NIS2: how to get ready?

Encryption ABC's

Strategic cybersecurity developments as the NIS2 directive becomes applicable

PRIM'X - NIS2

As cyber threats increase, the NIS2 directive is a Europe-wide opportunity for thousands of entities that have everyday interactions with citizens to better protect themselves. Member States, France included, must transpose it into national law by October 17, 2024 at the latest.

From NIS1 to NIS2

After eight years (2016-2024), the Network and Information System Security (NIS1) Directive is handing over to the NIS2 Directive, which widens its scope and requires the organizations it covers to put stronger protection in place.

In line with NIS1, the NIS2 directive strengthens the security standards that certain private companies and public organizations (those whose interruption of business would have a significant impact on society) must meet, failing which they face sanctions.

New sectors of activity and two strategic entities

The first significant difference between the two versions of the directive is their scope: NIS1 covered 19 sectors, NIS2 now covers 35.

The new sectors include:

  • postal and courier services,
  • waste management,
  • the manufacture, production and distribution of chemicals,
  • manufacturing,
  • the production, processing and distribution of food,
  • and digital providers.

Another change is the way target businesses and organizations are categorized. Whereas the NIS1 directive defined a single category of strategic organizations (OESs, operators of essential services), NIS2 distinguishes two kinds of key players: essential entities and important entities.

What are the differences between them?

  • Essential entities are large public or private organizations (over 250 employees, or annual turnover in excess of 50 million euros) operating in sectors categorized as highly critical.
  • Important entities are medium-sized public or private organizations (between 50 and 250 employees, or annual turnover of between 10 and 50 million euros) operating in either family of sectors, as well as larger organizations in the sectors that are not classified as “highly critical”. The stoppage of their activities would nevertheless have a significant impact on society.

In France, the scope has therefore been extended from around 300 to around 15,000 entities.

Taking the supply chain and a strengthened sanctions system into account

The NIS2 directive also takes the entire supply chain into account, in response to supply-chain attacks that target the subcontractors of software publishers, integrators or any other key player in the value chain. Essential and important entities must manage the security of their relationships with their direct suppliers and service providers, so in practice the subcontractors of those entities will be expected to meet the security requirements that flow down from NIS2, even when they are not in scope of the directive themselves.

This attention to supply-chain risk follows a number of high-profile cyber attacks, such as the one that hit SolarWinds in 2020. For several months, the IT infrastructure management software publisher was compromised and unknowingly distributed a software component of its Orion platform containing a back door. According to SolarWinds, up to 18,000 of its customers downloaded the compromised updates. Those organizations included several CAC 40 companies and US government departments.

NIS2 also differs from NIS1 in that its sanctions regime has been strengthened. Non-compliance with the directive can now be sanctioned with a fine expressed either as a fixed amount or as a percentage of the worldwide annual turnover of the entity in question, whichever is higher:

  • For essential entities, the sanctions can be up to a 10 million euro fine or 2% of worldwide annual turnover.
  • For important entities, the sanctions can be up to a 7 million euro fine or 1.4% of worldwide annual turnover.

The main duties under NIS2

The NIS2 Directive requires essential and important entities to take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the network and information systems they use.

The measures are based on an “all-hazards” approach to protecting networks and information systems, as well as their physical environment, from incidents.

They include the following elements:

  • risk analysis and information system security policies,
  • incident handling,
  • business continuity (backup management and disaster recovery),
  • supply chain security.

Essential and important entities must also implement procedures to:

  • assess the effectiveness of cybersecurity risk management measures,
  • deploy basic cyber hygiene practices and cybersecurity training,
  • ensure human resources security,
  • implement access control and asset management policies.

The directive also requires policies and procedures on the use of cryptography and, where appropriate, encryption. It further expects entities to use, where appropriate, multi-factor or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity.

An incentive to use certified European products

Another important point to note is that the NIS2 directive encourages the entities concerned to use certified products. Article 24 states that: “To demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 (Cybersecurity Act). Furthermore, Member States shall encourage essential and important entities to use qualified trust services”.

Under NIS2, making wider use of encryption and of certified products means calling on specialist players. Certification is at the heart of PRIM’X’s strategy: certifications are maintained and reissued for successive versions and platforms to keep pace with developments in technology, the state of the art in cryptography, and the threat landscape. In addition to these certifications, our encryption solutions undergo national, trans-national or market-specific assessments.

The purpose of the NIS2 directive is to strengthen the resilience of French and European organizations. Even though the cyber maturity of French companies is rising (49%, compared to 46% a year ago), it is still insufficient to provide lasting protection from the multitude of cyber threats, according to the latest edition of the benchmark published by consulting firm Wavestone.