What the NIS 2 Directive means for device manufacturers
New EU legislation on cybersecurity is imminent. Are you ready?
As of October 17, 2024, the NIS 2 Directive will expand the scope of its 2016 predecessor, NIS, targeting more sectors with more stringent requirements and imposing higher penalties for non-compliance.
If you’re selling software in an EU country —as a service or within a product— you need to be aware of this; the fines for non-compliance are steep. However, the new rules aren’t all that straightforward, and it may not be immediately clear whether or not they even apply to you. With the deadline fast approaching, device manufacturers are understandably a bit nervous about what this means for the software within their products.
We’ve examined the proposed legislation and will share the key points for device manufacturers in this blog post. However, please remember that we are not legal professionals and that this is not legal advice.
What is NIS 2?
NIS 2 is also known as Directive (EU) 2022/2555 or, to give it its full name:
[takes deep breath]
DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
Replacing a previous NIS directive from 2016, NIS 2 sets out legal measures to achieve a higher common standard of cybersecurity across the European market.
While the European Cyber Resilience Act (CRA) aims to enhance cybersecurity and resilience for products with digital elements in the EU, NIS 2 concentrates on the processes and policies of organisations.
It’s important to note that NIS 2 provides a baseline for cybersecurity across the EU, but there will be some variance in how individual member states choose to implement these changes.
Who does NIS 2 apply to?
The NIS 2 Directive is aimed at organisations providing services or carrying out activities within the EU, deemed ‘essential’ or ‘important’ for societal and economic functions.
Essential: An essential organisation…
Belongs to one of the following sectors:
- Energy
- Drinking water
- Wastewater
- Transportation
- Banks and financial markets
- Digital infrastructure providers
- ICT service management
- Governments
- Healthcare (including R&D and the manufacture of critical medical devices)
- Aerospace
AND
Has more than 250 employees or an annual turnover in excess of 50 million Euros
AND
Could have a significant impact on society and the economy in the event of a cybersecurity incident.
However, any business that was within the scope of the original NIS is considered essential under NIS 2. Similarly, telecommunications, DNS, and TLD providers are always essential, regardless of size.
Important: An important organisation does not meet all the essential criteria but still requires a high level of cybersecurity. These include:
- Manufacturing of in vitro medical devices, electrical equipment, motor vehicles, machinery and equipment
- Postal and courier services
- Waste management
- Accounting firms
- Digital service providers (online marketplaces, online search engines and social networking platforms)
- Research organisations
- Production and distribution of chemicals, and
- Wholesale and industrial food production and processing
This is just a baseline. Individual EU member states have the power to upgrade an organisation’s importance, regardless of size, if they think it necessary.
If your business is classified as either essential or important, you have several crucial obligations to fulfil. Let’s take a look…
NIS 2 risk management obligations
Essential and important entities must be able to show that they are managing risks to their network and information systems. As you might expect, the official documentation is long and highly detailed, so we won’t go into the specifics. As a brief overview, companies within the scope of NIS 2 will need the following:
Risk analysis and information system security policies
You must establish a comprehensive policy for the security of your network and information systems. This policy should align with your business strategy, outlining your approach to managing security, setting clear security objectives, and defining your acceptable risk tolerance level.
Additionally, you must develop and maintain a robust risk management framework. This framework will help you identify and address risks to your network and information systems. It should include the conducting and documenting of risk assessments as well as the implementation of a detailed risk treatment plan.
Incident handling policy
This document outlines the roles, responsibilities, and procedures for timely detection, analysis, containment, response, recovery, documentation, and reporting of incidents.
Business continuity and disaster recovery plan
This plan should be guided by risk assessment results and detail the necessary steps for restoring operations following an incident. It should include:
- purpose, scope and audience,
- roles and responsibilities,
- key contacts and (internal and external) communication channels,
- conditions for plan activation and deactivation,
- order of recovery for operations,
- recovery plans for specific operations, including recovery objectives,
- required resources, including backups and redundancies,
- restoring and resuming activities from temporary measures, and
- interfaces to incident handling.
Crisis management plan
You must have a plan to manage information flow and coordination with authorities in the event of a crisis. The plan should provide communication procedures with a designated Computer Security Incident Response Team (CSIRT) or competent authorities regarding incident notifications, as well as communication with internal and external stakeholders.
We’ll discuss your incident reporting obligations in a bit more detail later in the blog.
Supply chain security policy
This one is particularly significant for device manufacturers. A supply chain policy should consider the following:
- security requirements for suppliers and service providers,
- incident notification obligations for suppliers,
- vulnerability handling procedures for suppliers, and
- cybersecurity requirements for subcontractors.
Assessment of the effectiveness of risk-management measures
You must establish a policy to assess the effectiveness of your cybersecurity risk-management measures, which should be informed by risk assessment results and past incidents.
Basic cyber hygiene practices and cybersecurity training
All employees must be aware of cybersecurity risks and apply basic cyber hygiene practices. Companies must implement training programs that are relevant to job functions, cover security measures, and address known cyber threats.
Policies and procedures regarding the use of cryptography and encryption
Essential and important organisations must have policies and procedures related to cryptography to ensure the confidentiality, authenticity, and integrity of information.
Human resources security, access control policies and asset management
Device manufacturers are responsible for ensuring employees and—where applicable—direct suppliers and service providers understand and commit to their security responsibilities. Additionally, they must:
- implement logical and physical access control policies,
- manage access rights, and
- secure system administration.
There must also be a system in place for classifying information and assets based on their required protection level and a policy for the proper handling of these assets.
Required tech
NIS 2 also states that organisations should implement the following technology where appropriate:
- multi-factor or continuous authentication,
- secured voice, video, and text communications, and
- secured emergency communication.
NIS 2 reporting obligations
In the event of a cybersecurity incident, essential and important organisations must follow a reporting procedure:
Notification of significant incidents: You must notify your CSIRT or competent authority of any significant incident right away.
An incident is considered significant if:
- it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity,
OR
- it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The notification procedure should include:
- an early warning, without undue delay after becoming aware of the incident, outlining the incident’s characteristics and likely impact,
- an incident notification, no later than 72 hours after becoming aware of the incident, including detailed information about the incident,
- upon request, an intermediate report with relevant status updates, and
- a final report no later than one month after the incident notification, including a detailed description of the incident, its impact, mitigation measures and any cross-border impact.
Information of affected parties: Where appropriate, entities should inform recipients of their services about significant incidents and significant cyber threats.
Public disclosure: In cases where public awareness is necessary, the CSIRT or competent authority may inform the public about a significant incident, after consulting with the entity concerned.
Reporting to ENISA: The single point of contact in each Member State must submit a summary report to the European Network and Information Security Agency (ENISA) every three months, including anonymised data on significant incidents.
Consequences for not complying with NIS 2
NIS 2 includes administrative fines that can be imposed on organisations for breaching certain requirements.
Essential entities: a maximum fine of at least €10,000,000 or a maximum of at least 2% of the total worldwide annual turnover in the previous financial year, whichever amount is higher.
Important entities: a maximum fine of at least €7,000,000 or a maximum of at least 1.4% of the total worldwide annual turnover in the previous financial year, whichever amount is higher.
Another important addition to NIS 2 is the inclusion of new measures that will hold top management personally liable if their gross negligence is proven to have caused a cyber incident. This sends a clear message: IT departments should not be solely responsible for cybersecurity within an organisation—it is a much bigger issue.
Compliance monitoring
Once you’ve implemented or updated the measures above, you must also review them regularly to ensure continued compliance. As such, you’re expected to put an appropriate compliance reporting system in place. This system must be capable of giving your management bodies an informed view of your risk management.
The bare minimum
It’s important to remember that NIS 2 provides the minimum requirements for harmonising cybersecurity across the EU. Member states may choose to implement stricter measures if they wish.
And NIS 2 is just one part of an overall EU cyber strategy. This includes several related laws that ‘essential’ and ‘important’ organisations will need to consider when building their compliance frameworks.
Of course, even if your organisation isn’t considered ‘essential’ or ‘important’, robust cybersecurity is strongly advised for all device manufacturers. It is well worth examining your current policies and practices and seeing how they compare to the EU’s recommendations.
For more information on NIS 2…
The documentation surrounding NIS 2 is extensive, and we’ve only scratched the surface. If you have any questions or concerns about NIS 2, its scope, application, possible exemptions, or anything else, we advise you to consult with a compliance expert.