NIS2 – Key Challenges on the Horizon

By Christian Luidold April 25, 2023


About ten years ago the proposal for the original NIS Directive entered our lives. It was the first EU-wide cybersecurity legislation and created a new baseline for cybersecurity across the union. Unfortunately, the effects of the original NIS were not as good as initially hoped. Its objective of raising the level of security of network and information systems across the union was hindered by uneven levels of resilience among member states, insufficient resilience of individual organisations, and ineffective oversight by government authorities. The decision was therefore made to issue an updated act to take its place. In a little over 1.5 years, by 17 October 2024 to be precise, each member state must have transposed the successor into national law, with the new rules applying from 18 October 2024.

There are two core requirements constituting the main changes in NIS2: risk management and reporting obligations. Both lead to significant challenges for organizations and for supply chains as a whole, requiring information management and risk awareness across entire ecosystems and networks. This is forcing companies to rethink their approach to security. Security awareness and a risk-oriented approach are novel to a large number of organizations that are used to looking at information security primarily as a technical field. With NIS2 the focus is clearly shifting to organizational and business-related questions: under the newly introduced rules, risk management and reporting obligations become central.

The two major points related to risk management in the context of NIS2 are governance and the handling of risk, resulting in a demanding mixture of domain expertise, legal issues, and standards-conformant approaches to risk handling.

  1. Governance, which places new responsibilities on top-level management (i.e., the chief executive officer or legal representative level) and includes personal liability if those responsibilities are not met. Additionally, top-level management is required to follow training and is encouraged to offer similar training to their employees on a regular basis.
  2. Risk management measures, which consist of taking appropriate and proportionate measures to manage risks and to prevent or minimize the impact of incidents.

Associated with the above requirements are new reporting obligations. While these were limited to critical infrastructures under NIS1, they now extend to the much broader set of essential and important entities, including the supply chains of critical infrastructures. Reporting obligations require organizations to report significant security incidents to a CERT/CSIRT without undue delay, to inform the recipients of their services of any measures or remedies to take in response to the incident, and to inform them about the significant threat itself. The timeline for the reporting obligations is as follows:

  • within 24 hours of becoming aware of the incident: an early warning, including whether the significant security incident is suspected to have been caused by an unlawful or malicious act and whether it could have a cross-border impact.
  • within 72 hours of becoming aware of the incident: an incident notification that updates the early warning and includes an initial assessment of the incident (severity, impact, and indicators of compromise where available).
  • upon request of a CERT/CSIRT or competent authority: an intermediate report with relevant status updates.
  • not later than one month after submitting the incident notification: a final report including a detailed description of the incident, the type of threat or root cause, applied and ongoing mitigation actions, and the cross-border impact where applicable.

In practice, the burden imposed by the reporting obligations will be felt immediately by affected organizations, since the 24-hour and 72-hour deadlines leave little room for manual collection of incident data. This is exactly the point where CS-AWARE-NEXT can help reduce the associated effort. The extended platform to be developed in the project will, in the context of NIS2, support the detection and documentation of attacks and developing threats, thereby reducing an organization's time to react and, even more significantly, the effort required to compile the information needed for the reports.