The NIS2 directive on network and information security, which entered into force on 16 January 2023, aims to upgrade EU rules on cybersecurity. The European Union’s directive now covers more sectors--such as the manufacturing of critical products like pharmaceuticals--and promotes information sharing between member states.
“The idea behind it is to have a horizontal approach for cybersecurity. And there are more specific security measures that need to be in place for the different entities in the different sectors,” explained Sheila Becker, head of network and information systems’ security at the Luxembourg Regulatory Institute (ILR).
More responsibility at the C-level
One major change, for example, is that CEOs--or others at the top level of management--will now be held liable for infringements of the rules. “If there is an infringement, with regards to not notifying or not respecting the security measures, there could be a penalty that could impact also the CEO,” added Becker. Executives also need to undergo training to raise awareness of cybersecurity changes, as well as provide training for their personnel.
“That’s really, I think, one of the biggest changes--it’s not only the sectors that have been expanded. But really the biggest impact will be that the C-level is involved,” said Becker. “They can no longer say, ‘I don’t want to care about cybersecurity.’ They need to take care of it.”
Under NIS2, companies will need to implement policies to handle cybersecurity incidents, backup management and disaster recovery plans, as well as crisis management plans. “Supply chain security is way more important than before,” said Becker. “That’s, I think, a really big step ahead, because we noticed also during the pandemic that the supply chain is so important, and that’s why they integrated it in the NIS2.”
Increased information sharing and cooperation at the EU level
Sharing information on topics such as vulnerabilities, indicators of compromise and incidents is “key for cybersecurity,” said Becker. Luxembourg is also part of the NIS cooperation group, which consists of representatives of the EU member states, the European Commission and the EU agency for cybersecurity (Enisa). “We are just one player out of 27.”
But is it risky to share too much information on cybersecurity vulnerabilities? “The idea is not to say, ‘I’m in this business and I have this vulnerability,’” said Becker.
“It’s giving awareness, giving information to others,” added Luc Tapella, director of the ILR. The goal is not to point fingers. “It’s more: ‘This has happened, or this can happen. Take care, because it can also happen to you’.” It’s important to share information as fast as possible so that others are alerted and can react more quickly.
The NIS2 directive also establishes the European cyber crises liaison organisation network (EU-Cyclone) so that responses to large-scale cybersecurity incidents can be better managed, to improve coordination regarding newly discovered vulnerabilities and to promote information sharing between EU members.
How will NIS2 be implemented in Luxembourg?
NIS1 was already in place in Luxembourg, so a certain way of working has been established in the grand duchy. A similar process will be used to help implement the NIS2 directive in the additional sectors that are now impacted.
The first step is to inform the market that there’s a new NIS directive to be aware of, Tapella explained. Part two is to conduct a campaign of sensibilisation so that the companies who are affected know that they must comply, and the third phase is for the ILR and companies to work together.
“We have set up a platform, a tool which is called Serima [taken from the first letters of security risk management, editor’s note], which helps [companies] to do the risk analysis. Everyone who is concerned, offering essential services, has to do a risk analysis,” said Tapella. “And for that purpose, we have developed a tool, which is for free for those who are concerned.” The ILR also carries out workshops and trainings to support these companies.
Companies carry out their risk analyses, then send the results to the ILR, which then follows up on the risks that companies have identified. “In Luxembourg, we have already anticipated something which is now in the second NIS directive,” said Tapella. “The results we get, after risk analysis by sector, we send the results of each company to each CEO.” The CEO can then see the positive and negative points, as well as how their company compares to the market average.
It’s important for CEOs to be aware of where the risks might be, as well as see the evolution from year to year, explained Tapella. The ILR also carries out a yearly exercise where they simulate an attack and see how companies react, which allows companies to identify new risks. “It’s a learning process,” he said. “We try to help them so that they get better, more aware, and put more things in place.”
The Serima platform, which is not only used in Luxembourg but in Belgium as well, can also be used for incident notification in the future. If there is an incident in the water sector, for example, this can have an impact on hospitals. The platform will help to alert others who are concerned by a certain risk so that they can prepare. The ILR works closely with their “Belgian friends”, as Tapella put it, to offer more services to all players concerned.
Bigger organisations often have bigger budgets and can afford to put more measures in place, compared to a smaller entity with fewer people, fewer resources and less money. “With our platform, it’s the same platform, the same tool for everyone,” he said. Results can be compared over time and “we can help them so that everyone is getting on the same level.”
Every member state now has 21 months to transpose the text into law. But it’s already important to start raising awareness among sectors so that companies know that they have to comply.
“I think the idea here is to get those who are not so far, to get them more involved, more conscious about what’s happening,” said Tapella. “Zero risk does not exist.” Instead, it’s important to raise awareness. “If you have created awareness, it will be more difficult for the hackers to get in” and cause damage.
The ILR and the Belgian Institute for Postal Services and Telecommunications will hold the second Nisduc conference on NIS2 in Brussels on 25-26 April 2023. Registration opens in February.