EU-NIS2 to Increase Cyber Security

The EU-NIS2 and EU-RCE Directives are to be transposed into German law by the Bundestag this year and become legally binding. Even if the parliamentary process is delayed beyond October 2024, companies should still prepare.

The first part of “Migration to ISO 27001:2022 – SEEBURGER mapping table” explained SEEBURGER’s procedures for dealing with ISO 27001 controls. The second part “EU-NIS2 verification through mapping to ISMS ISO 27001 controls” highlights how the requirements of EU-NIS2 and EU-RCE can be met with the help of an ISO 27001-certified information security management system (ISMS). Read this article to find out more about the requirements of EU-NIS2 and EU-RCE and what companies affected by EU-NIS2 can do.


What is EU-NIS2 and EU-RCE?

The EU-NIS2 (Directive 2022/2555 of the European Union on the security of network and information systems) and the EU-RCE (2022/2557, European Union Resilience Coordinator’s Office) initiatives are intended to strengthen cyber security and resilience for important and critical infrastructures.

This blog refers to the EU directives. Further developments are to be expected from the respective NIS2 implementation law in each EU member state. In Germany, for example, this will be the “NIS2UmsuCG”, overseen by the Federal Office for Information Security (BSI).


EU-RCE and EU-NIS2: Who is affected?

Many companies in the EU will be directly affected by EU-NIS2 (2022/2555), as the scope of application is comparatively large and the thresholds are lower than under the previous regulatory regime.

New companies affected by EU-NIS2 include:

  • Cloud computing services, CSP: Digital service that enables on-demand management and remote access to a scalable and elastic pool of shared computing resources, even across multiple locations.
  • Managed services provider, MSP: Installation, management, operation, maintenance of ICT products, networks, infrastructure, applications, network and information systems through support or active management for customers.

Check whether your company is within the scope of application and whether you meet the threshold values once the implementation law has passed your national parliament.

According to Article 21, paragraph 2 d) of the EU-NIS2, the measures must at least address the security of the supply chain, including security-related aspects, for the relationships between the individual entities and their direct suppliers or service providers. Therefore, suppliers will also be indirectly affected as some of their B2B customers fall within this scope and cyber security cooperation is required.


What measures will companies face as a result of EU-NIS2?

The EU-NIS2 Directive (2022/2555) defines minimum cyber security requirements for Essential Entities (= very important) and Important Entities. Operators of critical infrastructure are also considered an Essential Entity, but with additional requirements.

  • Level 1: Important Entities fall under the EU-NIS2 Directive (2022/2555) and, in Germany, under the NIS2UmsuCG.
  • Level 2: Essential Entities (= very important) fall under the EU-NIS2 Directive (2022/2555) and, in Germany, under the NIS2UmsuCG.
  • Level 3: Operators of critical infrastructures are Essential Entities (= very important) and fall under
    • the EU-NIS2 Directive (2022/2555) and, in Germany, under the NIS2UmsuCG and
    • the EU-RCE (2022/2557) and, in Germany, under the new KRITIS umbrella law (KRITIS-Dachgesetz).

For this reason, Article 20 (Governance), Article 21 (Measures) and Article 23 (Reporting deadlines to the BSI) of EU-NIS2 (2022/2555) are particularly worth reading.

In the EU-RCE (2022/2557), Article 12 (Risk assessment) and Article 13 (Measures) are especially worth a look. These articles describe the BCM requirements for critical infrastructure operators in detail, which result from EU-NIS2 Articles 21.1 and 21.2 c.

The supplier structure must be screened and evaluated accordingly. Individual questionnaires are not scalable for either customers or their suppliers. The simpler way is to query the widespread certifications and attestations relating to IT security.


EU-NIS2 reporting deadlines

EU-NIS2 reporting deadlines in the event of damage

According to Article 23, digital service providers must report any security incident that has a significant impact on the provision of a digital service offered in the European Union to the competent EU-NIS2 authority. In Germany, the competent EU-NIS2 authority is the Federal Office for Information Security (BSI). The following EU-NIS2 notification deadlines are important:

  • Initial notification within 24 hours: A preliminary notification must be submitted within 24 hours of becoming aware of an incident.
  • Detailed report within 72 hours: This must be followed within 72 hours by a full report, including an initial assessment of the incident.
  • Final report within one month: A final report describing the incident, the nature of the threat and the cross-border impact must be submitted no later than one month after the incident is reported.


Reporting deadlines for personal data

If there is a suspicion that personal data has been compromised or extracted, the responsible data protection supervisory authority must also be notified within 72 hours of becoming aware of the situation. The data protection authority in the respective federal state is usually the first point of contact. It makes sense to use the contents of the detailed 72-hour notification to the responsible EU-NIS2 authority, i.e. the BSI in Germany, in a similar way for the data protection notification.

Decisions on notifications to other data protection supervisory authorities in other EU countries must be made promptly. The latter is not trivial if, for example, you have branches in other EU member states. It should be noted that these authorities may have their own reporting portals with different content and formats.


Further checks concerning EU-NIS2 reporting deadlines

It is also necessary to ensure the following:

  • Reporting obligations to other supervisory authorities in countries outside the EU (e.g. the FBI in the USA) are in place.
  • Customers are informed in accordance with the EU-GDPR.
  • Any contractual obligations to notify customer contacts are known and fulfilled.

This means that reporting channels to the responsible bodies, content templates and responsibilities should be clarified in advance. If you stumble unprepared into such a situation during a crisis, you risk losing too much time.


Conclusion

EU-NIS2 is intended to increase cyber security and requires affected companies to implement appropriate security measures. Companies should check whether they are affected by the law in the relevant EU member state and take the necessary compliance measures.


Further information

In the EU-NIS2 (2022/2555), read Article 20 (Governance), Article 21 (Measures) and Article 23 (Reporting deadlines to the BSI) for Level 1 to 3 from page 47 onwards: https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32022L2555&qid=1708086228674

In the EU-RCE (2022/2557), read Article 12 (Risk assessment) and Article 13 (Measures) from page 19 onwards: https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32022L2557

Read this overview of the sectors: https://www.openkritis.de/it-sicherheitsgesetz/sektor_informationstechnik-telekommunikation.html


Source: https://blog.seeburger.com/eu-nis2-to-increase-cyber-security/
