On 28th November, European Member States formally adopted the revision of the Network and Information Security Directive (NIS2) (EN, DE, FR). The Directive will enter into force before the end of the year, but will only be applicable after EU Member States transpose the Directive into national law - by September 2024. So now is the time for a heads-up about the upcoming changes and what they will mean for your cybersecurity operations.
Why should you care?
- The NIS2 Directive will become the new set of cybersecurity obligations for organisations across many sectors deemed critical to the economy.
- All 27 EU Member States will have to incorporate these new obligations in their national laws before September 2024.
- These obligations include a stricter incident-reporting deadline (early warning within 24 hours) and the application of cyber risk-management measures.
- There are high fines for non-compliance, and C-level staff will have new responsibilities in the area of cyber. Enforcement measures will include on-site inspections, audits, and even temporary suspensions or prohibitions of C-level executives.
What’s NIS about?
Back in 2016, the original NIS Directive was the first European legislation on cyber. It required Member States to identify operators of essential services and to introduce new cybersecurity obligations for these operators, especially in terms of incident-reporting. You may not be aware of the NIS Directive itself, but you will be familiar with how your national government implemented it (for example, the identification of Operateurs de Services Essentiels (OSE) in France or KRITIS operators in Germany).
The Directive, however, was implemented inconsistently across Member States, leading to fragmentation, where some companies were considered an ‘essential service’ in some countries but not in others. For example, the number of identified services ranged from 12 to 87, and the number of operators ranging from 20 to 10,897. This led the European Commission to revise NIS and make NIS2, with more clarity on which organisations are in scope, and stipulating specific requirements for those organisations.
Does NIS2 apply to you?
Unlike NIS, NIS2 establishes a clear list of sectors falling under scope and stipulates that all entities active in these sectors shall be automatically considered ‘essential’ or ‘important’ entities if they employ more than 250 people and have an annual turnover of more than 50 Million Euros and/or an annual balance sheet above 43 Million Euros. Essential and important entities face the same obligations, but important entities face a lighter enforcement regime.
The usual sectors are covered (energy infrastructure, airports, railways, healthcare, water, banks) but there is also a broader list that includes cloud providers, data centres, public electronic communications networks, managed service providers, postal services, food production, waste water, waste management, chemical manufacturing, the space sector, and more. NIS2 also covers public administration bodies at central and regional level, but excludes parliaments and central banks. Guillaume Poupard, Head of ANSSI in France, estimated that there would be ten times more sectors covered than under NIS.
Member States can also add some entities to their national list, such as local government bodies, education institutions, and companies falling under the size threshold but considered critical for the country. This will be decided by national governments at a later stage, as they will have 27 months to develop their list of essential and important entities following the entry into force of the Directive (until March or April 2025).
What are the new obligations under NIS2?
One of the biggest changes mandated by NIS2 is about incident-reporting obligations.
Under NIS2, “significant” incidents shall be reported within 24 hours. To avoid different definitions and thresholds across Member States, the European Commission will define cases when incidents are deemed significant, but it’s likely to be a broad interpretation.
Essential and important entities shall report incidents to their national computer security incident response teams (CSIRTs) or their competent authority. NIS2 introduces a three-step process for reporting deadlines:
- An early warning shall be given within 24 hours “after having become aware of the incident”.
- This warning shall be followed by a full notification within 72 hours, including an initial assessment of the incident;
- A final report shall be prepared within one month of the submission of the incident notification, including a detailed description of the incident, the type of threat and the cross-border impact.
These deadlines are tight, but Splunk helps security and IT teams to meet them with early detection and automated processes. For example, the Security Operations Team at .italo, a provider of essential services (public transport) in Italy, uses Splunk with Splunk Enterprise Security for early detection of security problems, for their investigation and to aid their response. By having all audit data centralised and being able to ask questions retrospectively through Splunk’s powerful Search Processing Language (SPL), SecOps teams can produce a post-mortem analysis and a full report within days rather than weeks.
NIS2 also requires covered entities to put in place a list of risk-management measures.
The following list is a minimum set, i.e. organisations need to have a risk management measure in each of these areas:
- risk analysis and information system security policies;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- basic computer hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management.
How can Splunk help?
While Splunk can’t roll out your cryptography or security policies for you, it’s vital that you are able to monitor those measures are working as expected once they have been rolled out. Splunk has proven experience in many of those areas, for example:
- Provide the data needed for better handling and response to those who need it, when they need it, to adhere to NIS2’s 24-hour requirement for incident notification, and increase the efficiency of root cause analysis for the 72-hour report;
- Collect and analyse data for security incidents and risk exposure in real-time, enriching with dynamic risk scoring, for better prioritisation of incidents;
- Quickly understand the availability of critical services, leverage data to find the root cause of outages, and collaborate with operational teams to resolve the incident;
- Detect cyber attacks quicker and earlier in the attack chain, through rule-, advanced statistics- and ML-based detections, so attacks become a “near miss” rather a “large scale cybersecurity incident”;
- Leverage efficient detection engineering practices and accelerate putting new detection techniques into production for quick enhancement of coverage and visibility;
- Establish a (semi-) automated platform to connect individual tools together in cyber security to unblock bottlenecks, synchronise cross-team efforts and increase efficiency;
- Leverage threat intelligence, to consume and share back relevant security data with government institutions, suppliers and among peers;
- Audit data access, even across large volumes of data, to verify policies are working and that data is handled in a secure and compliant manner;
- Monitor patch levels, create an asset inventory and verify implementation of cyber hygiene policies to track risk exposure, and provide security information easily for regular audits and ad-hoc compliance requests;
- Build capabilities and mature practices, with Splunk’s extensibility and interoperability, driven by our utilisation of the Open Cybersecurity Schema Framework (OCSF) and OpenTelemetry (OTel) standards.
Will NIS2 apply to the UK?
NIS2 won’t apply to the UK directly, but the UK Government is currently reviewing the effectiveness of the 2018 NIS Regulations, which had been introduced to implement the original NIS Directive. Areas for improvement have been identified in recent stakeholder consultations, and legislation is forthcoming to make the NIS Regulations future-proof. As part of the upcoming changes, the UK could consider sectoral expansion and to “strengthen existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents”.
National governments will have to introduce national legislation to reflect the obligations of the EU Directive, with a deadline of September 2024. Many organisations are looking at how they might comply now, to be ready for that deadline.
Splunk will monitor the transposition of NIS2 by national governments, to track possible differences in implementation, and will continue to support customers locally.
Stay tuned for future updates on NIS2 implementations, and watch the recorded fireside chat with our Splunk experts.
With special thanks to Clara Lemaire and Matthias Maier for collaborating in the writing of this blog post.