NIS2: Next Step Forward on EU Security Requirements
The European Union (EU) is poised to take the next step forward on implementing the second Network and Information Security Directive (NIS2). All eyes are now on the upcoming Implementing Regulation, which will detail incident reporting thresholds and cybersecurity measures that will apply to critical sectors across EU member states. As the EU Commission is expected to finalize the Implementation Regulation shortly, organizations can prepare by familiarizing themselves with the major requirements of NIS2.
NIS2 focuses on strengthening EU resilience through new and amended obligations for cybersecurity risk management practices, incident reporting, and security audits. NIS2 imposes obligations on entities across critical sectors to adopt numerous cybersecurity measures, including controls related to vulnerability management and disclosure. NIS2 also introduces supervisory measures for national authorities in individual Member States, as well as stringent enforcement requirements.
In addition, NIS2 establishes a framework for coordinated vulnerability disclosure (CVD) across the EU. NIS2 requires EU Member States to create policies for“managing vulnerabilities, encompassing the promotion and facilitation of” CVD, and for each Member State to designate one of its computer security incident response teams (CSIRTs) as a CVD coordinator.
Brief Background on NIS2
NIS2 builds and expands upon the original NIS Directive, which was introduced in 2016 as the first EU-wide legislation on cybersecurity. Two notable differences from the first iteration of the directive are that NIS2 significantly expands the “essential” and “important” entities to which the directive applies, and imposes administrative fines in the event of non-compliance.
NIS2 applies to public or private entities that provide a service within the EU that is listed in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors) of the directive. Under NIS2, the designation of “essential” or “important” is based on a company’s size and the criticality of the services they provide. “Essential” entities are proactively supervised, whereas “important” entities will fall under reactive supervision.
Under NIS2, entities providing “essential” or “important” services must comply with the same set of 10 cybersecurity risk management measures, such as vulnerability handling and disclosure, testing the effectiveness of security safeguards, and incident response. Some of these measures will be further detailed in the Implementing Regulation (a draft is available here). NIS2 is a “minimum harmonization” law, meaning that Member States can, in some areas, impose additional obligations in their implementing laws beyond those set out in the NIS2 Directive itself. Topics covered by the Implementing Regulation, however, should apply consistently across member states.
For entities found out of compliance with NIS2, administrative fines can reach up to 10 million Euros, or 2% of the company’s annual revenue for “essential” entities, whichever is higher. Notably, NIS2 also mandates personal liability for corporate executives in the event of non-compliance.
How to Prepare: Security Controls for In-Scope Entities
Article 21 of NIS2 outlines ten cybersecurity risk management measures to be adopted by in-scope entities. This includes security in network and information systems acquisition, development, and maintenance, as well as vulnerability handling and disclosure.
A robust vulnerability disclosure process, in addition to regular security testing like penetration testing, will help ensure organizations comply with NIS2, and identify and remediate security weaknesses in their systems more quickly and effectively. Implementing a strong CVD process will also help meet the requirements of any national transposition of NIS2 that go beyond the directive’s requirements, as is the case with the Belgian transposition which actually requires entities to implement a CVD policy.
As the NIS2 deadline nears, in-scope organizations should take action now by establishing a vulnerability disclosure program (VDP). In September, HackerOne launched Essential VDP — a free, self-serve tier of HackerOne Response, our Vulnerability Disclosure Program (VDP) product. This product will be useful for “essential” and “important” companies that have to apply vulnerability handling and disclosure measures as part of their cybersecurity risk management compliance with NIS2.
Additionally, in 2023, the NIS Cooperation Group released guidelines for Member States on implementing national CVD policies. The cooperation group is a platform for EU collaboration with representatives from EU Member States, the European Commission, and the European Union Agency for Cybersecurity (ENISA). The guidelines explicitly endorsed vulnerability rewards programs such as bug bounty programs as an impactful means of implementing CVD.
CVD for EU Member States
As Article 12 of NIS2 outlines, each Member State must designate one of its CSIRTs as a coordinator for a national CVD program. The CSIRT coordinator will identify and contact the entities involved in a vulnerability disclosure, assist those reporting a vulnerability, negotiate disclosure timelines, and manage vulnerabilities that affect multiple entities.
In addition, ENISA must develop and maintain a European vulnerability database, with “appropriate information systems, policies, and procedures….to ensure the security and integrity of the European vulnerability database.” Mirroring the functions of the U.S.-based National Vulnerability Database (NVD), this EU database will include information describing a vulnerability, the affected products or services, the associated severity, and the availability of related patches and remediation guidance.
NIS2 Next Steps
The European Commission is expected to issue a finalized Implementing Regulation in the coming days. The Implementing Regulation will provide a consistent EU approach to incident reporting thresholds and cybersecurity measures. At the same time, member states are busy transposing NIS2 into their own national laws, a process known as transposition.
Transposition of NIS2 presently has a deadline of 17 October 2024. Some Member States, like Belgium, have already achieved transposition, though several other Member States, like the Netherlands, have publicly stated they anticipate a longer transposition process, likely well into 2025.
It will be important to track the European Commission’s forthcoming publication of the Implementing Regulation, as well as the progress of Member States’ transposition of NIS2 into their national laws. Tracking these and other developments will help businesses know what EU agencies and Member States expect with regard to NIS2 compliance.
Conclusion
Businesses should anticipate that NIS2 will come into effect at the EU-level over coming weeks and months. To help prepare, we recommend that businesses in the EU should determine whether they are in-scope for NIS2, and in which specific Member State jurisdictions. Businesses should work with their IT and compliance teams to determine whether their current security controls meet the risk management measures required under NIS2. HackerOne’s vulnerability management solutions, including our vulnerability monitoring and Essential VDP services, are an excellent way to begin fulfilling NIS2 vulnerability handling and disclosure requirements.
By strengthening the security practices of important and essential entities, NIS2 will help protect health and safety and ensure critical services are resilient to disruption. HackerOne looks forward to working to achieve a high common level of security across Europe.
The Ultimate Guide to Managing Ethical and Security Risks in AI