One of Brussels’ beloved acronyms, 2016’s NIS was due an update. NIS2 aims to increase cybersecurity for operators of critical infrastructure in today’s digital landscape. Risk management processes will be central to its requirements, says FERMA’s Charles Low.
There is a theory that there is a Brussels effect, which is similar to a butterfly effect but for regulation and law-making.
The butterfly is Brussels – and whatever happens in Brussels ends up happening outside of Brussels. This has been the case for NIS, which comes from the Directive on Security of Network and Information Systems across the EU.
The NIS Directive set in place legal measures to increase the level of cybersecurity in the EU, focusing on protecting critical infrastructure. But that was back in 2016. The NIS needed to be updated and clarified, as well as enlarged in terms of scope and the sectors covered.
Increased digitalisation and higher interconnectedness meant the original NIS Directive did not adequately reflect the digitalised sectors providing critical services to the economy and society as a whole.
The update came on 18 October this year.
ENTER NIS2
NIS2 will apply automatically to all organisations identified as operators of critical infrastructure, which under NIS2 become essential entities. Enterprises that are identified as operators of essential services (OES) or digital service providers (DSP) shall be the same in NIS2.
It is important to emphasise that there is a so-called “size cap”, which determines if an entity falls under the NIS2.
The services provided by the enterprise also determine whether an enterprise is in the scope of NIS2. Broadly speaking, so-called highly critical sectors range from energy and banking, to drinking water and space.
The obligations for essential and important entities in scope of NIS2 include:
- registration with a national body
- implementation of cybersecurity risk management measures
- notification of ʻsignificant’ cyber incidents to the national cyber security incident response team (CSIRT)
- obligations for management, and cooperation with national and supranational authorities.
WHY IS THIS IMPORTANT FOR RISK MANAGERS?
Under NIS2, there will be an implementing regulation on the risk management measures in-scope entities must take.
Risk management processes are central to the requirements of NIS2. So risk managers should be at the core of their organisation’s cybersecurity risk management approach, as well as their ability to go beyond complying with the requirements in NIS2.
NIS2 requires appropriate and proportionate measures to be taken based on the organisation’s risk assessment, which include documenting policies on risk analysis and information system security, as well as policies and procedures to assess the effectiveness of cybersecurity risk management measures.
Beyond that, there are requirements on incident handling and business continuity and crisis management. One of the major requirements in the NIS2 is on cyber incident reporting, which will oblige companies to report on cyber incidents to their national competent authority.
This reporting obligation comes on top of various other reporting requirements, such as those in GDPR, Digital Operational Resilience Act (DORA), and so on.
FERMA has therefore launched a white paper in September, which has been produced with the support of WTW, to help guide risk managers in familiarising themselves with the reporting landscape.
Charles Low is head of EU affairs at FERMA.
No comments yet