The European Union (EU) adopted the revised Network and Information Security Directive (NIS2) in November 2022. This is critical new legislation with an array of provisions poised to help the EU raise its cyber resilience. It is especially important in a time of growing geopolitical tensions and cyberattacks where European citizens and their economies depend on a stable and secure digital infrastructure. And, as the Directive states, “cybersecurity is a key enabler for many critical sectors to successfully embrace digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.”
Governments of the 27 EU countries will soon have a 21-month timeline to transpose and implement NIS2 into national laws. While some Member States have already started drafting detailed requirements and legal texts, we expect all EU countries to dedicate time to develop the new measures. This task is not easy, given the greatly expanded scope of NIS2 versus its predecessor in terms of the critical sectors covered by the Directive as well as the requirements on them. NIS2 introduces the potential of fines for the first time, and has an array of new provisions encouraging Member States to promote leading technologies and approaches to counter increasingly sophisticated and automated cyberattacks.
Palo Alto Networks looks forward to partnering with organisations in the Member States as they work to implement NIS2 and help to raise the EU's cyber resilience to drive its digital transformation.
The range of covered entities has been significantly expanded from the original 2016 law, and entities are classified as either “essential” or “important,” reflecting the extent to which they are critical with regard to their sector or the type of service they provide, as well as their size.
“Essential entities” now include new sectors like wastewater management, space (ground operations), managed service providers, and many central and regional public administration entities, in addition to energy, transportation, healthcare and others. “Important entities” include postal and courier services, waste management, chemicals, food supply, all types of manufacturing and research institutions, which are all new.
Various trends spurred regulators to re-evaluate those sectors considered “critical,” and to take a more stringent and harmonised approach to cybersecurity policy across the EU. These trends include the increasing digitisation of many economic sectors, increasing reliance on remote work spurred by the COVID-19 pandemic, the Russian aggression against Ukraine, and the growing number of large-scale cyber attacks on critical infrastructures and government networks.
At the same time, the increased scope poses new challenges to government agencies on how to scale (and automate) their Computer Security Incident Response Team (CSIRT) services to the covered entities, as well as how to develop effective oversight of compliance.
NIS2 calls on the covered entities to implement a range of baseline risk management actions that are more detailed than those from the original law. These include technical and operational measures to manage risks and prevent or minimise the impact of incidents, including policies on information system security, incident handling and security in network and information systems acquisition.
NIS2 also introduces measures for ICT supply chain security, which will contribute to an effective risk management model. The European Commission will start drafting the implementing acts (secondary legislation) that will further prescribe the technical and methodological requirements for these measures in the next 21 months. We encourage the Commission to provide opportunities for private-sector engagement and technical input in this process.
NIS2 also expands cyber incident reporting requirements. Jurisdictions globally have been attempting to introduce more stringent incident reporting requirements, and NIS2 creates a multi-stage approach. Covered entities must submit an “early warning” to national CSIRTs or competent authorities within 24 hours after becoming aware of an incident, indicating whether a “significant” incident might have been caused by a malicious action or “could have cross-border impact.” This report must be followed by an incident notification to those authorities within 72 hours, followed by a more detailed report within one month.
A big challenge going forward is what Member States do with all of this incident information and how to act on it in an effective way with all the relevant stakeholders.
Incident reporting can play an important role in informing actions both to respond to incidents and to contain and prevent further impact from the threat or vulnerability. The impact of incident reporting obligations should ultimately be assessed by how information from reported cyber incidents is analysed, enriched and disseminated (ideally in a de-identified or anonymised manner) to bolster the security of the broader cyber ecosystem.
To this end, we would encourage Member States to consider a few approaches:
1) Automate reporting and security analytics because people cannot manually process this information quickly enough.
2) Leverage uniform and consistent reporting forms, supported by programmatic reporting capabilities, that would enable CSIRTs to quickly and efficiently operationalise data and re-disseminate to industry in unattributed reporting.
3) Include reporting elements that would give CSIRTs the ability to provide some reciprocal benefits to the impacted party or broader cyber ecosystem. For example, request specific threat actor identifiers, tactics, techniques or procedures while scoping out victim identifiers/observables. All of these elements would help ensure that reported incident information is used to develop actionable intelligence that is rapidly pushed out to protect entities in real time. Member States must also ensure the security of the underlying system to which incidents are reported. Persistent Russian access to US government systems through the SolarWinds campaign provides a critical lesson.
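As an added illustration of approaches 1) to 3) above (example code written for this page, not from the original post or from Palo Alto Networks), the block below models the 24-hour, 72-hour and one-month reporting stages and produces an unattributed version of a report that keeps threat actor TTPs and infrastructure while dropping victim identifiers. The record layout, field names and the sample incident are all constructed assumptions, not a NIS2 schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample early-warning record; every field name here is an assumption, not a NIS2 schema.
SAMPLE_REPORT = {
    "entity": "Example Wasserwerk GmbH",                 # victim identifier: never re-disseminated
    "entity_contact": "ciso@wasserwerk.example",
    "sector": "wastewater",
    "aware_at": "2023-03-01T09:15:00+00:00",
    "malicious_suspected": True,
    "cross_border_possible": False,
    "victim_observables": ["10.20.30.40", "hmi-01.internal.example"],
    "actor_ttps": ["T1566.001", "T1078", "see ticket 4711 at Wasserwerk"],  # last item is free text
    "actor_infrastructure": ["198.51.100.7"],            # constructed, documentation address range
}

# Reporting stages counted from the moment the entity becomes aware of a significant incident.
# "One month" is modelled as 30 days here (assumption); the exact reading is left to national law.
STAGES = {"early_warning": timedelta(hours=24),
          "notification": timedelta(hours=72),
          "final_report": timedelta(days=30)}

# Allow-list of fields that may leave the CSIRT; anything not listed is dropped by default.
SHAREABLE = {"sector", "malicious_suspected", "cross_border_possible",
             "actor_ttps", "actor_infrastructure"}
TTP_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # MITRE ATT&CK technique id shape, e.g. T1566.001


def nis2_deadlines(aware_at: str) -> dict:
    """Map each reporting stage to its UTC deadline, counted from the awareness timestamp."""
    t0 = datetime.fromisoformat(aware_at).astimezone(timezone.utc)
    return {stage: t0 + delta for stage, delta in STAGES.items()}


def meets_deadline(aware_at: str, submitted_at: str, stage: str) -> bool:
    """True when a submission at submitted_at arrives no later than the stage's deadline."""
    sub = datetime.fromisoformat(submitted_at).astimezone(timezone.utc)
    return sub <= nis2_deadlines(aware_at)[stage]


def deidentify(report: dict) -> dict:
    """Build the unattributed version for re-dissemination: keep actor TTPs and infrastructure,
    drop victim identifiers/observables, and keep only well-formed technique ids, because
    free text in that field could carry victim details back out."""
    shared = {k: v for k, v in report.items() if k in SHAREABLE}
    shared["actor_ttps"] = [t for t in report.get("actor_ttps", []) if TTP_ID.match(t)]
    return shared


if __name__ == "__main__":
    print(nis2_deadlines(SAMPLE_REPORT["aware_at"]))
    print(deidentify(SAMPLE_REPORT))
```

The allow-list is the security-relevant choice: a new field added to the intake form stays inside the CSIRT until someone decides it is safe to share.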
NIS2 offers Member States the option to impose administrative fines on essential and important entities for infringements of NIS2, which did not exist in the original NIS law. Essential entities can be subject to fines of at least EUR 10 million, or a maximum of 2% of total worldwide annual turnover in the preceding financial year (whichever is higher). These figures are EUR 7 million and 1.4% for important entities. Fines imposed “shall be effective, proportionate and dissuasive,” and are meant to be a last resort, reflecting the fact that the goal of NIS2 is to improve security (not to punish entities).
Not all activities laid out in NIS2 are intended for covered entities. Member States are encouraged to promote an array of actions to improve cybersecurity, such as to promote automation and artificial intelligence (AI) to improve detection and prevention, which is imperative to address today’s increasingly sophisticated and automated cyberattacks.
NIS2 also encourages national CSIRTs to be able to provide, upon request of a covered entity, “a proactive scanning of the network and information systems used for the provision of the entity's services” and assistance in monitoring “an entity's internet-facing assets… to identify, understand and manage the entity's overall organisational risks” (Recitals 43 and 44), which are key capabilities.
Attack surface management is increasingly important and leveraged by entities globally to provide an accurate accounting of their digital footprint and automate the discovery of vulnerabilities and exposures visible across that attack surface. Other necessary security approaches, like Zero Trust, are predicated on first establishing a process for accurate internet-facing asset discovery.
Database of Domain Names and Registration Data: NIS2 helpfully restores access to domain name registration information (WHOIS data) for legitimate access seekers that support cybersecurity efforts. This data is critical for cybersecurity companies to prevent and combat cybercrime. EU regulators rightly provide guidance to Member States to ensure that databases of domain names and registration data contain necessary, accurate and complete data.
Voluntary Threat Information Sharing: NIS2 encourages more voluntary cyber threat information sharing across the EU. Voluntary threat information sharing is a key tool to help critical infrastructure entities and CSIRTs understand threats and take steps to prevent successful cyberattacks. Cybersecurity companies play an important role in the threat sharing ecosystem. NIS2 acknowledges this by encouraging Member States to promote the inclusion of suppliers and service providers in information exchange arrangements.
Processing of Personal Data for Cybersecurity Purposes Under GDPR: NIS2 recognises that in order to improve cybersecurity, some degree of personal data processing is required. For instance, IP addresses can be relevant to identify cyberthreats, and IP addresses that may lead to the identification of an individual are considered personal data in the EU. In addition, some malware is embedded in Word documents, PDFs and other files that may include personal data. The fact that cybersecurity requires some degree of personal data processing is why processing personal data for security purposes is broadly recognised as a “legitimate interest” in the GDPR. NIS2 clarifies and expressly states (Recital 121 and Article 2.14) that the processing of personal data for ensuring network and information security, in certain scenarios, could be considered as a legal basis, either as a legitimate interest or a legal obligation, as described in Article 6 of GDPR. This clarification will help Member States reinforce the legal basis for personal data processing when transposing NIS2 into national law.
NIS2 is a major new law with an array of provisions poised to help the EU raise its cyber resilience. It opens a new chapter that will present new challenges and opportunities for the EU’s cybersecurity community for many years to come. As a member of the cybersecurity community, Palo Alto Networks has an interest in contributing to the cybersecurity of critical infrastructures across Europe, and we stand ready to work with all organisations across and between the EU Member States as they start to implement NIS2.