NIS2: What it Means for Your Company

No, it is not a sequel to a horror movie. It is an EU directive (Directive (EU) 2022/2555) intended to raise the security standards for essential and important entities. You can find the full text here (thank you, EU!). The directive is quite thick and not every part of it applies to everyone. Here I will try to provide an overview of what it means for private companies. Disclaimer: I am just some guy doing this in one company. I am not a legal expert in your country or sector, so this will be high level.

Who is essential? Who is important? Article 2 (Scope) lays it out, together with Annex I (sectors of high criticality) and Annex II (other critical sectors). Essentially, if you are in utilities, transport, research, finance or food (among others) and are of a certain size (roughly medium-sized or larger, with some exceptions), this applies to your company. I am not interested in this beyond knowing that it applies to the business I serve. I suggest you verify for yourself whether your business is in scope.

If you want to know what your business needs to do to comply with NIS2, I suggest you skip to Chapter IV. Articles 20, 21 and 23 are the ones that put obligations on companies.

Article 20 charges the management bodies with approving and overseeing the cybersecurity risk-management measures, and with undergoing training on cybersecurity risk management themselves. This is good news for you as a cybersecurity professional: hopefully, when you identify some risks, management will be able to comprehend what you are saying. Of particular interest to top management is that they can be held liable if the company fails to comply.

Article 21 is the broadest one, with sub-clauses (a) through (j) in its second paragraph. It is called risk management, but what it amounts to is a cybersecurity program. The EU did not invent cybersecurity; what it outlines in Article 21 is essentially industry best practice. If your company is ISO 27001 certified, most of the ground is already covered, although you will still need to map each measure to your existing controls and be able to show evidence for it. Ditto for NIST and CIS. These are things like risk analysis, incident handling, business continuity and backups, supply chain security, vulnerability handling, cybersecurity awareness and training, cryptography, access control and asset management, and multi-factor authentication.

Article 23 sets out the reporting obligations: who you notify, when you notify, and that sort of thing. Long story short, you notify the CSIRT or, where applicable, the competent authority in your country for your sector. The exact text is more specific, but you are supposed to send an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours, and a final report no later than one month after that notification. They can also ask for intermediate status updates, and an ongoing incident calls for a progress report, but you can read about those in the legislation.

Is that all? Unfortunately not. The directive needs to be transposed into national law by each Member State (the deadline was 17 October 2024). While the directive lays out the bare minimum, countries are free to go beyond what is outlined in Directive (EU) 2022/2555, and the competent authorities can build upon it. For example, I know that certain countries have combined NIS2 and the CER (Critical Entities Resilience) directive into one piece of local legislation, while others have put more stringent requirements on OT environments. So if you are operating in multiple EU countries, you suddenly need to comply with different requirements in each of them.

At this stage, many countries are still working on their own implementations, which makes carrying out compliance projects difficult. Many consultancies have been selling NIS2 compliance with the expectation that the local legislation would not go far beyond their bread-and-butter ISO certifications. We already know this will not cut it in some countries (e.g. Germany).

Still, if your company does not have a security program, it would not hurt to start implementing one now, in preparation for stricter requirements.
