direttiva NIS Piergiorgio Venuti

NIS: what it is and how it protects cybersecurity

Estimated reading time: 6 minutes

The NIS Directive (Network and Information Security) was issued in 2016 by the European Union with the aim of achieving a high level of security of networks and information systems in the European Union.

It applies to essential service providers, such as energy, transport, banks, healthcare, and digital service providers, such as search engines, cloud and e-commerce. NIS has introduced a series of measures to strengthen cybersecurity.

NIS objectives

The main objectives of NIS directive are:

  • Improve prevention of cybersecurity incidents
  • Increase ability to detect and manage computer attacks
  • Limit impact of outages and disruptions of essential services for European citizens.

This is achieved through introduction of security standards, reporting obligations, cooperation between member states.

Scope

The subjects covered by NIS are:

  • Essential service operators (ESO): crucial public and private entities for maintaining vital civil, economic and social activities
  • Digital service providers (DSP): online search engines, cloud computing and online marketplaces

For ESOs, NIS applies to energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution sectors.

NIS2: main updates introduced in 2021

In December 2020, the European Commission proposed an update to the NIS Directive, called NIS2, to improve its effectiveness in light of growing cyber threats.

Sectors included in NIS2

In addition to sectors already covered by NIS, NIS2 directive will include:

  • Postal and courier services
  • Waste (wastewater and waste management)
  • Essential public infrastructures (national and cross-border)
  • Manufacturing sector
  • Product safety
  • Space and satellite activities
  • Public administration
  • Education (schools, universities, research centers)

Enhanced cybersecurity for companies of all sizes

Particular attention will be paid to strengthening security standards applicable to small and medium-sized enterprises (SMEs), often the Achilles heel in cybersecurity.

Large companies will also see growing obligations, with fines up to 2% of global turnover for breaches of information security requirements and failure to notify incidents.

This will push top management to seriously invest in cybersecurity.

International cooperation

Closer cooperation between member states will be promoted, establishing cross-border procedures for incident management and crisis management to effectively counter large-scale attacks.

Cooperation mechanisms with third countries are also planned for a global approach to strengthening international digital resilience.

NIS2 supervisory bodies

The proposed NIS2 directive confers new powers to regulatory bodies established at national level (or identified among existing ones) to oversee implementation of legislation.

Competent authorities

Their specific tasks include:

  • Security audits
  • Inspections and investigations of regulated entities
  • Dynamic analysis of IT risks
  • Requests for information
  • Power to impose sanctions.

They will also have task of increasing population awareness and understanding of cyber risk.

For example, in Italy the National Cybersecurity Center already performs some of these functions.

NIS cooperation group

A cooperation group will be established bringing together these national authorities together with ENISA and European Commission to coordinate cross-border issues and exchange information.

Obligations for essential and digital service operators

NIS2 mandatory subjects

The subjects to whom NIS2 obligations apply are divided into 3 categories:

  • Essential service operators (energy, transport, banking, healthcare, etc.)
  • Digital service providers (cloud, web search engines, e-commerce)
  • Public entities (central and local administrations)

Required safety measures

Regardless of size, all NIS2 entities must meet requirements in terms of:

  • Cybersecurity governance
  • Risk management
  • Operational resilience
  • Monitoring, detection, classification of incidents
  • Business continuity and disaster recovery
  • Information sharing with competent authorities

More stringent security standards are required for entities that support critical services or process significant amounts of personal data.

For example, they will be required to conduct regular penetration testing and cyber crisis exercises to test response plans.

Mandatory incident notification

All NIS2 entities, including SMEs, will have to notify national authorities without undue delay of significant cyber incidents that could disrupt essential services or impact security of data and systems.

Penalties are expected in case of failure to notify.

Expected impact on EU digital resilience

With extensive implementation of NIS2, the European Union aims to significantly reduce the risk and impact of cyber attacks against critical infrastructures and digital services in the coming years.

Success indicators

Some key indicators have already been identified to measure progress in European digital resilience:

  • Average time to detect cyber intrusions
  • Average time to respond and resolve a cyber attack
  • Number of personal data breaches reported annually
  • Economic losses caused by disruptions of critical services

Expected social impact

Benefits for European citizens will come from greater protection of essential services such as healthcare, transport and energy from cyber attacks, and consequently less disruption impacting social life.

Qualitative improvements in digital services are also expected, thanks to investments in data security and infrastructure reliability.

Entry into force and transition

The new NIS2 directive is still in the final stages of the European legislative process, with approval by the EU Council and Parliament expected for 2022.

Obligations taking effect

Once published in the Official Journal of the European Union, member states will have 21 months to incorporate NIS2 into national law.

From that moment on, companies and public bodies covered by the legislation will have 15 months to fully comply with the new obligations.

So NIS2 requirements are expected to become binding between 2023 and 2024, depending on transposition times.

SME support

Given the complexity of the matter, European guidelines and support documentation will likely be published to help small and medium enterprises implement processes and technologies compliant with regulations.

Funding and tenders are also planned to economically support smaller operators in necessary ICT security investments.

Transposition in Italy already completed and new deadline

In Italy, NIS2 directive was transposed last July 31, 2022 with “Legislative Decree no. 123 of June 30, 2022”.

The text faithfully reflects framework and content of European legislation, adapting national law.

Final deadline for compliance

Following entry into force of transposition legislative decree, October 17, 2024 now represents the final deadline by which essential service operators and digital service providers operating in Italy must fully comply with new network and information systems security obligations introduced by NIS2.

After that date, entities not yet fully compliant with directive requirements risk pecuniary fines. For this reason, investments in IT security can no longer be postponed.

Indirect impacts on supply chain and public procurement

Although NIS2 obligations directly apply only to specific operators of essential services and providers of certain digital services, the directive will have a “dragging” effect also on many other companies.

Commercial motivation to comply

In particular, compliance with NIS2 requirements could soon become a de facto prerequisite when participating in public or private calls for tender.

Similarly, it may be an appreciated competitive factor for customers who want to ensure all suppliers in their supply chain meet advanced infrastructure reliability and information security standards.

Cybersecurity certifications

Precisely in order to demonstrate their level of adequacy, it is foreseeable that even companies not subject to NIS2 will increasingly resort to voluntary certifications and third-party independent security audits.

In this way, even without regulatory obligations they can still reap commercial benefits from investing in their cyber resilience level.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • [SYSS-2024-030]: C-MOR Video Surveillance - OS Command Injection (CWE-78) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-030 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04...
  • [SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-029 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Dependency on Vulnerable Third-Party Component (CWE-1395) Use of Unmaintained Third Party Components (CWE-1104) Risk Level: High Solution Status: Fixed...
  • [SYSS-2024-028]: C-MOR Video Surveillance - Cleartext Storage of Sensitive Information (CWE-312) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-028 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Cleartext Storage of Sensitive Information (CWE-312) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public...
  • [SYSS-2024-027]: C-MOR Video Surveillance - Improper Privilege Management (CWE-269) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-027 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Improper Privilege Management (CWE-269) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure:...
  • [SYSS-2024-026]: C-MOR Video Surveillance - Unrestricted Upload of File with Dangerous Type (CWE-434) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-026 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure:...
  • [SYSS-2024-025]: C-MOR Video Surveillance - Relative Path Traversal (CWE-23) September 6, 2024
    Posted by Matthias Deeg via Fulldisclosure on Sep 05Advisory ID: SYSS-2024-025 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Relative Path Traversal (CWE-23) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure: 2024-09-04 CVE...
  • Backdoor.Win32.Symmi.qua / Remote Stack Buffer Overflow (SEH) September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Symmi.qua Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" […]
  • HackTool.Win32.Freezer.br (WinSpy) / Insecure Credential Storage September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/2992129c565e025ebcb0bb6f80c77812.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: HackTool.Win32.Freezer.br (WinSpy) Vulnerability: Insecure Credential Storage Description: The malware listens on TCP ports 443, 80 and provides a web interface for remote access to victim information like screenshots etc.The […]
  • Backdoor.Win32.Optix.02.b / Weak Hardcoded Credentials September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Optix.02.b Vulnerability: Weak Hardcoded Credentials Description: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump […]
  • Backdoor.Win32.JustJoke.21 (BackDoor Pro) / Unauthenticated Remote Command Execution September 6, 2024
    Posted by malvuln on Sep 05Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) Vulnerability: Unauthenticated Remote Command Execution Family: JustJoke Type: PE32 MD5: 4dc39c05bcc93e600dd8de16f2f7c599 SHA256:...

Customers

Newsletter

{subscription_form_1}