The NIS2 Directive (https://eur-lex.europa.eu/eli/dir/2022/2555) will certainly open a new chapter in Europe’s cyber defence. Although all Member States are expected to apply it by 18 October 2024 at the latest, the details are still poorly understood by the organizations covered by the new legislation. While NIS2 will certainly be discussed on many platforms over the next year and a half, a number of details hidden in the text of the legislation require deeper analysis. Let’s start right away with an introduction to NIS2 and the role of Managed Security Service Providers (MSSPs)!
Today, it is difficult to imagine the secure operation of a modern enterprise’s electronic information systems without the involvement of an external MSSP. This is most evident in the area of incident management, where it is not feasible for most organizations to set up their own Security Operations Centre: neither the technology, nor the human resources, nor the appropriate processes are available, and procuring and setting them up would be disproportionately expensive. This fact is also acknowledged in NIS2, whose recital (83) states: “Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the essential and important entities’ internal IT staff or the security of which has been outsourced. The cybersecurity risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems internally or outsource the maintenance thereof.”
According to the Directive, a ‘managed security service provider’ means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. But what does this mean in practice? NIS2 imposes a number of cybersecurity tasks on essential and important entities that they may not have dealt with before, not least because the scope of entities covered by the Directive has been significantly extended compared to previous European and national legislation. By way of example only, organizations which manufacture motor vehicles, trailers and semi-trailers (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e32-148-1) were not necessarily obliged before to deal with the security measures required under Article 21(2) (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e3337-80-1):
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Of course, any legislation is only as good as the compliance it achieves, which is why NIS2 introduces the possibility of administrative fines (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e4350-80-1), similar to the approach taken for GDPR. For example, failure by essential entities to implement the listed measures can be subject to fines with a maximum of at least EUR 10 000 000 or a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher. For important entities, the corresponding figures are EUR 7 000 000 or 1.4%.
Building cybersecurity processes is not primarily a matter of regulatory compliance. In recent years, we have helped to manage a number of incidents where the organization’s management never imagined that they would be the target of ransomware. Having seen first-hand the financial and reputational damage caused by such malicious code, we recommend a thorough study of NIS2, because the information it contains can help you build risk-appropriate security before an incident occurs. Considering also the size of the penalty that the national authority can impose, planned information security is certainly a more cost-effective solution than scrambling and fire-fighting. An MSSP, which is itself also subject to the requirements of NIS2, can be of great help in this respect. But we will write about this and more NIS2 secrets in a future blog post. Stay tuned for more!