Exploring Data Protection Beyond GDPR – What You Need to Know About NIS2 Directive

Data protection laws are constantly changing in today’s world, so you can never be sure that you are up-to-date. There are so many of them that it’s sometimes hard to keep up with all. So, let’s introduce you gradually to some of the most important ones. Taking a look at the NIS2 Directive from our founder, Adam Brogden’s perspective, let’s explore what it is and how it works.

What is the NIS2 Directive?

The NIS2 (Network and Information Systems) Directive is a piece of legislation that aims to improve the cybersecurity of networks and information systems across the European Union (EU).

Building on the NIS1 strategy on the security of network and information systems, in order to achieve a high level of preparedness of Member States, the NIS2 Directive requires Member States to adopt a national cybersecurity strategy. This is a state level Directive mandating EU states to establish appropriate controls.  These need to be enshrined in law by October-2024 in each member state but it is important to recognise that this is not the compliance date for companies – this is expected to be implemented sometime in the future.

NIS2 is known as the first EU wide cyber security law and applies to public and private entities alike.  These organisations need to complete assessments and put in place appropriate policies and procedures and security measures.

The NIS2 Directive introduces a standard set of cybersecurity requirements across all EU member states, highlights better practices, creates strict incident reporting requirements, and introduces enforcement measures and sanctions. It also requires the establishment of an EU-wide collaboration and vulnerability-sharing program.

NIS2: Scope and objectives

The NIS2 covers entities from the following sectors of high criticality: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, water and road); banking; financial market infrastructures; health including  manufacture of pharmaceutical products including vaccines; drinking water; waste water; digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of  public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers), public administration and space.

Other critical sectors: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital providers (online marketplaces, online search engines, and social networking service platforms) and research organisations.

Another requirement of NIS2 for businesses is to implement appropriate technical and organisational measures to ensure the security of their networks and information systems. This includes measures such as access controls, encryption, and monitoring systems. By implementing these measures, businesses can significantly reduce the risk of cyber-attacks and data breaches.

NIS2 addresses security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships. At European level, the Directive strengthens supply chain cybersecurity for key information and communication technologies. NIS2 includes a list of 10 key elements that all companies have to address or implement as part of the measures they take, including incident handling, supply chain security, vulnerability handling and disclosure, the use of cryptography and where appropriate, encryption.

Relationship between NIS2 and other frameworks

NIS2 measures are based on “all-hazards approach” aiming to protect both network and information systems and physical environment of those systems from incidents. The requirements include: Policies, Incident Management, Supply Chain Security, Training, Asset Management, Reporting Obligations. As such, they are not too dissimilar from ISO / Soc2 / GDPR framework requirements.

How does the UK align itself with this Directive?

NIS concerns ‘network and information systems and their security. These are any systems that process ‘digital data’ for operation, use, protection, and maintenance purposes.

NIS requires these systems to have sufficient security to prevent any action that compromises either the data they store, or any related services they provide.

NIS applies to two groups of organisations: operators of essential services (OES) and relevant digital service providers (RDSPs).

The ICO defines network and information system as:

(a) an electronic communications network within the meaning of section 32(1) of the Communications Act 2003;

(b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or

(c) digital data stored, processed, retrieved or transmitted by elements covered under point (a) or (b) for the purposes of their operation, use, protection and maintenance;

This is basically any computer system used to process ‘digital data’. Digital data is any information stored in digital form on a network and information system. This information can include personal data even where the data is only processed for the operation, use, protection and/or maintenance of network and information systems. This is one reason for the inter-relationship between NIS, ISO27001 and the UK GDPR.

Taking this one further step, the security of a network and information system is defined by the ICO as:

‘The ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.’

What needs to be done

1. It is essential to take steps to comprehend the application of NIS2 regulations.

2. We need to gain a deeper understanding of NIS2’s definition of network and information system security and anticipate how regulators will interpret it in relation to our products.

3. We must ensure that we have the necessary governance structures, training programs, policies, and procedures in place. However, we can postpone some aspects of this until we have a better understanding of the regulatory landscape.

4. A comprehensive review of these regulations and how they are interpreted by other regulators and industry groups is imperative.

Conclusion

NIS2 has taken a long time to develop and is most certainly coming. It is now time for companies to consider where NIS2 applies to them and decide how to act.

The EU Directive is aimed at ensuring EU states establish appropriate NIS2 compliance regimes. There is little information available from any of the Regulators about NIS2 and what their enforcement regime will look like, but the clock is ticking

Even if NIS2 isn’t directly applicable there is a requirement for companies to complete supplier due diligence – this will most likely include potential clients asking for policies and procedures relating to NIS2 – even if the answer is that NIS2 is not applicable from a technical perspective there will be a requirement to show that the more procedural requirements of NIS2 have been met.

Data Protection is something all parties should be familiar with. For questions, more information and support, be sure to write to us at [email protected] or call us at +1 303 317 5998.