“The goal is to up the game quite a bit,” CEO of F3C Systems Frédéric Lens said of the NIS2 directive.  F3C Systems

An updated EU cybersecurity directive that came into force this year aims to “up the game quite a bit,” says IT security expert Frédéric Lens, harmonising rules across the union and including more sectors. But it risks being impossible to enforce. 

The Network and Information Security Directive 2 (NIS2) came into force on 16 January 2023. It aims to increase the cybersecurity capabilities of countries across the European Union by increasing supervision and promoting cooperation and exchanges of information at the EU level.

“In 2013, EU bodies realised that IT security was lacking in many ways for sectors deemed critical. There was no common political understanding on cybersecurity needs and no common rules,” explained Frédéric Lens, CEO of F3C Systems, an IT security company based in Luxembourg. “EU bodies agreed on a cybersecurity strategy, which led to the NIS [Network and information security] Directive in 2016.”

The NIS directive, which covered sectors such as banking and financial market infrastructure, healthcare, water supply or digital service providers, helped boost the security of network and information systems in the EU. But its implementation across the internal market was difficult and fragmented.

“There was nevertheless a fundamental flaw in the NIS directive,” said Lens. “It could be transposed by the member states with a certain level of freedom.” Different countries had different rules for different sectors.

Increasing harmonisation

So how does NIS2 strengthen cybersecurity?

“To put it quite bluntly, the goal is to up the game quite a bit,” replied Lens. “And to harmonise. The improvements focus on harmonising rules, reducing inconsistencies and improving the communication between competent authorities.” Between the publication of the two directives, an open public consultation took place, which, for example, highlighted inconsistencies in how different countries labelled operators of essential services (OES) and digital service providers (DSP).

“The first fundamental change is in the way OES and DSP are identified by imposing the rules of every entity working in the sectors and subsectors identified by the [European] Commission,” said Lens. “There is no more distinction between the two companies in the same sector, which could be the case with NIS.”

“Which brings us to what I believe is the most fundamental shift of this directive: NIS2 removes the possibility for member states to adapt security requirements,” Lens highlighted. “Everyone is treated the same, regardless of the territory of operation, as long as business is conducted with the EU and under the supervision of Enisa [the European Union Agency for Cybersecurity].”

Expanding the scope

The new directive includes online marketplaces, search engines and social media platforms in its scope. Even if a business is based in, for instance, the United States, but has activities in the European Union, those companies are still covered by the directive.

“It’s not only EU entities that need to comply. As long as you have an IT company that is doing business with Europe, like Facebook, it has to comply,” explained Lens. “This is super powerful. It’s like GDPR [General Data Protection Regulation] at the time.”

This sounds quite difficult to enforce. “It’s impossible to enforce,” replied Lens. “But this was already the case with NIS. Unless the states are doing their job of checking the compliance and implementation of NIS2, nothing will happen. And that’s one of the points of Fedil,” he added, referring to a document published by Luxembourg’s industry federation.

The text of the directive, however, doesn’t include any requirements on audits, for example, or even who is supposed to conduct the audits. “These should be systematic,” said Lens.

Including more sectors

NIS2 covers more sectors and classifies the organisations within them as either essential or important entities. Newly covered sectors include providers of public electronic communications networks or services, digital services such as social networks and data centre services, wastewater and waste management, space and postal services.

“Companies have to start taking cybersecurity seriously,” said Lens. “It will not happen from one day to another, as the directive has to be transposed in national law. I hope there will not be too much lag before the entities start taking measures to improve their security posture.”

But could this lead to a burden on certain sectors and smaller companies in Luxembourg? “We have lots of banks, lots of financial institutions, and these are already in the NIS1 directive, so they have already invested a lot of time and money in procedures and risk management and technical arsenal to protect themselves,” said Lens. “But this is not the case for smaller entities.”

“That’s where the state comes in,” said Lens. “It needs to fund cybersecurity for smaller entities.”