NIS 1 and NIS 2 - What You need to know

Understanding NIS 1 and NIS 2: A Comprehensive Guide

Cybersecurity has become a priority for governments and organizations alike. The Network and Information Systems (NIS) Directive was an important step taken by the European Union (EU) to improve cybersecurity in its member states. With the introduction of NIS 2, the Directive has been updated to address new challenges in the digital landscape. 

This blog looks at the development, requirements and applicability of NIS 1 and NIS 2 and how organizations can comply with the regulations. It also looks at how ISO 27001 can be mapped to NIS 2 to streamline the compliance process.

NIS 1 Directive

The original NIS Directive, also known as NIS 1, was adopted by the EU in 2016. It aimed to increase the overall level of cybersecurity in the EU by ensuring that operators of critical infrastructure in key sectors such as energy, transport, banking, financial market infrastructures, health, water and digital infrastructures implement stringent security measures. The NIS 1 required Member States to develop national cybersecurity strategies, establish Computer Security Incident Response Teams (CSIRTs) and introduce risk management procedures.

Challenges with NIS 1

While NIS 1 was a ground-breaking step, it also had its limitations. It focused primarily on a limited number of sectors and lacked a unified approach to cybersecurity in the EU. In addition, new threats and vulnerabilities required an updated framework that could address these challenges more effectively.

‍

Introduction of NIS 2 Directive

NIS 2, adopted in December 2022, builds on the foundation of NIS 1 but introduces several significant enhancements. The key objectives of NIS 2 are to:

1. Expand the scope of sectors: NIS 2 covers a broader range of sectors, including public administration, space, manufacturing of critical products, and more. This reflects the increasing reliance on digital services across various industries.

1. Enhance security requirements: NIS 2 introduces stricter security requirements, including the implementation of state-of-the-art technologies, supply chain security, and incident response measures.
2. Improve coordination and enforcement: NIS 2 mandates closer cooperation between member states and introduces stricter enforcement measures, including higher penalties for non-compliance.
3. Address supply chain risks: Recognizing the importance of supply chains in cybersecurity, NIS 2 requires organizations to assess and manage risks within their supply chains.

‍

Requirements and Applicability of NIS 2

Who Needs to Comply?

NIS 2 applies to a wide range of organizations across multiple sectors. These include:

• Critical Infrastructure Operators: Companies involved in energy, transport, banking, financial markets, healthcare, and water supply must comply with NIS 2.
• Digital Service Providers: This includes cloud service providers, data centers, and online marketplaces.
• Public Administration: Government bodies at all levels are required to implement NIS 2 measures.
• Manufacturers of Critical Products: Companies involved in the production of essential goods, particularly those related to cybersecurity, are also covered.

‍

NIS 2 contains 45 articles. These articles cover a wide range of topics, including the scope and objectives of the directive, security requirements, incident reporting, risk management, supervision, and enforcement measures, among others.

‍

Not every company needs to meet all the requirements of the 45 articles in NIS 2. The specific obligations that apply to a company depend on factors such as:

‍

Sector and Type of Service: NIS 2 categorizes entities into two main groups: essential and important entities. Essential entities include critical infrastructure sectors like energy, transport, banking, and healthcare, while important entities cover sectors like digital services and public administration. The obligations vary based on the criticality of the services provided.

‍

Size and Impact: The directive applies differently to organizations based on their size and the potential impact of their operations on the economy and society. Larger organizations or those with a higher potential impact are subject to more stringent requirements.

‍

Risk-Based Approach: NIS 2 emphasizes a risk-based approach, meaning that the specific security measures and incident reporting requirements can be tailored based on the level of risk faced by the organization.

‍

While most organizations that fall within the scope of NIS 2 will need to comply with the core cybersecurity requirements (e.g. risk management, incident reporting and supply chain security), they may not need to implement all of the provisions of each article.

Instead, they need to focus on the articles that are directly relevant to their business and the specific risks they face. Compliance usually involves a combination of meeting the mandatory requirements and applying best practice where appropriate.

In fact, of the entire NIS 2 Directive, only three articles are actually relevant to companies seeking to comply.

‍

Key Requirements

To comply with NIS 2, organizations must:

1. Implement Robust Security Measures: This includes risk management, incident response, and continuous monitoring of cybersecurity threats.
2. Conduct Regular Audits: Organizations are required to perform regular audits to ensure compliance with the directive.
3. Report Incidents: Any significant cybersecurity incidents must be reported to the relevant authorities within a specified timeframe.
4. Supply Chain Security: Organizations must assess and manage cybersecurity risks within their supply chains, ensuring that third-party vendors also comply with security requirements.

‍

How to Approach NIS 2 Compliance

Approaching compliance with NIS 2 involves a structured process that ensures your organization meets the directive’s requirements effectively. The 15 steps can be seen as a comprehensive guide to achieving compliance. Here's a breakdown of how to approach it:

By following these 15 steps, your organization can systematically approach NIS 2 compliance. This structured approach not only ensures adherence to the directive but also strengthens your overall cybersecurity posture, making your organization more resilient to cyber threats.

‍

Mapping NIS 2 with ISO 27001

ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a framework for managing sensitive company information, ensuring that it remains secure. Many of the requirements of NIS 2 can be mapped to the controls and practices outlined in ISO 27001, making it easier for organizations already certified to comply with NIS 2.

‍

Key Areas of Alignment:

Risk Management: Both NIS 2 and ISO 27001 emphasize the importance of risk management. Organizations can leverage their existing ISO 27001 risk assessment processes to meet NIS 2 requirements.

Incident Response: ISO 27001’s incident management processes align with NIS 2’s requirements for reporting and responding to cybersecurity incidents.

Continuous Monitoring: The continuous improvement process in ISO 27001 supports NIS 2’s requirement for ongoing monitoring and review of cybersecurity measures.

Supply Chain Security: ISO 27001’s controls for third-party management can be adapted to meet NIS 2’s supply chain security requirements.