Carrot or Stick: is NIS2 the Way Forward?

Six years is a long time in cybersecurity, so the EU’s Network and Information Systems (NIS) directive from 2016 has a lot to catch up on. Alex Meehan asks whether the updated rules are sufficient for the modern threat environment

For some time, European companies and countries have been calling for a more robust response from the European Union (EU) to the problem of ransomware attacks and cybersecurity in general.

Society is ever more dependent on IT and digital infrastructure, and cybercrime, terrorism and digital warfare are only likely to become harder to deal with and more threatening in the future. Despite this, existing legislation that deals with these issues dates back to 2016 and became law in most EU member states in 2018. 

Known as the Network and Information Systems (NIS) directive, this law tries to ensure that Europe’s essential digital infrastructure in areas such as banking, transport, health and energy is kept safe. It introduced mandatory incident reporting and aimed to make companies take the issue of ransomware and network incursions seriously. 

Its goal was to set a standard and use it to achieve a high level of cybersecurity across the EU. However, in cybersecurity, six years is a long time, and policies that were fit for purpose in 2016 may no longer be up to the job. 

In particular, some industry commentators believe that the original 2016 directive left too many gaps and too much discretion to individual member states in terms of enforcement. There are other issues with it, such as who and what it identified as ‘operators of essential services.’ 

Just what is an essential service in 2022? It’s a good question and, to answer it, the EU has decided to revisit the NIS directive and make it more fit for purpose. Its successor, the NIS2 directive, has been drafted and is currently making its way through the EU’s legislative process on the road to becoming law. 

This new, updated directive has three main goals. The first is to increase cyber resilience across the EU by extending the remit of the existing legislation to cover more types of companies in more sectors than its predecessor. This time around, member states will have far less latitude to tailor the requirements when transposing them into national law. The general idea is to update the law to reflect that we are becoming more dependent on IT as a society, so the rules protecting that infrastructure should reflect how important it is. 

The second is to reduce inconsistencies in the sectors already covered by the original NIS directive, as well as adding new industries and bringing more public and private entities under its umbrella. This is about enforcing uniform reporting responsibilities, improving supply chain resilience and generally tidying up the loose threads exposed by the implementation of the existing legislation written in 2016.

The third goal is to raise awareness across the EU around the importance of cybersecurity and improve member states’ abilities to defend themselves. This goal is to improve how the EU prevents, handles and responds to large-scale cybersecurity incidents. 

In May, the NIS2 directive hit an important milestone when the EU announced it had reached a political agreement between the European Parliament and member states on its provisions. However, it will still take some time before the changes take place. 

To begin with, member states will have between 18 and 24 months to turn the directive into national legislation, so it’s likely that NIS2 won’t take effect until 2024. 

It’s an ambitious upgrade, and an EU Commission official tells Infosecurity that it “builds on and strengthens everything that’s already in place from the NIS directive” and adds new measures designed to help establish security best practices in Europe.

“The existing rules on the security of network and information systems (NIS directive) were the first piece of EU-wide legislation on cybersecurity and it paved the way for a significant change in mindset as well as institutional and regulatory approaches to cybersecurity in many member states. It had notable achievements,” says Sonya Gospodinova, spokesperson for the EU Commission.

“However, the digital transformation of society, intensified by the COVID-19 crisis, has expanded the threat landscape and brought about new challenges which require adapted and innovative responses, so an update of the existing rules is necessary.”

To respond to the growing threat landscape, the revised NIS2 directive will cover more sectors and companies based on an assessment of their criticality for the EU economy and wider society. One of the main things it aims to achieve is greater harmonization of the rules generally enforced across Europe. The concern is that if different countries enforce different rules, the variations could become a significant barrier to progress.

“Cybersecurity requirements imposed by one member state that are different from those imposed by another can lead to fragmentation of the internal market, affecting in particular the cross-border provision of services. They can also lead to a decreased level of cyber resilience of other member states caused through the potential spillover effect of cyber threats and incidents,” comments Gospodinova. 

“EU-wide rules like the current NIS directive and the new NIS2 directive are intended to establish a common level of security for network and information systems, increasing convergence.”

A significant aspect of any legislation designed to change behavior is the penalties imposed on companies and organizations that don’t comply. In the case of the NIS2 directive, the range of sanctions allowed for is quite varied. 

They include binding instructions, an order to implement the recommendations of a security audit, an order to bring security measures into line with NIS2 requirements and administrative fines of up to €10m or 2% of the offender’s total annual worldwide turnover, whichever is higher.

Fines of this size have been effective in other jurisdictions, such as the UK and the US, in making companies take cyber breaches more seriously, but as always, enforcement is key. It remains to be seen how vigorously national authorities will pursue enforcement actions under the new directive. The reaction to the prospect of a new cybersecurity directive has been broadly positive.

“If I go for a meal in a restaurant in Dublin, I know that the owners have to comply with health and safety standards set out by the EU, and that gives me peace of mind that I’m not likely to get food poisoning,” explains Brian Honan, chief executive officer of BH Consulting and former special advisor on cyber security to Europol’s European Cyber Crime Centre. 

“If I go to restaurants in Germany, Spain or France, the same standards apply, and that’s a good thing for me as a consumer. But in cybersecurity, there hasn’t been the same level of focus on standards across different industries. If I want to do business with an organization in Europe, then apart from GDPR, what guarantee do I have that my information will be secure?”

Honan points out that the first NIS was aimed at a specific type of company, and outside of those, awareness of security best practices remains sporadic. This new directive is to be welcomed as it broadens the scope of those it applies to.

“If you’re not a financial company, a large ISP or an energy provider, then the NIS directive probably doesn’t mean much to you. NIS2 should change that because it expands the list of operators of essential services, but more importantly, it introduces the idea of securing your supply chain,” he says.

“So NIS2 might not impact all businesses out there, but if those businesses are providing IT services to a company that is obliged to comply with the updated directive, it will impact them too.”

The question on some observers’ minds is just how effective this new directive can be. Do the people behind it work in the IT sector, and do they have a good enough grasp of the realities of securing companies against cyber-threats?

“Compliance is typically, in my opinion, a failure of corporate governance. Compliance gets introduced because somebody somewhere wouldn’t do the right thing and the powers that be decide that they’re going to force everyone to do the right thing,” notes John Kindervag, senior vice president for cyber security strategy with ON2IT. 

Kindervag is a leading expert on cybersecurity, best known for creating the zero trust model while at Forrester Research in 2010; in 2021 a US executive order directed federal agencies to adopt a zero trust architecture.

“The first compliance initiative was the Payment Card Industry (PCI) Data Security Standard (DSS) when the credit card companies got together to create the PCI DSS so they could say ‘if you want to take credit cards, you have to have this level of security.’”

In Kindervag’s opinion, the PCI DSS represents the best kind of compliance initiative because it was industry-led and kept governments out of the picture. The people who drew up the PCI DSS understood the problem deeply, but many of those working on privacy and other kinds of data compliance today tend not to have this level of understanding. 

There is a danger that trying to create too sweeping a level of compliance can make things too difficult to be practical. 

“We have to have people creating these compliance mandates who understand the technology and what we’re doing, and I don’t think that’s happened in most of the cases I’ve seen. The payment cards industry brought in credit card security experts to design their compliance standards, but I don’t think that’s happening here,” he says. 

“If this is done badly, you can hit a tipping point where the compliance intended to make things better and safer makes it too hard to get anything done.”
