NIS 2 Directive

To raise the cybersecurity resilience of European Union (EU) member states, the Directive on security of Network and Information Systems (NIS) was adopted in 2016 and has since been replaced by a revised directive, NIS 2 (Directive (EU) 2022/2555), adopted in December 2022 and in force since January 2023. NIS 2 fosters cross-border collaboration to improve the flow of information on incidents, threats and vulnerabilities. It complements other EU legislation such as the General Data Protection Regulation (GDPR), the Cybersecurity Act, the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act.

As the threat landscape changes, organisations must change with it to identify and mitigate emerging threats. NIS 2 was introduced to address shortcomings of the original directive, in particular its narrow scope and the inconsistent way member states had implemented it, and to strengthen the EU's resilience to cyber threats. Compared with NIS, NIS 2 broadens the scope, tightens incident reporting (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month), introduces sanctions and management accountability, mandates cybersecurity training and emphasises the use of cryptography and encryption.

The sectors covered by the original NIS remain in scope, NIS 2 adds eight new sectors, and a size-cap rule simplifies the identification of Essential and Important Entities. Entities in the highly critical sectors of Annex I qualify as Essential Entities when they exceed the EU thresholds for a medium-sized enterprise: at least 250 employees, or an annual turnover above EUR 50 million together with a balance sheet total above EUR 43 million. Entities of the types listed in Annex I or Annex II that are at least medium-sized (at least 50 employees, or both an annual turnover and a balance sheet total above EUR 10 million) but do not qualify as Essential are Important Entities. Certain entity types (for example DNS service providers and TLD name registries) are in scope regardless of size, and member states may designate further entities, so the size cap is a starting point rather than the whole test.

EU member states must transpose the NIS 2 Directive into national law by October 17, 2024, and its requirements apply to in-scope organisations from October 18, 2024. Early preparation is essential to meet these obligations on time. Non-compliance can result in administrative fines (up to EUR 10 million or 2% of worldwide annual turnover for Essential Entities, and up to EUR 7 million or 1.4% for Important Entities, whichever is higher), a temporary ban on individuals exercising management functions in an Essential Entity, and reputational damage.

If your organisation is within the scope of the NIS 2 Directive, review and audit your cybersecurity risk management programme, including vulnerability management. The obligations are set out in Chapter IV of the Directive: Article 21 requires an all-hazards, risk-based approach to minimising the impact of incidents and lists the minimum cybersecurity risk-management measures every in-scope entity must implement to protect its network and information systems, and Article 23 sets out the incident reporting obligations.

This Cyber Exposure Study provides guidance on using Tenable products to support NIS 2 Article 21, Cybersecurity Risk-Management Measures. Tenable provides capabilities that support the risk management and reporting activities required by NIS 2.

The NIS 2 measures supported by Tenable are:

  • Article 21(2)(a): Policies on risk analysis and information system security: Cyber Risk-Based Approach

  • Article 21(2)(b): Incident handling: Incident Management and Reporting

  • Article 21(2)(c): Business continuity, such as backup management and disaster recovery, and crisis management: Business Continuity Process and Technology

  • Article 21(2)(d): Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

  • Article 21(2)(e): Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure: Preventative Network and Information System Vulnerability Management

  • Article 21(2)(f): Policies and procedures to assess the effectiveness of cybersecurity risk-management measures: Policy Definition and Testing

  • Article 21(2)(g): Basic cyber hygiene practices and cybersecurity training: Cyber Hygiene

  • Article 21(2)(h): Policies and procedures regarding the use of cryptography and, where appropriate, encryption

  • Article 21(2)(i): Human resources security, access control policies and asset management: Asset Discovery and Access Control

  • Article 21(2)(j): The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate: MFA