
Understanding NIS2: Essential and Important Entities
NIS 2 aims to enhance the security of networks and information systems in the EU. Its main goal is to raise the level of cybersecurity across Europe by requiring organisations in critical sectors to take cybersecurity seriously. Each member state must transpose the NIS2 Directive into national law, which sets the compliance deadline and determines how the requirements fit into that country’s legal framework. The organisations in scope perform crucial functions such as healthcare and water management, and any disruption to such functions could adversely affect millions of homes, the economy, or society.
The original NIS Directive was adopted in 2016; however, it had flaws that resulted in inconsistent efforts among EU member states. NIS 2 addresses the original’s shortcomings by expanding its scope and establishing strict compliance requirements. It also introduced the classification of essential entities (EE) and important entities (IE).
NIS2 classifies in-scope entities as either essential or important, and different requirements apply to each category.
What is NIS2?
The NIS2 Directive (EU 2022/2555) is a piece of European Union legislation aimed at enhancing the cybersecurity capabilities of Member States. It is an update to the original NIS Directive, which was introduced in 2016. The NIS2 Directive aims to improve the security requirements for operators of essential services and digital service providers, including cloud computing service providers, managed service providers, and security service providers. The directive has a broader scope than the original NIS Directive, covering more organisations and sectors, including public administration entities, postal and courier services, and DNS service providers.
How Does NIS 2 Define Essential and Important Entities?
NIS 2 classifies the organisations that must comply with the directive into essential and important entities. It differentiates the two categories based on their functions and societal impact.
Essential Entities
These organisations provide services essential for public safety and economic stability. These essential entities work in the energy, banking, healthcare and other sectors. Any disruption to these services can have drastic consequences on the country’s economy, and that’s why they are classified as essential.
Important Entities
These organisations also provide vital services, though their disruption is less impactful than that of essential entities. However, disruptions in their operations could still significantly affect the public or the economy. Important entities include postal and courier services, digital service providers and waste management.
Scope of NIS2
The NIS2 Directive applies to a range of entities operating across 11 essential and 7 important sectors, including healthcare, energy, transportation, water, digital infrastructure, financial services, public administration, education, research and development, and space. Essential entities and important entities are defined in the NIS2 Directive, and company size and turnover play a role in determining which entities are considered essential or important. The directive also applies to entities that provide their services or conduct their activities within the EU, including managed security service providers and ICT service management providers.
What are NIS2 Essential and Important Entities?
The NIS 2 directive clearly defines which industries are essential and which are important.
List of Essential Entities (EE) and Important Entities (IE):

| Sector | Entity Type |
|---|---|
| Energy | Essential |
| Transport | Essential |
| Banking | Essential |
| Healthcare providers | Essential |
| Water management | Essential |
| Government functions, including defence, law enforcement, legislation, etc. | Essential |
| Financial market infrastructures | Essential |
| Digital infrastructure service providers, such as internet providers and cloud computing service providers | Essential |
| Wastewater | Essential |
| Public administration entities | Essential |
| Space | Essential |
| Postal and courier services | Important |
| Chemicals | Important |
| Food | Important |
| Manufacturing (computers, electronics, motor vehicles, machinery, medical devices, etc.) | Important |
| Digital service providers (social networking platforms, online search engines, online marketplaces) | Important |
| Research organisations | Important |
Requirements of the NIS2 Directive for cloud computing service providers and managed service providers alike
The NIS2 Directive measures are based on an “all-hazards approach” aiming to protect both network and information systems and the physical environment of those systems from incidents. The requirements include:
- Protecting network and information systems from security incidents
- Protecting the physical environment of those systems from incidents
- Implementing measures to prevent and minimize the impact of incidents
- Implementing measures to ensure business continuity in the event of an incident
- Meeting incident reporting obligations for security incidents
- Ensuring supply chain security, including third-party risk and fourth-party risk
How to Become NIS 2 Compliant?
Since NIS 2 is still relatively new, many organisations might find implementing all of its requirements challenging. But fret not; we have provided a step-by-step guide to becoming NIS 2 compliant.
1. Check Applicability
First, review the essential and important entity categories defined in NIS 2 to check whether your organisation falls within its scope. If it does, you must comply with NIS 2.
2. Perform a Risk Assessment
If you are either an essential or an important entity, the next step is performing a risk assessment of your assets. This risk assessment or penetration test will evaluate your security controls and find vulnerabilities. If any vulnerabilities are found, the security team will recommend fixing those issues. These risk assessments are usually performed by third-party vendors or managed service providers (MSPs).
3. Implement Cybersecurity Measures
As discussed in the above step, the security team will share a report of their findings and recommendations, and it is up to you to implement these. Your organisation must implement these recommendations as soon as possible before attackers exploit these vulnerabilities. These recommendations can include hardening network security, strengthening access controls, etc.
4. Establish Incident Reporting Plans
Even after implementing all the recommendations, work still needs to be done. Your organisation should review and update its incident response plans to effectively respond to real-world threats. This playbook will define the roles and responsibilities of all team members during security incidents.
5. Employee Training
Organisations should conduct regular training sessions for employees so that they understand cybersecurity risks and best practices. More often than not, human error allows attackers to burrow into the system and steal sensitive data.
6. Incident Reporting Obligations
This step is a requirement of the NIS 2 directive, which states that an incident must be reported to the relevant authorities when a security breach occurs. Reporting a security incident and describing the remediation steps taken will maintain the trust of your customers and partners.
7. Show That You Are NIS 2 Compliant
All your hard work and determination boils down to this step. You should ensure that you have documented all the steps, as these will prove your implementation. Keep a detailed record of your logs and other data to demonstrate compliance to auditors. Once the auditor has reviewed and verified the documentation, you will be NIS 2 compliant.
8. Review and Update
Okay, so now you are NIS 2 compliant. However, you will still need to review and update the documentation and security controls regularly. Since the threat landscape is always changing and there are constantly new threats to worry about, staying updated on what is happening in the cybersecurity sphere is essential.
9. Cooperate and Share
If your organisation has managed to mitigate cyber attacks, sharing your knowledge with the industry is always a good practice. It will help other organisations to protect themselves from these attacks and thus improve the defences of all the EU member states.
Organisations should also share this information with relevant authorities to respond quickly in the future and stop these attacks from disrupting essential services.
Compliance and Fines
Fines for non-compliance with the NIS2 Directive can be substantial, with fines of up to €10 million or 2% of the entity’s global turnover, whichever is higher. In the most severe cases, fines can be as high as €20 million or 4% of the entity’s global turnover, whichever is higher. National authorities also have the power to impose other measures such as orders to suspend or restrict an entity’s activities to protect the security of networks and information systems. Essential entities will have to comply with supervision requirements from the introduction of NIS2, while important entities will be subject to ex-post supervision, meaning that action will be taken if authorities receive evidence of non-compliance.
How Can We Help?
NIS2 compliance can be complex, especially if this is your first time getting NIS2 compliant. You would have to do so many things to become compliant, and all these processes can feel overwhelming. But you don’t have to worry about that. We at Cyphere understand how challenging it can be for you, and hence, we provide solutions to achieve NIS 2 compliance effectively and efficiently.
Our team will conduct risk assessments and penetration testing to identify vulnerabilities in your systems and provide you with contextual advice for risk remediation. We will also share a detailed report containing the findings and the remediation plan so you can start the implementation process quickly.
Our team of experts will further assist you in developing incident response plans and providing training sessions for your staff. We will provide continuous support even after the assessment to ensure your organisation is secure from cyber threats.
Summary
As we have learnt, NIS 2 is vital for essential entities working in the EU. Threat actors targeting critical services are not unheard of, and many such attacks have been carried out for political and financial gains. Hence, considering these incidents, taking the NIS 2 directive seriously and addressing cybersecurity risks is essential.
*** This is a Security Bloggers Network syndicated blog from Cyphere authored by Amit Kumar. Read the original post at: https://thecyphere.com/blog/nis2-essential-and-important-entities/