The NIS2 and CER directives are two pieces of EU legislation that matter to businesses across the EU and especially in the Nordic region. NIS2 aims to raise the level of cybersecurity in the EU by extending the scope of the original NIS Directive to more sectors and by setting a common baseline of cybersecurity risk management and incident reporting obligations.
Under NIS2, ‘essential’ and ‘important’ entities must meet the same risk management and incident reporting obligations. They differ in how they are supervised and sanctioned: essential entities are subject to proactive (ex ante) supervision, while important entities are supervised reactively (ex post), once there is evidence of non-compliance, and face lower maximum fines.
The CER directive, by contrast, takes an all-hazards view of ‘critical entities’, preparing them for natural and man-made threats such as accidents, natural disasters, public health emergencies, terrorism and hybrid threats; the cybersecurity of those same entities is addressed through NIS2. Together, the two directives are set to shape the EU digital market significantly by establishing unified and robust resilience standards across member states.
This piece provides a comprehensive guide to understanding both directives, covering key elements and implications. Additionally, it explores how businesses can prepare for compliance as well as the support services NCG can offer.
The NIS2 and CER directives are two significant pieces of legislation for which businesses in the EU must prepare. They aim to enhance cybersecurity and resilience in the European Union by setting unified and strong standards across member states.
NIS2 Regulation
NIS2, or the Network and Information Systems Directive 2 (Directive (EU) 2022/2555), replaces the original NIS Directive (Directive (EU) 2016/1148), extends its reach to a wider range of organizations and refines the approach to cybersecurity. Its key provisions focus on strengthening the resilience of ‘essential’ and ‘important’ entities by setting requirements for safeguarding network and information systems: incident reporting obligations with fixed deadlines, risk management measures, and security measures that take the state of the art into account. Under Article 21, these measures must be based on an all-hazards approach that aims to protect network and information systems, and the physical environment of those systems, from incidents.
The scope of NIS2 extends across sectors deemed essential for societal and economic functions, from energy, transport and healthcare to finance and DNS service providers. Whether a given organization is in scope depends on its sector (Annex I and Annex II of the Directive) and, as a rule, on its size: medium-sized and larger entities in those sectors are covered, while some categories, such as DNS service providers and top-level domain name registries, are covered regardless of size. Further, all entities identified as ‘critical entities’ under the CER Directive fall within the scope of NIS2 regardless of their size, and are treated as essential entities.
The NIS2 Directive underscores the importance of robust security measures and incident reporting, implements a more stringent enforcement framework, and places significant emphasis on supply chain security, including the security of the ICT products and services an entity procures from its suppliers.
In line with Article 21 of the NIS2 Directive, ‘essential’ and ‘important’ entities are obligated to take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the network and information systems they use in their operations or in providing their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. These are the Directive’s cybersecurity risk management measures.
CER Directive
The Critical Entities Resilience Directive (CER) establishes a framework to ensure that essential services – services crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment – can continue to be provided without disruption. Its key features include the identification by each Member State of its ‘critical entities’ against the criteria in Article 6 of the Directive, and a proactive approach to resilience. It functions on the principle that ‘resilience’ extends beyond cybersecurity to physical and other threats, including natural disasters, acts of terrorism and other related dangers.
The CER Directive (Directive (EU) 2022/2557) supersedes the 2008 European Critical Infrastructure Directive (Directive 2008/114/EC) and covers critical entities operating in 11 sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, space, and food.
The primary objectives of the CER are to strengthen resilience against cyber and non-cyber threats, foster a culture of continuous improvement, and elevate the overall preparedness and resilience posture of organizations. Per Article 13 of the Directive, critical entities must take appropriate and proportionate technical, security and organizational measures to ensure their resilience.
Some of the key requirements of the CER Directive include:
- Conducting a risk assessment that considers all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies and hybrid or other antagonistic threats
- Identifying the relevant risks and the measures needed to ensure resilience against them
- Having a process for background checks on persons who hold sensitive roles in the organization, where the Member State permits it
- Documenting a resilience plan (or equivalent document, such as a business continuity plan)
- Documenting a process for notifying the competent authority of incidents that significantly disrupt or could significantly disrupt the provision of essential services
- Designating a liaison officer or equivalent as the point of contact for communications with the competent authorities; and
- Periodically reviewing the risk assessment, when necessary and at least every four years.
Relationship Between NIS2 & CER
The relationship between the CER framework and NIS2 is complementary: both converge to fortify the resilience of the EU’s critical and essential entities. It is no coincidence that the two directives entered into force on the same day, 16 January 2023; they complement each other to protect essential services while keeping distinct scopes. NIS2 sets specific requirements focused on cybersecurity, whereas the CER Directive expands beyond cyber resilience, taking a broader approach to the protection and preparedness of these entities.
This interplay between NIS2 and the CER underscores the holistic approach adopted to mitigate risks and improve the overall resilience of critical entities throughout the EU.
Implications for Businesses
In the wake of the NIS2 and CER Directives, businesses operating throughout the EU find themselves at a critical juncture where cybersecurity and broader resilience compliance is not just a legal obligation but a strategic imperative. Both Directives are to be transposed into national law by 17 October 2024, so affected organizations need to act swiftly to meet the requirements.
Let’s explore the multifaceted implications these regulations carry for organizations, ranging from compliance requirements to the potential consequences of non-compliance.
Potential Consequences of Non-compliance
Failure to adhere to the NIS2 and CER Directives carries substantial penalties for organizations. Under NIS2, the maximum fine for “essential” entities is at least €10 million or 2% of total worldwide annual turnover, whichever is higher, and for “important” entities at least €7 million or 1.4%, whichever is higher. The CER Directive sets no EU-wide cap; each Member State lays down its own penalties, which must be effective, proportionate and dissuasive.
- Fines and penalties: Non-compliance with NIS2 and the CER exposes businesses to substantial fines and penalties. Regulatory authorities are empowered to impose financial sanctions for violations, and NIS2 goes further: management bodies must approve the cybersecurity risk management measures and can be held liable for infringements, and for essential entities authorities may, as a last resort, temporarily suspend certifications or authorisations and temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions. To mitigate the risk of these repercussions, businesses must diligently adhere to the compliance requirements outlined in the directives.
- Damage to reputation and customer trust: Beyond financial consequences, the repercussions of non-compliance extend to the realm of reputation and customer trust. A cybersecurity breach resulting from failure to comply with NIS2 and the CER can erode the trust of customers and stakeholders. The potential damage to reputation may have lasting effects on business relationships and market standing.
Therefore, businesses must recognize the broader impact of non-compliance on their brand image and proactively work towards building and maintaining trust through robust cybersecurity measures.
Preparing for NIS2 and CER Compliance
As the NIS2 and CER directives have come into force, organizations must prepare for compliance to ensure the security and resilience of their operations.
Member States will transpose both directives into national law by 17 October 2024. Organizations must proactively prepare for compliance before this deadline to ensure adherence to the legislation’s requirements.
The following key steps are essential in preparing for NIS2 and CER compliance:
1. Specify Your Organization’s Requirements
Understand the core requirements of NIS2 and the responsibilities outlined in the CER Directive. Then determine the applicable scope: for NIS2, evaluate whether your organization fits the criteria of an “essential entity” or an “important entity”, using Annex I of the Directive for the sectors of ‘high criticality’ and Annex II for the ‘other critical sectors’. For the CER Directive, which uses the term “critical entity”, refer to its Annex for the covered sectors and categories of entities, and to the non-exhaustive list of essential services that the Commission adopts under Article 5(1); note that critical entities are formally identified by each Member State, not self-declared.
2. Perform a Gap Assessment for Improvement
Conduct a thorough gap assessment to gauge compliance with NIS2 and CER requirements. Identify gaps in policies, risk analysis, incident handling, business continuity, supply chain security, and the acquisition, development and maintenance of network and information systems. Many of the requirements in NIS2 can be mapped against the CER Directive, so rather than performing two similar assessments separately, let Nordic Cyber Group use our automated tools to assess both at once.
3. Develop a Compliance Roadmap with Timelines
Secure the necessary funding and resources for compliance. Create a precise roadmap, with specific timelines and milestones for implementing the mandated security measures and achieving full compliance. Align it with the directive deadlines to avert potential penalties for non-compliance.
By proactively identifying the specific requirements, conducting a thorough gap assessment, and developing a clear roadmap for compliance, organizations can effectively prepare for the NIS2 and CER directives, enhancing their cybersecurity posture and resilience.
4. Start with the Strategy
Both the NIS2 and CER Directives require a comprehensive strategy for enhancing the resilience of critical and essential entities, although these particular obligations fall on Member States rather than on organizations directly. Article 7 of the NIS2 Directive requires each Member State to adopt a national cybersecurity strategy that includes, among other things, a governance framework, a mechanism to identify relevant assets and an associated risk assessment, measures for incident preparedness and response, and policies addressing cybersecurity in the supply chain for ICT products and services.
Similarly, Chapter II (Article 4) of the CER Directive requires each Member State to ‘adopt a strategy for enhancing the resilience of critical entities’, including a description of the measures necessary to enhance their overall resilience, a description of the process for the Member State risk assessment, a description of the measures supporting critical entities, measures to enhance cooperation between the public and private sectors, and a list of the main authorities and relevant stakeholders.
Mirroring these national strategies in your own organization’s resilience strategy is a sensible starting point: it sets the scene for the compliance journey ahead and gives your later policies and procedures a common frame.
Implementing NIS2 and CER Compliance
Once the specific requirements for your organization have been identified and a roadmap for compliance has been developed, the next step is to implement the necessary measures to achieve compliance. This involves addressing the gaps identified in the gap assessment and ensuring that your organization meets the requirements outlined in the NIS2 and CER directives. Some valuable sources for successful implementation in organizations include:
- The European Commission’s NIS2 material, including its published guidance on the Directive’s requirements, can serve as a valuable resource for organizations seeking to comply.
- The UK’s National Cyber Security Centre has issued guidance on implementing the NIS regulations, notably its Cyber Assessment Framework (CAF), which remains a useful reference for organizations aligning with the NIS2 Directive even though the UK is not bound by it.
Adhering to these strategies and best practices empowers organizations to enact the requisite measures, ensuring compliance with the NIS2 and CER directives and fortifying their cybersecurity stance and resilience.
How We Can Support
As a leading, certified resilience firm, we understand the complexities and challenges associated with achieving compliance with the NIS2 and CER directives. We offer tailored services to support organizations across the EU in their compliance efforts.
Our services related to NIS2 and CER compliance include:
- Comprehensive Compliance Assessment: Our team thoroughly assesses your organization’s cybersecurity posture and identifies specific areas that require attention to meet the NIS2 and CER requirements, through a comprehensive gap assessment. Our automated and integrated tools will ensure our assessment ticks off various regulations with no double-handling.
- Customized Roadmap Development: We work closely with your organization to develop a personalized roadmap for compliance, outlining clear timelines and milestones to ensure a smooth and efficient compliance process.
- Policy and Procedure Development: Our experts assist in developing and implementing robust policies and procedures to address the specific requirements of the NIS2 and CER directives.
By leveraging our expertise, we can provide the necessary guidance and resources to help your organization navigate the complexities of these directives and achieve a robust cybersecurity posture.
Reach out today to learn more about our services!