In 2016, with the first NIS Directive, the European Union introduced a set of rules aimed at ensuring a common high level of cybersecurity throughout its territory. In particular, the aim was to protect against incidents affecting systemic players, which could have major repercussions at EU level.
The new requirements mainly concerned players identified in each Member State as operators of essential services in certain sectors considered vital, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructures.
Broader scope, stronger measures
As the economy moves rapidly into the digital sphere, where everything is increasingly connected and interconnected, the European legislator adopted a revised version of this directive at the end of 2022.
"Through NIS2, the aim is to modernise the existing legal framework to keep pace with the digitisation of the economy and society, while taking account of the changing landscape of cybersecurity threats," explains Renaud André, Business Manager & Client Development at EBRC.
"With this in mind, the Directive extends the scope of cybersecurity rules to new sectors and entities, with a view to further improving the resilience and incident response capabilities of public and private players, as well as the competent authorities and the EU as a whole."
Entry into force in mid-2024
Adopted at European Union level, the directive must now be transposed into national law in each Member State so that it effectively enters into force before October 2024. Although the list of essential operators will not be made public, for security reasons, it should include more players.
Each of the entities affected by this directive will be required to raise its level of security and meet a set of requirements for the regulators, which for Luxembourg include the ILR and the CSSF.
"At the heart of our digital society, beyond the major players such as banks, airport companies, energy suppliers and digital service operators like EBRC, smaller structures may find themselves affected by this directive," says Renaud André. "Many innovative players, for example, can play a role in the management of operations considered to be systemic, in the fields of health, finance, payments and even energy."
Preparing without delay
Ahead of any new notification, all the players likely to be affected must now take stock of the requirements set out in the new directive and of the regulators' expectations.
"These requirements include documenting the security measures taken, implementing crisis management procedures and reporting incidents within set deadlines", adds Renaud André. These requirements can be relatively complex to understand and costly to implement. Therefore, it is important to be prepared.
"It all starts with identifying the issues and risks, for the company or with respect to its service providers. By working with the regulators, using a constructive and proactive approach, the players must implement or reinforce their security measures as soon as possible, by looking for the most appropriate solutions."
Taking a structured approach
There are many potential responses to these issues. There are, however, a number of standards on which a robust approach to security and resilience must be based.
These include ISO27001, which describes good practice in setting up an information security management system, and ISO22301, which covers business continuity management. For services hosted in the cloud, there is also the European cybersecurity certification scheme for cloud services (EUCS), which is still in the pipeline.
EBRC’s Business Manager goes on to say: "A good understanding of these standards will serve as the basis for preparing for these new requirements. Through our services, having obtained the certifications relating to these standards for ourselves, we can help the entities concerned to structure their approach and comply with the directive. In addition, with the expertise of the POST group, we can support the implementation of technical solutions that guarantee a high level of security and resilience for everyone involved".
The players concerned, now classified as essential entities (EE) or important entities (IE), will need to rely operationally on players who are equally aware of and involved in these issues.