaborative effort from all parties involved, based on “a dialogue in the coming period.” So Byttebier invites everybody to “please provide us with your input!”
The auditor’s perspective
The usefulness of broad-spectrum input was immediately demonstrated by the presentation of Koenraad Béroudiaux (auditor and ISO 27000 expert), mapping the ISO 27000 series onto NIS/NIS-2. Indeed, the 2022 revision of ISO/IEC 27001 explicitly positions the standard as covering information security, cybersecurity and privacy protection, and it is applicable to all organizations. Ultimately, both the ISO 27000 series and NIS seek to ensure the continuity of society, requiring all parties to consider their relationships with the other parties with whom they share cyberspace.
In practice, it is a challenge for an auditor to verify how well an implementation covers the objectives of a directive such as NIS. For example, it is up to the business people, as risk owners, to approve the information security risk treatment plan and to accept the residual risks; an auditor can check that this happened, not whether the risk appetite was sound. Add to this the shortage of qualified auditors, given the number of auditor-days each audit requires. Check his presentation for his specific challenges, including his list of ‘ISO 27001 and Nis/NIS2: possible major nonconformities for ISO27001 certification.’ This is interesting given the role played by ISO 27001 certification in presumed NIS compliance.
Clearly, NIS-2 is far from a simple matter, tasked as it is with protecting society’s critical infrastructure. Benjamin Boegel’s (European Commission) presentation ‘The NIS Directive revision (NIS 2) State of play’ is therefore of interest, as it provides a clear-cut overview of the why and how of NIS-2 and of the current state of the directive.
Though the compliance deadline is still a couple of years away, and the last i’s still have to be dotted and t’s crossed, implementation efforts should start without delay. Also because, as Pieter Byttebier soundly advises, “you don’t need to wait until NIS-2 to make positive changes in your life.”