/Logo%202023.svg "Logo 2023"){kind=small}
/Group.svg "Group"){kind=small}
Edlyn Teske
Cryptomathic guides you towards compliance.
EU Directive 2022/2555 on Network and Information Systems, also known as NIS2, entered into force on Jan 16, 2023. EU Member States must transpose NIS2 into their national legislative framework by Oct 17, 2024.
This article focuses on the significance of NIS2 for enterprises in the 18 industrial sectors that fall under this regulation, and how Cryptomathic can facilitate compliance.
A separate article will soon come out from Cryptomathic on Regulation (EU) 2022/2554 (DORA – the Digital Operational Resilience Act) which applies to IT security of financial institutions.
NIS2 builds on NISD (EU Directive 2016/1148) but is more stringent and expands the set the entities affected by this new set of rules. Specifically, NIS2 affects all medium-sized and large enterprises (as per Article 2 of Recommendation 2003/361/EC, see also Figure 2 below) that belong to one of the 18 sectors classified as ‘of high criticality’ or as ‘critical’ (cf. Figure 1 below).
Those entities, as well as their suppliers, must implement and document a variety of measures to avoid, detect, and report cybersecurity incidents.
For comparison, the 2016 NISD left it to the member states to assess and identify which entities were subject to the NISD regulations, and it included only 6 sectors; this approach led to significant differences in the application of NISD across member states. Meanwhile, the new scope definition implies a significant increase in affected enterprises. For example, the Belgian Centre for Cyber Security forecasts for Belgium an increase from about 100 entities affected by NISD to about 2500 entities affected by NIS2.
Figure 1: Scope extension from NISD (2016) to NIS2 (2022)
NIS2 imposes onto affected entities a comprehensive set of cybersecurity risk-management measures (Article 21) as well as extensive reporting obligations (Article 23). The required measures include incident handling plans, crisis management plans, policies on the use of crypto, access control policies, use of state-of the art authentication, supply chain security, and cybersecurity training.
The NIS2 Directive also brings higher and more specific fines and penalties for entities that infringe NIS2 Articles 21 and 23. Senior management can be held accountable for such infringement. The execution of the penalties is up to the national authorities who also will be requesting reports and doing audits and random checks. (NIS2 Articles 32,33, and 34.)
Which specific supervisory and enforcement measures are being applied depends on the classification of an entity as ‘essential’ or ‘important’, which is determined by an entity’s sector (of high criticality or critical) and size (medium or large) (cf. Figure 2 below).
.png?quality=high)
Figure 2: Essential and important entities as per NIS2
As directed by NISD Article 19, ENISA has drawn up guidelines on the implementation of the security requirements formulated in NISD Articles 14 and 16. These guidelines, and relevant standards in this context, are:
- Minimum Security Measures for Operators of Essentials Services — ENISA (europa.eu)
- ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
- CSWP 29, The NIST Cybersecurity Framework 2.0 | CSRC
- ISA/IEC 62443 Series of Standards | ISAGCA
Likewise, by NIS2 Article 25, ENISA is tasked to develop guidelines on the implementation of the cybersecurity risk management measures as specified in NIS2 Article 21. Since the NISD requirements are a subset of the NIS2 measures, it is reasonable to assume that the new ENISA guidelines will be built on their previous, NISD-based guidelines, which provide detailed controls grouped into four security domains: Defense, Governance and Ecosystem, Protection, and Resilience.
Teaming up with an external vendor such as Cryptomathic will facilitate NIS2 compliance. Our Cryptomathic Key Management Solution (KMS) is built to comply with ISO/IEC 27001 and a wide range of key management standards. In the table below we illustrate how the Cryptomathic KMS supports compliance with the ENISA controls across all four ENISA security domains.
Compliance requirements mapped to Cryptomathic's key management system's features:
%20(2).png?quality=high)
Contact Cryptomathic today to accelerate your enterprise's compliance with NIS2!