The NIS2 Navigator’s Handbook E-Book

The NIS2 Navigator’s Handbook

Other publications by Van Haren Publishing

Van Haren Publishing (VHP) specializes in titles on Best Practices, methods and standards within four domains:

- IT and IT Management

- Architecture (Enterprise and IT)

- Business Management and

- Project Management

Van Haren Publishing is also publishing on behalf of leading organizations and companies: BRMI, CA, Centre Henri Tudor, CATS CM, Gaming Works, IACCM, IAOP, IFDC, Innovation Value Institute, IPMA-NL, ITSqc, NAF, KNVI, PMI-NL, PON, The Open Group, The SOX Institute.

Topics are (per domain):

IT and IT Management

ABC of ICT

ASL®

CMMI®

COBIT®

e-CF

ISM

ISO/IEC 20000

ISO/IEC 27001/27002

ISPL

IT4IT®

IT-CMFtm

IT Service CMM

ITIL®

MOF

MSF

NIS2

SABSA

SAF

SIAMtm

TRIM

VeriSMtm

XLA®

Enterprise Architecture

ArchiMate®

GEA®

Novius Architectuur

Methode

TOGAF®

Project Management

A4-Projectmanagement

DSDM/Atern

ICB / NCB

ISO 21500

MINCE®

M_o_R®

MSP®

P3O®

PMBOK ® Guide

Praxis®

PRINCE2®

Business Management

BABOK ® Guide

BIAN®

BiSL® and BiSL® Next

BRMBOKTM

BTF

CATS CM®

DID®

EFQM

eSCM

IACCM

ISA-95

ISO 9000/9001

OPBOK

SixSigma

SOX

SqEME®

For the latest information on VHP publications, visit our website: www.vanharen.net.

Colophon

Title:

The NIS2 Navigator’s Handbook

Subtitle:

Bridging the Cybersecurity Gap

Series:

Best Practice

Author:

Michiel Benda

Reviewers:

Ite van Aardenne (Intergamma), Geert Antheunis (Cronos), Hendrik Decroos (Infosentry), Ulf Feger (Arlanxco Deutschland), Paul Gooijen (Mosadex Groep), Joran Leenders (Ypto)

Publisher:

Van Haren Publishing, ’s-Hertogenbosch-NL www.vanharen.net

Lay-out and DTP:

Coco Bookmedia, Amersfoort-NL

ISBN Hard copy:

978 94 018 1227 6

ISBN eBook (pdf):

978 94 018 1228 3

ISBN ePub:

978 94 018 1229 0

Edition:

First edition, first impression, September 2024

Copyright:

Van Haren Publishing, 2024

The GAP analysis described in this book is available as a download. Use this QR code:

Although this publication has been composed with most care, neither author nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication.

No part of this publication may be reproduced in any form by print, photo print, microfilm or other means without written permission by the publisher.

In 1881 a document called the Bhakshali manuscript was discovered by a farmer in India. It was carbon dated to be from around the 3rd or 4th century CE. What makes the manuscript particularly interesting is that it shows the use of the number 0 (zero) as more than a placeholder, but rather as a mathematical tool. It is said to be one of the greatest breakthroughs in mathematical history. Yet, while the whole world uses the zero nowadays as an indispensable basis for anything mathematical, recognition for this breakthrough and the person responsible for it seem to have been lost to time. The digital era in which we find ourselves is essentially based on the simple premise of zero and one. You could argue that, thanks to this Indian breakthrough, we now have a digital world. Because we have a digital world, we now have cyberspace, and because of cyberspace we are now faced with the Directive that this book is all about, NIS2. In short, I owe the fact that I am writing this book to a long forgotten Indian genius who decided that a zero should be used in mathematical calculations.

Grateful as I am for the zero, the fact that you are now reading this is because I have the support of many people around me who believe in what I do. In 2022, when it became clear that NIS2 was going to impact a lot of organizations, I was talking to the staff at TSTC, a security training institute in the Netherlands. I work with them to provide training on several security management topics. In our talks, we agreed that NIS2 would receive a lot of attention in many organizations operating in the European Union. These organizations would need to be trained so that they could ensure their compliance with the Directive and ultimately the laws in each of the Member States. I decided to build a training course that would cover NIS2 and the subsequent requirements that organizations would face. Instead of addressing the Directive from a technical and security perspective, I focused the training on business needs and requirements aimed at the management bodies of organizations. NIS2 makes it explicit that management bodies must be trained in cybersecurity which, for obvious reasons, should be a training course that addresses cybersecurity in the context of business operations. A training course for management bodies must deliver value beyond the understanding of a Directive. After all, management bodies are there to govern. The delivered value is to help them govern, and what better way is there than to provide them with a clear insight into the areas of cybersecurity in their own organizations that require improvement. This led to the creation of a GAP assessment tool that they could use during the training to gain an understanding of the requirements. At the same time, the tool would also give them an understanding of their own compliance and what to do to become compliant in areas that require improvement.

I started writing the training and the tool in the spring of 2023. The first step was coming to terms with the complexity of the Directive itself. The multitude of references to articles in other legislations makes it difficult to read. To give you an idea, I counted 90 different references to provisions and recitals in different treaties, laws, regulations, recommendations, and directives. The next step was to place the 46 NIS2 articles in relation to the 144 recitals it contains, thereby identifying what NIS2 expects organizations to do. Only then did the true writing start.

It has been an impressive journey. I have learned a lot about NIS2, but also about a wide variety of other topics. The most surprising outcome for me was that I started putting together a training course and I ended up writing this book on top of the training course. This book shines a light on the requirements embedded in the NIS2 Directive. In it, I have tried to stay away from technical approaches, and where the approaches are inevitable (e.g. because the Directive explicitly refers to a technical measure) I have brought the topic back to basic terms that are hopefully comprehensible by anyone sitting in a management body, board of directors, or similar top management function. In writing the book I have discussed topics with a lot of different people in different areas of expertise, ranging from lawyers, CISOs, CIOs, and CEOs, to security engineers, business continuity professionals, and IT experts. Each of them has knowingly or unknowingly helped me put the wording of this book together.

Two people have gone through every single page of the book and provided detailed commentary, namely Ulf Feger and Ite van Aardenne.

Ulf Feger, Group CISO of Arlanxeo Deutschland, and I have been professionally related since mid-2018. I reached out to him because I value his knowledge of information security. His focus on both IT and OT environments across multiple countries in Europe has provided invaluable insights. Ulf has spent hours of his precious time going through the book, providing detailed feedback throughout his review. It is more than fair to say that Ulf’s insights and ideas have not only improved the quality of the book, but also enhanced my knowledge of the field. His contributions have been invaluable to me.

Ite van Aardenne, CISO of Intergamma, and, more importantly, a close friend, has provided indispensable advice on every aspect of the book. She was the first person I entrusted with the content, and not without good reason. She is open, critical, fair, and above all extremely knowledgeable in the field of information security. If you like what you are reading in the coming pages, please remember that this book would be less than half its worth without her unrelenting feedback. She has my eternal gratitude and friendship.

This book was somewhat of a surprise to me. I set out to write a training course and ended up with both a training course and a book. Writing a book takes a lot of time, and time is one of the most precious commodities of all. Time that I could (and arguably should) have spent with my family ended up being spent behind my laptop. Never in that entire period have either my wife or my daughters told me to stop, slow down, take it easy, drop the book, spend more time with them, or any other argument that would have made me come to my senses. I am so grateful for their understanding and support. It has allowed me to put together a book that I hope will make a difference to many people out there.

The book is an independent work. You will benefit from the contents of this book without following the training. The training does guide you through the book at a higher level. The book provides more details and practical considerations. Both the book and the courseware include a GAP assessment tool. The version in the book is more detailed than the one in the courseware, making the book suitable for an even wider audience.

I hope you enjoy the book and that it will bring you the benefit I intended it to have when I wrote it. Join me or other trainers for the training that will guide you through the content.

On a final note, I want to thank the anonymous Indian for bringing us the zero. In tribute to their impact on the world we live in, I have decided to start the chapter numbering of this book at 0.

Enjoy the read.

Michiel Benda, August 2024

“What makes this book unique is that it’s written by an information security expert who is also knowledgeable in laws and regulations and who has a well-trained eye for detail. Consequently, this book is not a legal interpretation of the NIS2 but contains analyses from an information security perspective with a strong focus on the business needs of the organization. This book provides practical guidance on what organizations must implement, including comprehensible background information that gives the needed context to the NIS2 and its requirements. The Gap Analyses that can be found in one of the annexes proves to be the cherry on top. It provides organizations with a clear overview of where you are and what you still need to do to become NIS2 compliant.”

Ite van Aardenne, CISO at Intergamma

“The book provides a comprehensive overview of the current status of the NIS2 Directive and the challenges that all companies and institutions must face in this context to achieve a basic level of cybersecurity maturity and resilience. Therefore, the development, scope, and concepts of the directive in the European context and its requirements are outlined.

The included appendices, e.g. the mapping of the NIS2 to ISO and the tabular GAP assessment for evaluating your own cyber security program, offer great added value.

NIS2 keeps you busy and you need guidance?

This book helped me as it provides a comprehensive overview of the current status of the NIS2 Directive and addresses the challenges all companies and institutions must face in this context to achieve a basic level of cybersecurity maturity and resilience. By reading this book you understand the development, scope, and concepts of the Directive in the European context.

Furthermore, the included appendices, e.g. the mapping of the NIS2 to ISO and the tabular GAP assessment will help you for assessing and evaluating your own cyber security program.

Have in mind this is not meant for one country only and it will be interesting how the Directive will mature in future - maybe towards an EU Regulation. It will also become challenging for companies spread across multiple European countries with their potentially different legal implementations. So, I see this as a start of a longer journey – for mature and not so mature entities.”

Ulf Feger, Group CISO at Arlanxeo

“It can’t be made easier, but it can be made clearer! Michiel Benda knows how to translate difficult to read directives into easy-to-read texts. The NIS2 Navigator’s Handbook offers a very structured and clear explanation of the NIS2. This includes not only what the NIS2 describes and how to implement it meaningfully, but also why the NIS2 was created and which parties played a role in it. The NIS2 Navigator’s Handbook - Bridging the cybersecurity GAP will help anyone who wants or needs to delve deeper into NIS2.”

Paul Gooijen, CISO at Mosadex Group

“The NIS2 directive is still being translated into legislation, and information is both scattered across various sources and requires interpretation. When reading articles about NIS2, often written by suppliers, these interpretations can vary significantly. Gathering and analyzing all this information to create an authoritative source of knowledge on NIS2 is quite a task. I’m very thankful to be able to reuse Michiel’s work in my daily activities as a security professional. Whether it’s to gain a better understanding, find an answer to a question, or get help in deciding how to approach NIS compliance within the company, this book is invaluable. I highly recommend it to anyone looking to implement NIS compliance, both within their own company or at a customer’s company. Additionally, people already receiving help in the form of consultancy can use the book to verify and control what’s happening.”

Joran Leenders, CISO at Ypto

As an entity falling under the NIS2 scope, your organization is required to have cybersecurity risk measures in place that are appropriate to the risks it faces. A base control set of mandatory controls is specified in NIS2. As management of such an entity, you must be in control of the cybersecurity risks, and you may be held liable for the cybersecurity resilience choices made in the organization. With a personal liability attached to compliance, regardless of how likely it is that you will be held liable, you will want to be able to keep control over the cybersecurity risks and the state of compliance of your organization. Your level of cybersecurity knowledge and skills may lead you to decide to rely on the experts in your team to provide you with sufficient insight.

This book is written for all members of management bodies, including the information security officer and data protection officer. The book describes the requirements in basic terms that are understandable for anyone, without going into the technical details of some of the requirements. Moreover, the book provides an extensive GAP assessment tool that will help you keep track of your compliance status in relation to the NIS2 requirements. The book can be read from cover to cover but is structured in a way that allows it to be used as an easy reference guide as well.

0.1 SOME CLARIFYING NOTES

For readability purposes, this book will refer to Directive 2022/2555 as “NIS2” or the “Directive”.

The book often refers directly to “you”, what “you” should do, or what something means for “you”. “You” in those cases refers to you as the representative of your organization rather than you as an individual. An organization is any legal entity that must abide by NIS2 requirements. It can be a governmental body, national institute, corporation, foundation, self-employed contractor, privately owned company, or any other entity that may need to apply the rules laid down in this Directive.

0.2 DISCLAIMER

This book provides clarification on the NIS2 content. It also helps you assess your organization in relation to the NIS2 requirements and provides you with an understanding of how to achieve compliance. Should you need a formal legal interpretation, you should consult a legal expert on how to interpret the Directive.

0.3 STRUCTURE OF THE BOOK

The book is structured in a logical sequential approach. Beyond the first chapter that contains an overall introduction, chapter 2 will help you understand the purpose of the Directive by leading you through the NIS2 background and origin. This background will help you put NIS2 in the larger context of the European initiatives and strategies aimed at making the EU more digitally resilient and self-supporting. The chapter will also give you some high-level information on the Directive and some idea of the main changes from the first version of the NIS. There have been significant updates since this first version, including the broadening of the scope of the companies that must comply with the Directive.

Chapter 3 takes a deeper dive into the Directive. Beyond an initial implementation timeline, some of the cybersecurity terminology that is used will be explained to you. This is followed by a section in which you will be introduced to a wide range of EU institutions and governmental bodies that play a role in the execution of the NIS2 Directive. Subsequent sections describe the expectation of a National Cybersecurity Strategy and the concept of certification schemes. Section 3.7 distinguishes the types of entities that fall within the NIS2 scope and helps you in classifying where (and whether) your organization falls within this scope. The final two sections of the chapter will explain the requirements that the entities must comply with, as described in NIS2 Chapter IV, and the requirements described in Directive articles 21 and 23 which focus on specific measures you must implement and your reporting obligations.

The contents of the chapter above may lead the reader to wonder what responsibilities the different roles in the organization have. To clarify this, section 3.10 describes the responsibilities for some of the key roles, including management, general employees and third parties.

Chapter 4 of this book helps you determine your own compliance with NIS2. As each requirement is explained, the book emphasizes the questions to ask and statements to verify that will help you determine the gap between your current state and NIS2 compliance.

FOREWORD

ENDORSEMENTS

0 PURPOSE

0.1 Some clarifying notes

0.2 Disclaimer

0.3 Structure of the book

1 INTRODUCTION

2 BACKGROUND

2.1 A Europe fit for the digital age

2.2 Cybersecurity in the EU

2.2.1 ENISA

2.2.2 EU Cybersecurity Strategy 2013

2.2.3 Network and Information Systems Directive

2.2.4 EU Cybersecurity Act 2019

2.3 Digital Europe Program

2.4 The Digital Decade policy program

2.4.1 EU Cybersecurity Strategy for the Digital Decade

2.4.2 Legislative strategy results

2.5 Updating the Network and Information Systems Directive

2.5.1 NIS shortcomings

2.5.2 Improvements in NIS2

2.5.3 The expansion of the scope

3 INSIDE NIS2

3.1 Recitals and provisions

3.1.1 Recitals

3.1.2 Provisions

3.2 Directive to law timeline

3.3 NIS2 Chapter overview

3.4 Security concepts in NIS2

3.4.1 Network and information systems

3.4.2 Security of network and information systems

3.4.2.1 Confidentiality

3.4.2.2 Integrity

3.4.2.3 Availability

3.4.2.4 Authenticity

3.4.2.5 Non-repudiation and reliability

3.4.3 Threat

3.4.3.1 Cyber threat

3.4.4 Vulnerability

3.4.5 Event

3.4.5.1 Threat event

3.4.6 (Security) Incident

3.4.7 Risk

3.4.8 Cybersecurity

3.4.9 Incident handling

3.4.10 Standard

3.4.11 Public administration entity

3.4.12 Trust service

3.4.13 Data center service

3.4.14 Cloud computing service

3.4.15 Content delivery network

3.4.16 Managed service

3.4.17 Managed security service

3.4.18 Online marketplaces

3.4.19 Online search engines

3.4.20 Social networking services

3.4.21 Domain name system (DNS)

3.4.22 Top-level domain name registries and domain name system service providers

3.4.23 Representative

3.4.24 National cybersecurity strategies

3.5 Union groups and committees

3.5.1 Cooperation Group

3.5.2 ENISA

3.5.2.1 Maintaining cybersecurity expertise

3.5.2.2 Providing operational support and training programs

3.5.2.3 Promoting the development and adoption of standards and certification

3.5.2.4 Raising awareness

3.5.2.5 Facilitating cooperation and collaboration

3.5.3 Cyber crisis management authority

3.5.4 EU-CyCLONe

3.5.5 Competent authorities

3.5.6 Computer Security Incident Response Teams (CSIRTs)

3.5.7 CSIRTs network

3.6 Entity scope

3.7 Entity types

3.7.1 Critical entities

3.7.2 Essential entities

3.7.3 Important entities

3.7.4 Differences between essential and important entities

3.7.5 Registration of included entities

3.8 Entity obligations

3.8.1 Protective requirements

3.8.2 Reporting obligations

3.8.3 Linking to the ISO/IEC 27001 and ISO 22301 standards

3.8.4 Cybersecurity certification schemes

3.9 Supervision and enforcement powers

3.10 Roles and responsibilities within the scoped entities

3.10.1 Top management

3.10.2 Chief Information Security Officer (CISO)

3.10.3 Data Protection Officer (DPO)

3.10.4 Employees

3.10.5 Third parties and the supply chain

4 DETERMINING YOUR STATE OF COMPLIANCE

4.1 Cybersecurity program

4.1.1 Determining context and stakeholder expectations

4.1.2 Taking the all-hazard approach

4.1.3 Management reporting

4.2 Cybersecurity training

4.3 Risk management

4.3.1 Enterprise risks versus information risks

4.3.2 Risk assessment

4.3.2.1 Risk identification

4.3.2.2 Risk analysis

4.3.2.3 Risk evaluation

4.3.3 Risk treatment

4.4 Policies

4.4.1 Policy purpose

4.4.2 Policy prerequisites

4.4.3 Policy structure

4.4.4 Policy exceptions

4.4.5 NIS2 cybersecurity policies

4.4.5.1 Information security policy

4.4.5.2 Code of Conduct and Acceptable Use Policy

4.4.5.3 Risk management policy

4.4.5.4 Information systems policy

4.4.5.5 Backup policy

4.4.5.6 Control effectiveness policy

4.4.5.7 Cryptography policy

4.4.5.8 Password policy

4.4.5.9 Access control policy

4.5 Resilience planning

4.5.1 Business continuity plan (BCP)

4.5.1.1 Key elements of a business continuity plan

4.5.1.2 Business impact analysis (BIA)

4.5.1.3 Communications

4.5.1.4 Skill and capacity requirements

4.5.1.5 Crisis management

4.5.1.6 Testing and training

4.5.2 Disaster recovery plan (DRP)

4.5.3 Incident response plan (IRP)

4.5.3.1 Event detection

4.5.3.2 Preliminary analysis

4.5.3.3 Digital forensics

4.5.3.4 Preliminary response

4.5.3.5 Alternate location recovery

4.5.3.6 Incident analysis

4.5.3.7 Eradication

4.5.3.8 Recovery

4.5.3.9 Restoration

4.5.3.10 Post-incident analysis

4.6 Organizational controls

4.6.1 Control effectiveness procedures

4.6.1.1 Control metrics

4.6.2 Cryptography use

4.6.3 Human resources security

4.6.3.1 Joining the organization

4.6.3.2 Moving in the organization

4.6.3.3 Leaving the organization

4.6.4 Supply chain security

4.6.4.1 Procurement

4.6.4.2 Contract management

4.6.4.3 Relationship management

4.6.5 Secure system lifecycle management

4.6.6 Vulnerability management

4.6.6.1 Vulnerability detection

4.6.6.2 Vulnerability handling

4.6.6.3 Coordinated vulnerability disclosure (CVD)

4.6.7 Asset management

4.6.7.1 Registration

4.6.7.2 Protection

4.6.7.3 Distribution

4.6.7.4 Maintenance

4.6.7.5 Recycling and decommissioning

4.7 Technical controls

4.7.1 Access control

4.7.1.1 Privileged access management

4.7.1.2 Multi-factor authentication (MFA)

4.7.1.3 Continuous authentication

4.7.2 Backup management

4.7.2.1 Backup

4.7.2.2 Restore

4.7.3 Basic cyber hygiene practices

4.7.3.1 Zero-trust principles

4.7.3.2 Network access control

4.7.3.3 Software updates

4.7.3.4 Device configuration

4.7.3.5 Network segmentation and micro-segmentation

4.7.3.6 Security Information and Event Management

4.7.3.7 Detection and response

4.7.4 Encryption

4.7.4.1 Encryption on stored information

4.7.4.2 Encryption of information in transit

4.7.4.3 Encryption of data in use

4.7.5 Vulnerability scanning

4.7.6 Secured voice, video, and text communications

4.7.7 Secured emergency communication systems within the entity

4.8 Entity type specific measures

4.8.1 Providers of public electronic communications networks and providers of publicly available electronic communications services

4.8.2 Trust service providers

4.8.3 Top-Level domain name registries, providers of domain name registration services, and domain name system service providers

4.8.4 Cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, and providers of an online marketplace, an online search engine or a social networking services platform

5 FINAL NOTE

ANNEX A SCOPE AND ENTITY TYPE OVERVIEW

ANNEX B CRITICAL, ESSENTIAL AND IMPORTANT ENTITIES

ANNEX C NIS2 TO ISO MAPPINGS

ANNEX D CISO JOB PROFILE EXAMPLE

ANNEX E CYBER THREAT EXAMPLES

E.1 Cyber threat actors

E.2 Cyber threats events

ANNEX F GAP ASSESSMENT

F.1 Cybersecurity program

F.2 Risk management

F.3 Policies

F.4 Business continuity & disaster recovery

F.5 Incident management

F.6 Secured system lifecycle management

F.7 Human resources security

F.8 Supply chain security

F.9 Asset and vulnerability management

F.10 Cryptography and encryption

F.11 Access management

F.12 Basic cyber hygiene

F.13 Secured communications

F.14 Control effectiveness

GAP assessment result

GAP statement mapping to NIS2 Chapter IV provisions

GAP statement mapping to the chapters of this book

ABOUT THE AUTHOR

INDEX

The 21st century has been marked by revolutionary advancements in cyberspace (see section 3.4.3.1 for a definition). These advancements came at a significant cost both directly and indirectly from a series of events. Here are some examples:

Starting on 27 April 2007, Estonia was targeted by a series of cyber-attacks. The attacks were made on various websites, including those of the Estonian parliament, banks, ministries, newspapers, and broadcasters. The attacks came amid the country’s dispute with Russia about the relocation of the Bronze Soldier of Tallinn, a Soviet-era remnant and grave marker. The attack was later claimed by Kremlin-backed groups and individuals. It was the second-largest instance of state-sponsored cyber warfare to date.

In 2010 the US National Cybersecurity Center issued a warning about the security risks of using Huawei and ZTE equipment, noting that they could be used for espionage. This warning was strengthened by a report in 2012 by the House of Representatives’ Intelligence Committee, which raised concerns about Huawei’s links to the Chinese government and the various forms of support from the Chinese government, including loans and subsidies. While Huawei to date denies the allegations that it is a tool of the Chinese government, several countries, including the USA, New Zealand, Australia, and Japan have nonetheless chosen to put a ban on the import and use of the products.

In May 2017 Microsoft Windows operating systems were attacked all over the world by the WannaCry ransomware cryptoworm. It was able to spread using EternalBlue, an exploit that was developed by the United States National Security Agency. A month prior to the attack, a group called The Shadow Brokers managed to access and steal EternalBlue. Microsoft had issue patched prior to the attack to close the exploit, but many organizations were behind on patching and used versions of Windows that were past their end-of-life.

A month after the WannaCry attack, Ukraine was hit by a powerful series of cyber-attacks using the Petya malware. It swamped Ukrainian organizations, including banks, ministries, newspapers, and electricity firms, but it also spread beyond the borders, leaving few countries in the world untouched. While appearing to be ransomware at first, it was discovered that the malware was designed to cause maximum damage, with the Ukraine being the main target.

Donald Trump was inaugurated as President on January 20, 2017. His election marked a period of uncertainty in the EU-US relationship. His administration adopted a more transactional and skeptical approach to existing alliances, including the one with the European Union. His stance on data privacy and surveillance caused a lot of concern about the protection of European citizens’ data.

With so many indicators from so many different angles, the EU was confronted with the fact that its resilience to unwanted external influences left ample room for improvement. Consequently, strategies were formulated, institutes were erected, and laws were drafted to become stronger and more resilient in the face of potential cyber warfare in the future and to become less reliant on other nations, be they partners or otherwise.

One of the direct results of the EU cyber strategy is what is commonly known as the NIS2 Directive, fully identified as Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.

On 27 December 2022, the Official Journal of the European Union, edition L333, officially published one new regulation and three directives. EU regulations are laws that are binding for all Member States and their citizens. Directives are different from laws in that they hold requirements for the contents of laws that Member States are instructed to draft and implement. The published directives and regulations are as follows:

DORA: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.

NIS2: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive).

Amendments based on DORA: Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector.

CER: Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.

The four publications were purposefully released together, and they are closely associated with each other.

DORA (Digital Operational Resilience Act) is a regulation introduced for the financial sector. It is focused on resilience from a broad ICT perspective. Entities that must follow DORA are likely to have to follow NIS2 as well.

NIS2 is a directive focused on the cyber resilience of entities in the European Union that EU citizens are most reliant on for their safety, security, and welfare. It succeeds the NIS Directive of 2016.

The CER Directive focuses on addressing the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental, or intentional. It addresses an organization’s resilience beyond cybersecurity resilience and extends to physical threats such as terrorist offences, sabotage, and natural disasters. Entities identified as critical under CER are considered essential under NIS2. The requirements specified in NIS2 supersede any conflicting requirements in CER.

NIS2 is written with a clear purpose in mind. To better understand its purpose, it is important to understand some of the programs that the European Union runs, in particular those around digitalization and cyberspace.

This chapter focuses on some of these programs and how they have led to the development of NIS, and subsequently NIS2.

2.1 A EUROPE FIT FOR THE DIGITAL AGE

Digital technology is changing people’s lives. The EU’s digital strategy aims to make this transformation work for people and businesses, while helping to achieve its target of a climate-neutral Europe by 2050 e.g., through energy efficiency programs, sustainable and smart transportation, and remote work and virtual collaboration.

The “Europe Fit for the Digital Age” program was launched by the European Commission in December 2019 as part of its strategic priorities for the period of 2019-2024. It was introduced alongside other key policy initiatives aimed at shaping Europe’s digital future, such as the European Green Deal and the European Data Strategy. Through the program, the EU recognizes the significance of digital transformation and the need to adapt and prepare Europe and its population for the opportunities and challenges presented by the digital age. To support the program, the EU has made significant funds available through the NextGenerationEU funding program, as shown in the key numbers included in figure 2.1.

The “Europe Fit for the Digital Age” program is a broad strategic framework that encompasses various initiatives, policies, and objectives aimed at preparing Europe for the digital transformation and harnessing the potential of digital technologies for the benefit of the EU citizens and economy. It sets the overall vision and priorities for Europe’s digital agenda through which the EU wants to enhance its global competitiveness, promote innovation, protect digital rights, and foster a sustainable and inclusive digital society.

The program focuses on the following key priorities:

Digital skills: Promoting digital literacy and ensuring that Europeans have the necessary skills to thrive in the digital era,

Digital infrastructure: Expanding high-speed connectivity, including 5/6G networks and widespread access to broadband, to ensure reliable and fast digital services,

Digital economy and society: Supporting the growth of the digital economy, fostering innovation, and creating a favorable and secure environment for businesses to embrace digital technologies, and

Digital governance: Establishing clear rules and frameworks to address emerging digital challenges, including data protection, cybersecurity, and ethical use of artificial intelligence.

The “Europe Fit for the Digital Age” program is designed to shape Europe’s digital future, enable digital transformation across sectors, and empower citizens and businesses to fully participate in the digital society.

2.2 CYBERSECURITY IN THE EU

Digital technologies are a core part of the daily lives of all EU citizens and businesses. A disruption in technologies could significantly disrupt this ability to effectively function in a world society. Disruptive events such as the COVID-19 crisis and Russia’s war of aggression against Ukraine have confirmed how important it is for Europe to be less dependent on systems and solutions coming from other regions of the world. Malicious cyber activities threaten more than just the functioning of the EU economy, they also threaten its way of life and the freedoms and values of its citizens. These activities may even try to undermine the cohesion and functioning of the democracy in Europe.

Cybersecurity has been on the EU agenda since the beginning of the century. It has been gradually developing cybersecurity programs over the years to address the evolving cyber threats and ensure the security of its Member States. Cybersecurity is seen as a fundamental element for ensuring the resilience, security, and trustworthiness of Europe’s digital infrastructure, services, and economy.

Cybersecurity is seen as a crucial part of the “Europe Fit for the Digital Age” program for several reasons:

Protection of critical infrastructure: Critical infrastructure, such as energy, transportation, healthcare, and financial systems, heavily rely on digital technologies. It is vital to safeguard their uninterrupted operation to protect EU citizens and the economy, as well as to sustain the functioning of society as a whole,

Digital transformation and economic competitiveness: Digital transformation is essential to maintain global economic competitiveness. A secure and trustworthy digital environment is necessary to fully embrace digital technologies. Cybersecurity is fundamental to building trust and confidence in digital services, fueling innovation, economic growth, and competitiveness,

Protection of personal data and privacy: Personal data protection and privacy are high on the EU agenda. Robust cybersecurity measures are essential to protect data and prevent breaches,

Defense against cyber threats: Cyber threats such as cybercrime, state-sponsored attacks, and cyber-espionage continuously evolve. Cybersecurity is a critical defense component to counter these threats, protect national security, and maintain the integrity of EU institutions and processes, and

Digital trust and citizen empowerment: Everyone should be able to trust digital technologies and feel empowered in their digital interactions. Cybersecurity measures protect individuals from cyber risks, fraud, and online abuse, and allow them to fully participate in the digital society.

By considering cybersecurity as a crucial aspect, the EU aims to ensure the resilience, security, and trustworthiness of its digital space, protect its critical assets and infrastructure, and enable a safe and empowered digital society and economy.

The EU cybersecurity program has led to some notable accomplishments. Examples of these accomplishments include:

2004: European Union Agency for Cybersecurity (ENISA): ENISA was established in 2004 as the first EU agency dedicated to cybersecurity. Its primary role is to enhance network and information security within the EU by providing expertise, guidance, and support to Member States and stakeholders. ENISA focuses on promoting cooperation, sharing best practices, and developing technical standards and guidelines,

2013: EU Cybersecurity Strategy: The first comprehensive Cybersecurity Strategy was published in 2013. It laid out the priorities and objectives for enhancing cybersecurity across the EU. The strategy emphasized five strategic priorities: achieving cyber resilience, reducing cybercrime, developing a coherent EU cyber defense policy and capabilities, enhancing industrial and technological resources in cybersecurity, and establishing an international cyberspace policy. The Strategy was revised in 2020,

2016: Network and Information Systems Directive (NIS Directive): The NIS Directive was adopted in 2016 to enhance network and information systems security across critical sectors. It established security and incident reporting obligations for operators of essential services (OES) and digital service providers (DSPs) and promoted cooperation and information sharing among Member States, and

2019: EU Cybersecurity Act: The EU Cybersecurity Act, adopted in 2019, aims to strengthen the EU’s cybersecurity framework. It established a European cybersecurity certification framework to harmonize and improve the certification of products, services, and processes.

These initiatives were driven by the EU’s priorities to enhance cyber resilience, combat cybercrime, promote technological and industrial capabilities, and foster international cooperation in cyberspace. As cyber threats continue to evolve, the EU remains committed to advancing its cybersecurity programs and adapting to emerging challenges. One of the consequences of the threat evolvement was the need to update the NIS Directive so that it included more up-to-date requirements and covered a wider scope of entities that are essential to the welfare of European citizens.

2.2.1 ENISA

ENISA was established in 2004 as an independent EU agency that enhances cybersecurity and supports states in strengthening their cyber threat resilience. It is headquartered in Athens, Greece. Its primary objective is to promote a high and effective level of network and information security within the EU. It is a center of expertise in cybersecurity, providing advice, guidelines, and recommendations to Member States, institutions, businesses, and citizens. ENISA collaborates with various stakeholders, including national cybersecurity agencies, industry experts, academia, and international organizations, to foster cooperation and share best practices.

2.2.2 EU Cybersecurity Strategy 2013

The EU Cybersecurity Strategy, adopted in 2013, was focused on building a secure and trustworthy digital environment within the European Union. It aimed to enhance the resilience of critical information infrastructure, reduce cybercrime, develop cyber defense capabilities, and promote international cooperation in the field of cybersecurity.

The strategy outlined five main priorities:

1. Achieving cyber resilience of critical information infrastructure by promoting risk management practices, establishing the CERT-EU (Computer Emergency Response Team for the European Union’s institutions, bodies, and agencies), and fostering Public-Private Partnerships (PPPs).

2. Drastically reducing cybercrime by strengthening the legal framework and law enforcement capabilities.

3. Developing cyber defense policy and capabilities by developing a common approach to cyber defense and establishing a European cyber defense policy framework. This involved improving cooperation and information-sharing among Member States, conducting cyber defense exercises, and supporting research and development in the field of cybersecurity.

4. Enhancing industrial and technological resources for cybersecurity by encouraging research and innovation, promoting the development of cybersecurity standards, and supporting the certification of products and services.

5. Fostering international cooperation on the vision of an open, secure, and stable cyberspace by engaging with international partners and contributing to the development of international norms and standards for cybersecurity.

Since its adoption, the EU Cybersecurity Strategy has resulted in several notable achievements, including GDPR and a European Cybercrime Centre (EC3).

2.2.3 Network and Information Systems Directive

The EU Network and Information Systems (NIS) Directive is a legislation adopted in 2016. NIS is primarily aimed at improving cybersecurity. It relates to any “incident” that has an impact on a service, where that impact produces a significant disruptive effect. It also includes impacts that have “non-cyber” causes, for example interruptions to power supplies or natural disasters such as flooding.

NIS applies to two groups of organizations:

Operators of essential services (OES), and

Relevant digital service providers (RDSPs).