
Take Action Now on NIS2 Directive

“Have Your Say: Comment on the NIS2 Cybersecurity Risk Management Draft Regulations by July 25, 2024”

It’s time to ‘Have Your Say’ on the future of cybersecurity regulation in the European Union. The European Commission’s draft implementing regulation under the NIS2 Directive is open for public feedback through the ‘Have Your Say’ portal until July 25, 2024. During this consultation period stakeholders can comment on the draft, and the feedback received will be taken into account in the final text.


What is the purpose of the Implementing Regulation?

The draft regulation lays down detailed rules for applying the NIS2 Directive to the entities it covers: the technical and methodological requirements for the cybersecurity risk-management measures listed in Article 21(2) of the Directive, and the criteria for determining when an incident affecting these providers is significant. The penalties for non-compliance come from the Directive itself (Article 34), as transposed by each Member State: essential entities face administrative fines with a maximum of at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher, and important entities a maximum of at least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher.


Who is in scope of the Regulation?

The regulation applies to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking services platforms, and trust service providers (together, the “relevant entities”). These are the entities in the Digital Infrastructure, ICT Service Management and Digital Provider sectors of the Directive’s annexes for which Article 21(5) of NIS2 requires the Commission to specify the risk-management requirements by implementing act.


When will the regulation be implemented?

The draft regulation is due to be adopted by October 17, 2024, the deadline set in Article 21(5) of the Directive. The same date is the deadline for Member States, including Ireland, to transpose NIS2 into national law. From October 18, 2024, the date from which the transposed measures apply, the implementing regulation is intended to apply directly to all relevant entities; as an EU regulation it needs no national transposition. Relevant entities should plan to be compliant by that date.


Cybersecurity Risk Management Measures 

The NIS2 Directive (Article 21(2)) requires essential and important entities to implement ten cybersecurity risk-management measures; the draft implementing regulation elaborates these into 13 sections of technical and methodological requirements in its Annex. Relevant entities must also notify the competent authority or CSIRT of any ‘significant incident’ within the deadlines set by Article 23 of the Directive: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

To effectively prepare for compliance and enhance cybersecurity resilience, entities should consider implementing the following measures based on European and International Standards:

  1. Information Security Policy:

    An effective information security policy should be aligned with the organisation’s security objectives and business goals, state its risk tolerance levels, list the top-level policies and the documentation required to support them, assign responsibilities, and be reviewed and updated regularly so that it remains current and is actually complied with.

  2. Risk Management Policy:

    This involves creating a risk management framework, communicating clear procedures for risk analysis and treatment, performing risk assessments informed by cyber threat intelligence, identifying risk owners, and using standards-based methodologies. Regular reviews and updates ensure that the organization adapts to new threats and maintains a consistent level of security.

  3. Incident Handling:

    Organizations should establish an incident handling policy that defines roles, responsibilities and procedures for detecting, analysing, containing, responding to, recovering from, documenting and reporting incidents. Detection and response should be supported by monitoring, logging and event reporting, and every incident should be followed by a post-incident review so that lessons learned feed back into prevention.

  4. Business Continuity, Backup and Crisis Management:

    Establish and maintain business continuity, disaster recovery, backup management and crisis management plans, and test and update them regularly to ensure readiness for incidents and disruptions.

  5. Supply Chain Security:

    Establish, implement, and apply a supply chain security policy, including criteria for selecting and contracting suppliers based on cybersecurity practices, resilience, and compliance with specified security requirements.

  6. Security in Systems Acquisition and Maintenance:

     Establish and implement processes and procedures for securing the acquisition, development and maintenance of ICT services or products, including setting security requirements, managing updates and patches, validating compliance, and conducting security testing throughout their lifecycle.

  7. Effectiveness Assessment:

    Establish, implement, and apply policies and procedures to assess the effectiveness of cybersecurity risk-management measures, including monitoring, measurement, analysis, and evaluation based on risk assessments and past incidents.

  8. Basic Cyber Hygiene and Training:

    This includes awareness-raising programs on cybersecurity risks and basic cyber hygiene practices for all employees, alongside providing role-specific security training aligned with network and information security policies and procedures.

  9. Cryptography:

    This involves setting guidelines for cryptographic measures, protocols, key management, and practices to safeguard information integrity and confidentiality according to organizational risk assessments and asset classifications.

  10. Human Resource Security:

    Employees and relevant parties should understand and commit to cybersecurity responsibilities through policies covering cyber hygiene, role awareness, background checks, and procedures for employment changes and disciplinary actions.

  11. Access Control:

    Establishing and enforcing policies for controlling logical and physical access to network and information systems, ensuring proper authentication, managing access rights based on business needs and security requirements, and regularly reviewing and updating these measures to mitigate risks effectively.

  12. Asset Management:

    Relevant entities should classify information and assets based on their sensitivity and criticality, establish policies for their secure handling throughout their lifecycle, maintain an accurate inventory, and implement procedures for the return or deletion of assets upon termination of employment.

  13. Environmental and Physical Security:

    Relevant entities should ensure the security and resilience of network and information systems against physical and environmental threats by protecting supporting utilities, implementing protective measures, and controlling physical access to sensitive areas.


Significant Incidents Criteria

While the NIS2 Directive itself defines a significant incident only in general terms (Article 23(3): severe operational disruption or financial loss, or considerable damage to other persons), the draft implementing regulation sets concrete, measurable criteria that all relevant entities must apply. An incident is deemed significant if it meets either the general criteria or the criteria specific to the entity’s type of service.

The general criteria include direct financial loss exceeding €100,000 or 5% of the entity’s total annual turnover in the preceding financial year (whichever is lower), considerable reputational damage (for example, incidents reported in the media or affecting regulatory compliance), exfiltration of trade secrets, death or considerable damage to health of a natural person, successful and suspectedly malicious unauthorised access to network and information systems, and recurring incidents with the same apparent root cause.

Specific criteria vary by type of provider. For instance, DNS service providers face criteria such as complete unavailability of the domain name resolution service for more than 10 minutes, or response times to DNS requests exceeding 10 seconds for more than an hour, while managed service providers and managed security service providers are evaluated on service unavailability, breaches of service level agreements, and compromise of data integrity, confidentiality or authenticity affecting more than 5% of users.

Your feedback through the ‘Have Your Say’ portal will play a crucial role in shaping the final regulation, ensuring it meets the diverse needs and challenges of digital service providers across the EU. Visit the Have Your Say portal to contribute your insights and help shape the future of cybersecurity regulations in Europe.


HOW CAN CENTRIPETAL HELP

Relevant entities subject to NIS2 should begin now to perform risk analysis and assess their security posture against the draft requirements. To help prepare, Centripetal can provide real-time automated shielding and monitoring with CleanINTERNET®, proactively protecting your organization from known cyber threats.
