On 27 December 2022, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU (NIS 2 Directive) was published in the Official Journal of the European Union. Having entered into force earlier this week, on 16 January, the Directive will apply from 18 October 2024. Below, our Head of eHealth Paul Gardner summarises the implications of NIS 2 and offers some advice on complying with the Directive.
NIS 2 Directive – Who needs to comply and what are the obligations?
NIS 2 replaces the current NIS Directive (Directive (EU) 2016/1148), setting out a regulatory framework for cybersecurity. All medium and large organisations operating within the sectors covered by the Directive, or providing services covered by the Directive, fall within its scope. This includes healthcare providers, pharmaceutical companies, and manufacturers of medical devices considered critical in a public health emergency.
Appropriate & proportionate risk management measures
For qualifying organisations, NIS 2 mandates that management must approve the cybersecurity risk-management measures taken by their organisation, and that members of the management body must undergo specific training before providing training to their employees.
According to Article 21 in the Directive (Cybersecurity risk-management measures), organisations must take appropriate and proportionate technical, operational, and organisational measures to:
- manage the risks posed to the security of the network and information systems they use for their operations or for the provision of their services
- prevent or minimise the impact of incidents on recipients of their services and on other services
The measures should ensure a level of security that’s appropriate to the risks posed – taking into consideration the “state-of-the-art”, relevant European and international standards, and the cost of implementation. During the proportionality assessment of the measures to take, organisations should weigh up their size, their exposure to risks, and the likelihood and potential severity of incidents – including any societal and economic impact.
An “all-hazards approach”
Organisations are advised to ensure that the measures they take are based on an “all-hazards approach” that aims to protect their network and information systems and the physical environment of those systems from security incidents. The measures should cover the following as a minimum:
- The creation of policies regarding risk analysis and information system security, effectiveness assessment of cybersecurity risk-management measures, and the use of cryptography (and where appropriate, encryption)
- Incident handling
- Business continuity
- Supply chain security
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Basic cyber hygiene practices and cybersecurity training
- Human resources security, access control policies and asset management
- The use of multi-factor authentication / continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems, where appropriate
Advice for complying with the NIS 2 Directive
The NIS regulations state that companies should consider compliance with international standards, and the guidance issued by the European Union Agency for Cybersecurity (ENISA) maps security objectives to several best-practice standards.
Attaining ISO 27001 certification for information security management systems is the logical first step to achieving compliance with the NIS 2 Directive. An ISO 27001-compliant information security management system (ISMS) enables an organisation to reduce its risk and exposure to security threats by identifying the policies that need to be documented, the technologies required to protect itself, and the staff training necessary to avoid issues. An ISMS also mandates that the organisation conduct annual risk assessments, which help it stay ahead of the ever-changing risk landscape.
ISO 27001 will help your organisation to meet the NIS 2 requirements whilst also facilitating independently audited certification. This provides evidence to suppliers, stakeholders, and regulators that you’ve taken the appropriate and proportionate technical and organisational measures required, providing you with a competitive edge in the marketplace.
Organisations looking to take further measures to demonstrate compliance with NIS 2 could consider the additional certification of ISO 22301 for business continuity management. ISO 22301 is structured to help you implement, maintain, and continuously improve your approach to business continuity. Whilst ISO 27001 includes business continuity management (BCM), it doesn’t define a specific process for BCM implementation. As such, ISO 22301 complements ISO 27001 by supplying this process.
In short, the combination of ISO 27001 and ISO 22301 certification enables the creation of a compliant and effective integrated management system comprising both an ISMS and a BCMS, ultimately empowering your organisation to continuously limit its risk and exposure to security threats.