While an increasingly digitized and interconnected world creates enormous opportunities for cyber-related threats, the tenth edition of ENISA’s Threat Landscape reports that cybersecurity attacks continued to increase in the second half of 2021 and in 2022, not only in terms of vectors and numbers but also in terms of their impact. The complexity and scale of cybersecurity incidents are growing, as is their economic and social impact, and the Russia-Ukraine crisis has brought a new paradigm that further affects critical infrastructure. Due to these circumstances, the European Union recently adopted the revised version (“NIS2”) of the Network and Information Security Directive (“NISD”), which provides legal measures to improve the overall level of cybersecurity in the EU, among them EU-wide cooperation on incidents and threats.

NISD became the first EU-wide legislation on cybersecurity; the policy was adopted in 2016 to implement risk management and incident reporting obligations for specific entities. Partly because of NISD, there is today a better understanding of the state of cybersecurity across Europe. The graph below was published by the EU Cybersecurity Agency (ENISA) and shows the damage related to the last single security incident experienced by the surveyed organisations.

ENISA’s 2021 NIS Investment Report reveals the average budget for NIS Directive implementation projects was approximately €175k and almost half of the organisations allocated €100k-€250k. When implementing the NIS Directive, 64% of surveyed organisations procured security incident & event log collection solutions, as well as security awareness & training services. NIS2 is further adopting new measures and widening the scope of rules.

What is the NIS2 Cybersecurity Directive?

  • Reinforced rules for a high common level of cybersecurity across the EU
  • Supervision for medium and large organizations across more than a dozen key sectors
  • Requires establishment of a higher level of mandatory, reviewable and sanctionable cybersecurity measures for risk management, security governance, incident reporting/recovery, resilience and network, system and application security
  • Requires risk reviews of security practices for major connected 3rd party services providers
  • NIS2 correlates with the CER directive (see below) and both seem to address the hybrid cyber-physical nature of OT

Currently, the directive is being prepared for official publishing by the EU parliament. It will then be adopted by national legislative bodies across the EU Member states and come into effect no later than 2024.

NIS2 is part of the EU’s cybersecurity strategy between 2020-2025 and coherently complemented by other policies. Especially relevant for operational environments is the Critical Entity Resilience (CER) directive which is closely interrelated with NIS2. Also, the EU Cyber Resilience Act (CRA) has significant consequences for vendors and service providers of operational equipment.

CER Directive:
Transposed in parallel to the NIS2 Directive, together they address current and future online and offline risks, from cyberattacks (NIS) to physical attacks and natural disasters (CER). Like NIS2, the CER Directive is currently in its final publication stage. CER focuses on physical rather than digital resilience measures for critical entities. National authorities perform reviews and assess the effectiveness and accountability of the risk management process; they can also provide significant support to entities.

EU Cyber Resilience Act (CRA):
The CRA is a legislative proposal to regulate a broad range of digital devices, their hardware, and solutions with embedded software and applications. It imposes obligations on manufacturers, importers, and distributors of these products across their life cycles. It also defines essential requirements for the design, development, production and operation of digital products, and adds requirements for vulnerability and incident handling for manufacturers as well as obligations for operators.

 

NIS2 is the successor of the NIS Directive (NISD), which was the first EU-wide legislation on cybersecurity. It was published in 2016 and the national transpositions came into effect in 2018. From the national interpretations of NISD, we know that operational technology was in scope at least for the energy sector. All entities in scope, including their significant connected subcontractors, software, and service providers, should act now to prepare for compliance.


When NIS2 becomes effective, all entities are obligated to report severe security incidents, undergo increased supervision, and ensure far-reaching organizational and technical measures are in place.


NIS2 comes with increased security requirements over NISD:

  • NIS2 is applicable to more sectors, increasing the number of businesses in scope roughly tenfold
  • This includes supply chain security for critical subcontractors and essential software/libraries; managed security services providers are now in scope as well
  • Essential entities will be regularly assessed; important entities are planned to be assessed only after a significant threat or incident has occurred
  • Appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service must be established
  • Increased cybersecurity risk management measures and reporting obligations
  • Management bodies of the entities should approve the cybersecurity risk measures, supervise their implementation and be accountable for non-compliance
  • All entities are encouraged to share threat and vulnerability intelligence and to leverage knowledge and experience to enhance their capabilities to assess, monitor, defend against and respond to cyber threats
  • Government bodies will establish or use an existing single point of entry for incident reporting and increase national supervision and reporting obligations; stricter enforcement, liability and sanctions are imposed across the EU

Is OT security in scope of the NIS2 Directive?

With the extension of the sectors in scope to include manufacturing, it could be assumed that the operational domain is covered by NIS2. However, OT security had not been explicitly mentioned in any regulation. This changed in the 4th quarter of 2022, when several papers from EU regulators appeared that explicitly include operational environments as part of the regulated cyberspace:

  • ENISA, for the first time, includes a chapter on OT security in the current 2022 NIS Investment report, also mentioning cyber-physical system security as an emerging topic
  • ENISA mentions Operational Technology in the 2022 Threat Landscape report
  • The increased interdependence between physical and digital infrastructure and the impact of cyber activities is acknowledged in the proposal notes of the upcoming CER Directive (final publication planned in parallel to NIS2)
  • Operational technology is defined in the regulation on cybersecurity requirements for products with digital elements (2022) and the related commission staff working document

Even where it is not explicitly mentioned, it can be assumed that operational technology is going to be in scope for NIS2. The combination of digital threats and physical impact makes OT security a hybrid between the NIS and CER Directives.

What does that mean for the entities in scope?

We know there is already a skills shortage in cybersecurity and especially for OT, but there is a notorious lack of experts with a combined industrial operational risk understanding and security expertise. Entities and regulators will have to find ways to identify and evaluate the most efficient, automated, and integrated approaches for continuous and active management of risks, including OT. NIS2 will require organizations to understand their risks and actively manage their security measures. A one-time, project-based security investment into a single-dimensional technology without proper management integration will not be sufficient to cover the increasing requirements of multiple directives. A checklist for OT security technology evaluations can be found at the end of the document.

Checklist for NIS2 Directive

The checklist below serves as a guide to understanding if you’re in scope and what topics are regulated:

1. Sectors in scope

NIS2 introduces a new classification of entities in scope. If you’re considered essential, regulatory requirements will be slightly tighter than for important entities. Check the two lists below to see whether you are considered in scope, and in which classification category. Subsectors with potential OT security-related regulation are marked with a cross; sectors without industrial environments are not covered in detail and are mentioned in brackets.

Essential Entities:

If your sector is considered essential, you might even be considered a critical entity under the CER Directive. In this case, you will also be contacted by local authorities.

Industries classified as Essential Sectors in scope of NIS2

Sector | Subsector | Type
Energy | Electricity | Energy supply, selected Distribution System Operators, selected Transmission System Operators, selected Electricity Producers, nominated Electricity Market Operators and selected participants
Energy | District heat/cooling | Operators for district heating or district cooling
Energy | Oil | Operators of transmission pipelines, operators of oil production, refining and treatment facilities, storage and transmission, selected central oil stockholding entities
Energy | Gas | Selected suppliers, selected distribution system operators, selected transmission system operators, selected storage system operators, selected LNG system operators, selected natural gas undertakings
Energy | Hydrogen | Operators of hydrogen production, storage and transmission
Transport | Air | Selected air carriers, selected airport managing bodies, Air Traffic Control service providers (ATC)
Transport | Rail | Selected infrastructure managers, selected railway undertakings
Transport | Water | Selected inland, sea and coastal passenger and freight water transport companies, selected managing bodies of ports, selected operators of vessel traffic services
Transport | Road | Selected road authorities, selected delegated traffic management control regulations, selected operators of Intelligent Transport Systems
Health | Pharma, Manufacturing, Laboratories, Services | Selected entities manufacturing medical devices considered as critical during a public health emergency, selected healthcare providers, EU reference laboratories, selected entities carrying out research and development activities of medicinal products, selected entities manufacturing basic pharmaceutical products and pharmaceutical preparations
Water | Drinking water | Selected suppliers and distributors of water intended for human consumption, excluding those for whom this is a minor part of their general activity
Water | Waste water | Selected undertakings collecting, disposing of or treating urban, domestic and industrial wastewater, where this is an essential part of their business
Space | Infrastructure, Services | Selected operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services
B2B ICT Services | – | Managed Services Providers (MSP), Managed Security Services Providers (MSSP)
Digital Infrastructure | – | (e.g. selected providers of public electronic communications networks and services, Data Center Service Providers), selected medicinal products, selected cosmetics, tobacco, narcotics
Banking, Financial Markets, Public Administration | – | Not in the focus of this document

 

Important Entities:

Subsectors classified as Important Entities in scope of NIS2

Sector | Subsector | Type
Postal and courier services | – | Selected postal service providers
Waste management | – | Selected entities carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity
Food production, processing, distribution | – | Entities engaged in wholesale distribution, industrial production and processing of any food and drink. Excluded are entities that are not a food business (e.g. feed, live animals unless intended for human consumption, plants prior to harvesting)
Manufacturing | Chemicals | Selected undertakings carrying out the manufacture, production and distribution of substances and articles
Manufacturing | Medical Devices | Entities manufacturing medical devices
Manufacturing | Computer, electronic and optical products | Entities that manufacture computers, electronic and optical products, electronic components and boards, loaded electronic boards, computers and peripheral equipment, communication equipment, consumer electronics, instruments and appliances for measuring, testing and navigation, watches and clocks, irradiation, electromedical and electrotherapeutic equipment, optical instruments and photographic equipment, magnetic and optical media
Manufacturing | Electrical equipment | Entities that manufacture electrical equipment, electric motors, generators, transformers and electricity distribution and control apparatus, batteries and accumulators, wiring and wiring devices, fiber optic cables, other electronic and electric wires and cables, wiring devices, electric lighting equipment, domestic appliances, non-electric domestic appliances, other electrical equipment
Manufacturing | Machinery and equipment n.e.c. | Entities that manufacture general-purpose machinery, engines and turbines (except aircraft), vehicle and cycle engines, fluid power equipment, other pumps and compressors, taps and valves, bearings, gears, gearing and driving elements, other general-purpose machinery, ovens, furnaces and furnace burners, lifting and handling equipment, office machinery and equipment (except computers and peripheral equipment), power-driven hand tools, non-domestic cooling and ventilation equipment, other general-purpose machinery n.e.c., agricultural and forestry machinery, metal forming machinery and machine tools, other special-purpose machinery, machinery for metallurgy, machinery for mining, quarrying and construction, machinery for food, beverage and tobacco processing, machinery for textile, apparel and leather production, machinery for paper and paperboard production, plastic and rubber machinery, other special-purpose machinery n.e.c.
Manufacturing | Motor vehicles, trailers and semi-trailers | Entities that manufacture motor vehicles, trailers and semi-trailers, bodies (coachwork) for motor vehicles, parts and accessories for motor vehicles, electrical and electronic equipment for motor vehicles, other parts and accessories for motor vehicles
Manufacturing | Transport equipment | Entities that manufacture transport equipment, ships and boats, ships and floating structures, pleasure and sporting boats, railway locomotives and rolling stock, air and spacecraft and related machinery, military fighting vehicles, transport equipment n.e.c., motorcycles, bicycles and invalid carriages, other transport equipment n.e.c.

 

You may still be impacted if:

  • Your sector is in one of the above lists and your business is considered (by your Member State) to be of national importance. This can be the case when the services provided are essential, the entity is the sole provider, and a service disruption has an impact on public safety, security or health.
  • You have been identified as a critical entity under the CER Directive. Critical entities are also mandatorily in scope of NIS2. Critical entities are contacted by local authorities.
  • You’re a major services provider to a client that is considered in scope of NIS2. In this case, you will not face mandatory duties yourself, but you will be required to have some cybersecurity practices in place, like a defined process for vulnerability disclosure and communication with the client. Providers of managed security services are in scope.

If you’re unsure, you can reach out to ENISA for clarification. The EU agency will create and maintain a registry of essential and important entities under NIS2.

Member states can exclude areas of defense, national security, public security or law enforcement from the directive.

 

2. Business size

For the two main types of entities and with a focus on industrial environments, only medium and large enterprises are in scope.

  • Medium enterprises: 50-250 employees, €10-50m revenue, balance sheet total up to €43m
  • Large enterprises: more than 250 employees, more than €50m revenue, balance sheet total above €43m
  • Special entities of national importance: any size

If at this point, you are in scope, you must provide contact details:

  • Initially notify ENISA, within 12 months, of your entity name, the addresses of your main and other legal establishments in the EU, and up-to-date contact details, including email addresses and telephone numbers
  • Foreign corporations not established in the EU but providing services there (e.g. data center and content providers) must provide a designated representative contact
  • Report changes within 3 months after the change became effective

If you are not in scope, you can still participate and report significant incidents, cyber threats or near misses on a voluntary basis.

 

3. Regulatory requirements

Like NISD, NIS2 only provides a minimum mandatory set of measures to cover. These are not necessarily interconnected or even directly related; in many cases, additional steps, processes or security functions lie in between. Security measures are not specified in detail. This is normal for EU directives: they only describe a broad outcome and allow national legislation to choose the level of detail it regulates. Later, an implementing regulation for NIS2 with more detailed requirements will follow, which is binding on the Member States. The following list contains the minimum mandatory areas of coverage for all entities; exceptions are mentioned. As a general rule, essential entities are subject to a stronger supervisory regime, while important entities are subject to a lighter one: they have no initial obligation to systematically document compliance with cybersecurity risk management requirements until a major incident or threat occurs. At that point, they will be supervised.

The image below gives an overview of the minimum required and reviewed cybersecurity measures (orange), and additional requirements (blue boxes) to be NIS2 compliant.

 

Governance

  • Cybersecurity risk management measures (see below) are defined and implemented
  • The measures are approved by management bodies which are also held accountable for non-compliance
  • Specific training to understand security risks and their impact on operations
  • If non-compliance is detected, the necessary corrective measures should be taken without undue delay to bring the service concerned into compliance

 

Minimum cybersecurity risk management measures

All entities must take appropriate and proportionate technical and organizational measures to manage the cybersecurity risks posed to the security of networks and information systems. These measures shall ensure that the level of security is appropriate to the risk presented. Systems used in the provision of services in particular shall be considered. Management is accountable for all measures and for any non-compliance.

The following measures represent the minimum requirements to be covered:

  • Risk analysis
  • Information system security policies
  • Incident handling (prevention, detection, and response to incidents)
  • Business continuity and crisis management
  • Supply chain security with suppliers or service providers
  • Security in network and information systems acquisition, development, and maintenance
  • Vulnerability handling and disclosure. This includes vulnerabilities specific to each supplier and service provider, overall quality of products, and cybersecurity practices of their suppliers and service providers including their secure development procedures.
  • Auditing of policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Use of cryptography and encryption for data protection
  • New measures can be added based on cyber threats, technological developments or sector-specific requirements

Supply chain security risks are defined by the relationship between entities and their suppliers, where both supplier and customer can be targeted. Relationships can exist in the digital and the physical world.

Supply chain includes:

  • Subcontractors and service providers
  • Open-source or 3rd party libraries and software packages that are required for operations to function
  • 3rd party infrastructure used
  • 3rd party managed security services providers
  • For the OT domain, this could also include major 3rd party engineering offices that configure and maintain industrial equipment

Quick checklist for the first steps:

  • Relevant assets are detected to a very high degree within the appropriate timeframe. Does this also apply for OS-based and embedded systems in OT?
  • Security policies are documented, communicated and assessed.
  • Is a process to report (potential) significant incidents in place?
  • Assets in scope have been identified, are monitored, and vulnerabilities and threats are managed.
  • The entity is capable of identifying, monitoring and alerting, and possesses the capability to respond to a threat.
  • A ticketing system to manage and document incident detection, triage and response is in place.
  • Critical processes and their assets are known, documented and security measures are in place.
  • Supply chain risks are identified and mitigating measures are in place.
  • Can evidence from a security management system be relied on for industrial assets?

 

Incident reporting obligations

Incident reporting, government support, and information sharing across entities are among the main areas of regulation. The importance of the topic is reflected in tight deadlines, and non-compliance can become subject to sanctions. A notification does not make the notifying entity subject to increased liability.

The process consists of these steps:

  1. An incident or threat is identified
  2. Initial notification is sent by an entity within 24 hours
  3. Authorities send an initial response within 24 hours and provide guidance on mitigation measures
  4. Intermediate report on relevant status updates sent by the entity on request by authorities
  5. A final incident report is sent by an entity (within one month after notification)

What incident to notify?

  • An incident that caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned
  • An incident that has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses
  • An incident having a significant impact on the provision of the services
  • Any significant cyber threat that those entities identify that could potentially have resulted in a significant incident (near misses)
  • An indication of whether the incident is presumably caused by unlawful or malicious action

The NIS2 specification for a significant incident is expected to be related to the number of users affected by the disruption of an essential service, the duration of the incident and the geographical area affected by the incident.

Who and when to notify?

  • The national competent authority or CSIRTs
  • Recipients of the services (incidents and potential incidents)
  • Without undue delay, within 24 hours after having become aware of the incident

A final incident report must be sent no later than one month after the submission of the notification. It must at least include:

  • A detailed description of the incident, its severity and impact
  • Type of threat or root cause that likely triggered the incident
  • Applied and ongoing mitigation measures
  • Whether the incident is caused by unlawful or malicious action

Quick checklist for reporting readiness:

  • A representative is defined who has the authority to take decisions on the entity’s behalf, exercise control and ensure compliance with the obligations
  • Has a NIS2 incident communication process been defined, communicated and trained?
  • Has incident detection and response been trained?
  • Can evidence be provided to government bodies?
  • Vulnerabilities, threats and incidents are detected. At which quality? Is the process automated?
  • Is the organization capable of identifying the root cause? Does this include attack time and path?
  • Does the OT response allow operators on-site to approve changes to their equipment?

 

Prepare for supervision of national authorities

Supervision is a national task, and NIS2 substantially increases the coverage and requirements for entities. At this checkpoint, essential entities face tighter requirements than important entities. For important entities, regulatory intervention and supervision are only triggered when a severe impact or threat (or an indication of one) occurs.

Member States, with their national competent authorities, are exercising their supervisory tasks in relation to the entities, and have the power to subject all entity types to:

  • On-site inspections and off-site supervision after an incident occurred or a threat becomes public
  • Targeted security audits
  • Security scans
  • Requests for any information necessary to assess cybersecurity measures like documented cybersecurity policies and compliance with the obligation to notify ENISA of entity name and contact details
  • Requests to access data, documents, or any information necessary to perform their supervisory tasks

Additionally, essential entities can be subjected to:

  • On-site inspections, off-site supervision and random checks without any cause (incident)
  • Regular audits
  • Requests to provide evidence of the implementation of cybersecurity policies
  • Requests to provide the results of security audits carried out by a qualified auditor and the respective underlying evidence

At the EU level, ENISA develops and maintains a European vulnerability registry and a peer-review system to assess (and harmonize) the Member States’ requirements, obligations and methodology.

 

Power of national authorities

So far, we have looked at the regulation from the entity’s viewpoint. NIS2 regulates many aspects of the national and joint cybersecurity governance between member states, but we will focus on regulated topics that directly impact entities. The list below gives an idea of the level of detail the directive seeks to cover.

National authorities define and establish bodies for the governance of entities in scope. They oversee NIS2 regulatory compliance and will establish a single point of contact for cybersecurity and supervision. They also assure all entities share cybersecurity information that aims to prevent, detect, respond to or mitigate incidents.

Sorted by impact, competent authorities from member states exercise supervisory tasks and have the power to:

  • Shape the directive
    • Define certain maximum fines
    • Lay out cybersecurity risk management and reporting obligations
  • Enforcement
    • Issue binding instructions
    • Cease conduct that is non-compliant with the obligations
    • Order entities to bring their risk management measures and/or reporting obligations in compliance
    • Order entities to implement the recommendations provided as a result of a security audit
    • Order entities to make public aspects of non-compliance
  • Supervision for both entity types
    • Impose administrative fines on essential and important entities
    • Ensure entities take appropriate and proportionate technical and organizational measures to manage cybersecurity risks
    • Ensure that entities notify the national competent authorities or the CSIRTs of any cybersecurity incident having a significant impact on the provision of the service they provide
    • Request information necessary to assess the cybersecurity measures adopted by the entity, including documented cybersecurity policies
    • Request access to data, documents or any information necessary for the performance of their supervisory tasks
  • Essential entity supervision
    • Continuously supervise essential entities (an obligation of the authorities)
    • Suspend the part concerned or all of the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements
    • Set a deadline for the essential entity to take the necessary action, remediate deficiencies and comply with the requirements of those authorities
    • Request evidence from essential entities of the implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence
  • Support
    • Provide crisis management for large-scale incidents
    • Empower CSIRTs (Computer Security Incident Response Teams) to monitor cyber threats, vulnerabilities and incidents at national level, provide early warning of cyber threats, vulnerabilities and incidents, and respond to incidents in essential and important sectors
    • Request information on initial entity registration

 

What can essential entities do to cover NIS2?

Entities should use the directive to develop and establish an OT security organization; a collaborative IT-OT approach is most effective when harmonized. The following steps can be performed if no security management is in place yet:

  1. Obtain support from management (GM, CISO, COSO or director operations) and approval of management accountability at a national level for an OT security program to comply with NIS2.
  2. Determine your security governance model. In most cases, companies have central governance, local key stakeholders and local operations.
  3. For IT security-driven governance that covers IT and OT, make sure the operational site is included and involved from the early stages on. Without OT support, the cybersecurity initiative is not going to be effective.
  4. Identify stakeholders from the business, CISO and COSO (Chief Operational Security Officer), OT and IT, legal, and HR.
  5. Perform a brief business impact analysis to identify critical industrial processes, supporting processes and critical vendors from the supply chain with an impact on your service delivery.
  6. For budget and risk estimates, use survey data (ENISA NIS investment report, threat reports). Consider outage costs, loss of production, add recovery and the efforts needed to get back to normal operation, add estimated NIS2 penalty costs and damage to connected businesses.
  7. Define a security policy that describes processes for asset inventory and asset management, network segmentation, vulnerability and patch management, change management, general security baselines, user access and password management, monitoring and logging, incident management with the detection-analysis-response process, antivirus, use of cryptography, backup and recovery. Evaluate solutions (see section below).
  8. Based on the critical industrial processes from 5 above, identify related systems, components, networks and controllers and their ownership
  9. Identify relevant 3rd party providers for NIS2-related services, review contracts for security coverage, and make changes to the procurement process when necessary
  10. Assign responsibility for NIS2 to existing roles on location and process level
  11. Evaluate the business impact from 5 above, define a high-level business continuity plan, make sure recovery measures are considered
  12. Make sure there is a documented NIS2 incident management, incident communications and improvement process in place and relevant roles are defined, aware and trained
  13. Perform a self-assessment, followed by an internal or external audit, and practice the remediation of findings
  14. Prepare for an audit by your local government body

 

How Verve supports clients in their NIS2 coverage

No matter where you are in the cybersecurity journey from a basic understanding to more mature adoption, it’s critical to significantly increase your level of defense and reliability with an end-to-end solution to assist with the cybersecurity risk and incident reporting measures.

NIS2 comes with a substantial expansion of cybersecurity risk management and governance requirements. Combined with the existing shortage of security labor, especially in operational cybersecurity, this means that effective, integrated and automated solutions will need to be adopted in operational environments. These solutions must be flexible enough to adapt to different risk scenarios and organizational capabilities.

Verve’s approach delivers distinct benefits in operational environments:


Deep asset visibility: Capture visibility of all OT assets in depth (OS-based, embedded, network-based, etc.), with a centralized view across sites and vendors.

NIS2-relevant for granular asset visibility across countries, plants, vendor equipment and security aspects; rapid identification of all assets to which governance, risk or compliance management has to be applied; an always up-to-date base library of assets; and the capability to link assets to critical processes.


Better risk management: 360-degree risk score of assets (patch status, vulnerabilities, users/accounts, passwords, encryption in use, AV status, etc.) in a single, central console. Enables trade-offs between the available remediation options.

NIS2-relevant for defining risks and developing measures; threat, vulnerability and risk detection; monitoring and maintaining system and network security; incident detection; critical change detection; identifying corrective measures for auditing and compensating controls (especially important in often-constrained OT environments); and integration of third-party information such as OEM vendor patch recommendations.


Rapid response and remediation with integrated actions: Integrated change, patch, configuration, software, user and other remediation actions. Faster mean time to remediation and lower patch downtime.

NIS2-relevant for active measures such as threat and incident prevention and response, response orchestration, patch prioritization and increased cyber resilience; provides flexibility in developing the most effective measures at OS, application or network level.


Lower labor costs: Centralize analysis of all endpoints (and integrate with enterprise IT) while keeping local control over actions. Expert resources are available to deploy and manage the solution.

NIS2-relevant as it allows highly effective operating models with central governance and local execution, helps with IT-OT collaboration, harmonizes security with less effort, and accounts for both operational and security risks.

Operationally safe & efficient: Built-in OT safeguards and operational benefits such as improved network and system reliability. Tested across all OEM vendor systems.

NIS2-relevant for providing security without introducing new operational risks.

Several regulatory requirements can be covered with technology in a semi- or fully automated way. However, technology is only as good as the underlying organizational process, and the revised directive requires both entity types in scope (essential and important entities) to establish risk and security management that is backed by organizational processes. Simply acquiring technology as a security project will not be good enough under NIS2. In industrial environments the workload is already high today, so the overall security coverage, the reliability and the capability to automate will most likely decide whether the program succeeds.


Here’s a quick checklist when evaluating OT cybersecurity solutions:

  • OT coverage

    • Is enough security context information provided to identify compensating controls?
    • Are industrial controllers, OS-based endpoints and network gear discovered and covered?
    • How many OEM brands do you have? How OT-vendor-agnostic is the security solution?
    • Are OEM vendor recommendations considered for patching?
    • Can patch deployments and security changes be approved, including by operations on site?
    • Is bandwidth usage minimal, and can security communication be fine-tuned?
    • Does the solution adapt to the existing operational processes, or does the organization need to adapt to the technology?
    • Does the solution work in air-gapped environments?
  • Security coverage

    • Which security measures are covered out of the box, which can be integrated, and which must be covered with additional solutions?
    • What is the quality and reliability of the security data provided?
    • Is an integrated security picture provided across different security software solutions?
    • Does the technology generate alerts on all relevant events?
    • What types of actions are supported? Can they be orchestrated?
    • What percentage of the security policy can be reviewed with the solution?
    • What capabilities support secure operation of the solution, its data and its user access?
    • Can incidents not only be detected but also remediated across vendors in an OT-accepted way?
    • How comprehensive is the solution in its coverage of protect, detect, respond and recover? How much does it add to process resilience?
    • Is the solution capable of detecting issues and taking the NIS2-related measures, such as:
      • maintaining a reliable, current asset library
      • patch and vulnerability management
      • identifying a locally compromised asset
      • detecting and orchestrating changes
      • reviewing user access
  • Efficiency

    • How much is automated, and how much can be?
    • How actionable are the generated alerts?
    • How much additional workload is added to organizational processes?
    • What is the false positive/negative rate when discovering existing vulnerabilities and applying patches?
    • How fast is the path from threat detection to remediation? How long does it take across a single plant, all plants in a region, or globally?
    • How many solutions would be required to perform incident detection and response with compensating measures across two plants?
  • Completeness

    • Are all relevant asset types, their vulnerabilities and their patch levels identified? In what time frame?
    • What percentage of OT-specific equipment is covered?
    • Are the solution's benefits agreed by operations?

Verve Industrial Protection has a successful track record of assisting industrial companies in increasing their maturity against different security standards through our professional design and support services, as well as by deploying the Verve Security Center.


NIS2 Webinar Registration

Join our next webinar on January 24, 2023 for a deeper dive into the NIS2 Directive.