NIS-2 : The impact of the Network and Information Security Directive on cyber security in Europe
On 10 November 2022, the Members of the European Parliament gave their assent to the NIS-2 Directive, a key step towards greater harmonisation and a significant strengthening of cyber security in the European market.
1. Strengthening cyber security measures
The NIS-2 directive is the new European cyber security directive. It introduces obligations for entities operating in various sectors considered crucial. As an example, it currently concerns around 600 different types of entity in France.
Before 2016, the cyber threat was managed at national level, with the result that Member States lacked coordination in the management, treatment or prevention of cyber risks. In July 2016, the adoption of the NIS Directive as the first European legislation on cyber security provided a common framework for the whole of Europe and laid the foundations for large-scale cyber risk management by establishing, in particular, the concept of Operators of Essential Services (OES). This designation covers public and private organisations that play a crucial role in the general interest, and whose IT security failures would have an impact on the continuity of certain services considered essential or even critical.
The NIS Directive also defined the concept of Digital Service Providers (DSPs), encompassing legal entities providing digital services, such as marketplace platforms (like Amazon), search engines or cloud services, in order to strengthen cyber security and the resilience of essential digital services in Europe.
Among its obligations, the directive required OESs to notify their lead agency, such as ANSSI in France or the Bundesamt für Sicherheit in der Informationstechnik (BSI) in Germany, of incidents affecting the systems that support essential services, and to implement security controls supervised by their lead agency or by qualified trusted service providers. The aim of this requirement was to prevent, or at least reduce, the potential consequences of IT security incidents such as cyber attacks. In other words, Member States had to ensure that these companies and organisations put in place appropriate security procedures to protect their IT systems and minimise damage in the event of a security incident.
What's the point of NIS-2?
The European Commission's review of the original NIS Directive stems from the exponential growth in cyber threats across all sectors, both public and private, which has led to the need to adapt existing regulations to better protect infrastructure, essential services and sensitive data across the European Union. This development has prompted the European Commission to broaden the scope of the 2016 NIS Directive and better prevent threats while consolidating the European Union's position as a key player on the global cybersecurity stage.
This is why the NIS-2 directive goes further, considerably extending the objectives and scope of the system to offer enhanced protection by increasing the number of regulated sectors from the initial 19 to 35 (see graph 3 below).
2. Who is affected by NIS-2?
The essential and important entities
Unlike NIS 1, the NIS-2 directive formalises a precise list of sectors covered by its application and divides players into two groups according to their size: essential entities and important entities (see chart 3). Although both categories are subject to the same obligations, large entities benefit from a less restrictive implementation regime.
The NIS Directive focuses primarily on sectors considered essential for the functioning of society and which require a coordinated approach at EU level to strengthen cyber security. NIS-2 excludes certain public administration entities, in particular those involved in national security, public safety, defence or law enforcement under Article 2(8), as these areas are considered to fall within the sovereign competence of the Member States, whose specificities are governed by their own national laws and regulations. However, public administration entities whose activities are only marginally related to these areas are not excluded from this directive.
3. Security at the heart of the Directive's concerns
To meet the obligations of NIS-2, the organisations affected by the directive will have to strengthen the security of their digital infrastructures, but that is not all. Prevention encompasses several areas of intervention to anticipate both physical and logical attacks, which may be combined toward the same end. This is where identity management becomes essential to enable permanent control of physical and logical access, ensuring that only authorised people or connected objects can enter premises with restricted access, access sensitive information systems or exchange secure data.
Secure identities provide a first line of defence, offering a level of control appropriate to the level of authentication required (or at least necessary). A pioneer in secure identity management that meets the highest standards and complies with European regulations, the Nexus Smart ID suite addresses these challenges by helping to cover most of the security criteria imposed by NIS-2, thanks in particular to its ability to:
- issue and manage trusted identities,
- deploy multi-factor authentication,
- supervise access to the organisation's resources,
- automate procedures,
- and simplify the encryption and electronic signature of emails.