Directive NIS 2


On 16 January 2023, Directive (EU) 2022/2555 of the European Parliament and of the European Council on measures for a high common level of cybersecurity across the European Union entered into force. This directive, also referred to as Directive NIS 2 or "Network and Information Security 2", responds to the evolving landscape of cyber threats by strengthening risk management practices, with the aim of guaranteeing a common high level of cybersecurity throughout the Union.


The NIS 2 Directive must be transposed by each EU member state into national law by 17 October 2024.


The ILR (Institut Luxembourgeois de Régulation), as regulator, will then ensure compliance with the national law, resorting if necessary to severe administrative sanctions and corrective measures. The Luxembourgish Government has already drafted a first transposition of the Directive into national law on 13 March 2024, amending the law of 23 July 2016 (the transposition of the NIS 1 Directive).

Broader scope of the NIS2 Directive: assess whether your organisation falls in the scope of the Directive

NIS 2 substantially broadens the scope of the original NIS Directive, which applied only to ‘Operators of Essential Services’ and ‘Digital Service Providers’. Going forward, NIS 2 will apply to a much larger pool of service providers, provided they qualify as ‘essential’ or ‘important’ entities under the Directive.

As mentioned above, the scope of the NIS 2 Directive expands significantly and now spans 18 distinct sectors of activity. These sectors, as delineated in the Directive, fall into two primary categories: highly critical and critical.

Highly critical sectors include energy (electricity, district heating and cooling, petroleum, natural gas, hydrogen), transport (air, rail, water, road) and banking. Entities within these sectors will now be classified as either important entities (EI) or essential entities (EE). This is a departure from the original NIS Directive, which addressed "Operators of Essential Services" (OSEs) and "Digital Service Providers" (DSPs).

However, not all organisations operating in the listed sectors will fall within the scope of NIS 2: business owners will also need to consider the location of their activities and the size of their business (as defined under European law). Since NIS 2 introduces the principle that organisations automatically fall within scope once they meet the criteria, and are then required to register themselves, it is highly recommended to carry out a scoping exercise to map the potential impact of the regulation.

Does the NIS 2 directive apply to your organisation?

Take the test in less than a minute using our online diagnostic tool from PwC.

In detail

Under the provisions of NIS 2, the management bodies of entities deemed essential or important are required to formally approve the cybersecurity risk management measures, to supervise their implementation closely, and may be held legally liable for infringements committed by their organisation.

In this context, all members of the management bodies will also have to undergo regular training in order to acquire sufficient knowledge and skills to identify risks, evaluate cybersecurity risk management practices and assess their impact on the services provided by their organisation.

According to NIS 2, essential and important entities are required to report to the national CSIRT, without undue delay, any incident having a significant impact on the provision of their services, as well as any cross-border impact of the incident.

To meet these reporting obligations, organisations must provide the following types of reports:

  • Early warning: issued without undue delay and no later than 24 hours after becoming aware of the incident, indicating whether the incident is suspected of being caused by unlawful or malicious activity and whether it could have a cross-border impact;

  • Incident notification: issued without undue delay and no later than 72 hours after becoming aware of the incident, updating the information provided in the early warning and giving a preliminary assessment of the severity and effects of the incident;

  • Intermediate status report: issued at the request of the CSIRT, providing relevant updates on the incident and its handling;

  • Final report: submitted no later than one month after the incident notification. It must contain a detailed description of the incident, including its root cause, the mitigation measures applied and any cross-border impact.

Attention point with respect to the ILR approach:

The incident reporting requirements above complement the obligations already imposed by the ILR for incidents having a significant impact on essential services and affecting networks or information systems:

  • Preliminary notification within 24 hours of discovering the incident;

  • Complete notification no later than 15 days after the preliminary notification or, if the incident turns out to be insignificant, notification of that fact to the ILR within the same timeframe;

  • Additional notification if new important information is discovered by the operator within 2 months of the final notification.

To enhance the cybersecurity of organisations, information-sharing arrangements and communities among essential entities will be facilitated so that information on cyber threats, near misses, vulnerabilities and similar topics can be shared on a voluntary basis. Suppliers and service providers will be able to participate in these information-sharing arrangements. Entities will be required to notify the competent authorities of their participation in such arrangements.

Under NIS 2, organisations are required to take a proactive rather than a reactive approach to risk management, introducing robust information security policies that cover specific perimeters such as Operational Technology (OT) cybersecurity. These policies aim to guarantee a systematic and in-depth analysis of risks, a homogeneous taxonomy, a risk mapping that fully takes local specificities into account, and a harmonised risk management process.

Furthermore, these policies should follow an all-hazards approach and be proportionate to the risk, the size of the organisation, the cost of the measures, and the impact and severity of the incidents it faces.

In line with the principle of proportionality, organisations are required to conduct comprehensive risk assessments of their systems, identifying potential vulnerabilities and threats. Organisations shall prioritise risks exceeding their risk appetite and implement a robust framework of mitigating measures. The NIS 2 Directive expects organisations to implement industry-recognised, state-of-the-art cybersecurity measures, such as:

  • Policies on risk analysis and information system security

  • Incident handling 

  • Business continuity, disaster recovery and crisis management

  • Supply-chain security (i.e. considering the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices)

  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

  • Cyber hygiene practices and cybersecurity training

  • Policies on the use of cryptography and encryption 

  • Human resources security, access control policies and asset management

  • Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity

Taking this principle of proportionality into account, organisations are expected to implement industry-recognised, state-of-the-art cybersecurity measures, in particular in the following areas:

  • Incident prevention, detection and response

  • Business continuity and crisis management

  • Control of risks linked to third parties

The ILR approach:

To ensure compliance with the NIS 2 Directive and to support organisations in their risk analysis, the ILR has developed a prototype regulatory platform called SERIMA (SEcurity RIsk MAnagement). This platform will enable interaction between regulated entities and the ILR.

In practice, regulated entities will carry out their risk analyses according to a common methodology, MONARC NC3. MONARC is a tool and a method that enables an optimised, precise and repeatable risk assessment.

The SERIMA platform will support entities in identifying critical assets and potential threats. It helps organisations understand which parts of their network and information systems are most vulnerable, and provides tools to assess the likelihood and impact of different types of cyber threats.

The ILR will pursue a collaborative approach to enable maturity improvements among Luxembourgish companies. 

In the event of infringements, the ILR is authorised to impose severe sanctions, such as the suspension of certifications, a temporary ban on the exercise of management functions, and administrative fines with a maximum of at least 10 million euros or at least 2% of the total worldwide annual turnover, in the preceding financial year, of the enterprise to which the essential entity belongs, whichever is higher.

However, sanctions would only be pursued as a last resort, after collaborative efforts have been exhausted.

Our services

At PwC, we support companies with comprehensive solutions tailored to achieving compliance with the NIS 2 Directive. Our services encompass assessments, compliance support and executive training.

  • We conduct thorough assessments of your current systems and processes, identifying the areas that require attention to align with NIS 2 requirements;

  • Our teams provide hands-on support for compliance with the Directive and its local transposition, helping you implement the changes required by the Directive in light of the current landscape of cyber risks;

  • We provide targeted training sessions for top management, giving them the knowledge and skills needed to understand cyber risks, steer the organisation's cyber strategy and thus ensure compliance with NIS 2, since they will be accountable for any breach of the company’s obligations.

With this approach, we aim to safeguard your business integrity and foster success in an evolving regulatory landscape.

Contact us

Maxime Pallez

Cybersecurity Director, PwC Luxembourg

Tel: +352 62133 41 66

Frédéric Chapelle

Advisory Partner, Technology, PwC Luxembourg

Tel: +352 49 48 48 4185
