Countdown to NIS 2 compliance: Key insights and implications for your SecOps strategy

June 18, 2024

As EU member states scramble to transpose NIS 2 into national law, affected organisations are doubtless accelerating their compliance efforts as the deadline approaches.

There may be much work to do by the 17 October deadline. After all, there were recent reports of French organisations being underinformed about their new obligations.

NIS 2 aims to elevate and harmonise cyber-resilience across the bloc more effectively than its predecessor directive. Among other notable additions, national cybersecurity strategies and cybersecurity risk-management rules for “essential” or “important” entities must incorporate supply chain security and coordinated vulnerability disclosure (CVD) policies.

Belgium, the only member state to fully transpose NIS 2, has also mandated that qualifying entities publish a CVD policy. While this goes beyond what NIS 2 demands, perhaps some other member states will follow suit for reasons we’ll explain later.

NIS 2 should be of interest outside the EU too. Like the General Data Protection Regulation (GDPR), this landmark legislation may well inspire copycat regulations outside the bloc (it’s worth noting too that the UK is still updating its own NIS regulation post-Brexit).

This NIS 2 summary outlines the directive's key points, as well as the benefits of Vulnerability Disclosure Policies (VDPs), Bug Bounty Programs and Continuous Threat Exposure Management (CTEM) for cost-effectively achieving compliance.

What is the NIS 2 Directive?

NIS 2 is the second iteration of the NIS (Network and Information Security) Directive, which broke ground as the first set of EU-wide cybersecurity rules when it came into force in 2016.

Like NIS, the successor legislation is intended to achieve “a high common level of security of network and information systems across the Union”. It aims to do so by obliging:

  • Member states to adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity and computer security incident response teams (CSIRTs)
  • Member states to give organisations tools, mechanisms and encouragement to share information on vulnerabilities, threat actors and so on
  • Organisations providing “essential” or “important” services to implement cybersecurity risk-management measures and promptly report “significant” security incidents
  • Member states to supervise and enforce compliance

The legislation sets out minimum requirements designed to achieve these goals that national laws will have to at least match, if not exceed.

NIS 2 deadlines for compliance

The NIS 2 Directive entered into force in January 2023, from which point member states had 21 months to transpose its requirements into national law. The deadline of 17 October is now only four months away, with all but two countries (Croatia and Belgium) yet to transpose.

Qualifying organisations must self-assess whether they fall within the scope of NIS 2, undertake measures to comply by 18 October 2024, and notify the relevant state regulator that they fall within NIS 2’s scope by April 2025.

Why the original NIS Directive was superseded

The 2016 regulation was judged to be failing to embed sufficient and consistent cyber resilience across the EU and its critical sectors, create a common understanding between states about the threat landscape, or create a joint crisis response capacity.

Among other measures, NIS 2 sets out to remedy these shortcomings by applying to a wider range of sectors, introducing incident reporting deadlines and strengthening information-sharing measures. It also introduces minimum financial penalties for violations and makes “management bodies” liable for infringements.

Vulnerabilities and supply chains to the fore

A dramatic surge in both the number of new software vulnerabilities and supply chain attacks post-2016 meant NIS 2 was drafted in a threat landscape much changed from that of its predecessor.

While the word “vulnerability” appeared only once in the first NIS (and then only in relation to the obligations of CSIRTs), the term “coordinated vulnerability disclosure” appears 11 times in the NIS 2 Directive. Both member states and essential/important entities have obligations around vulnerability management or disclosure. The directive prescribes the creation of a European vulnerability database.

The first NIS was drafted before the game-changing SolarWinds software supply chain attack in 2020, which resulted in the downstream compromise of 18,000 customers (including government agencies). Whereas the first iteration did not even feature the term “supply chain”, NIS 2 mandates state-level risk assessments and entity-level policies on supply chain security.

Figure: Rise in the number of CVE vulnerabilities 2009-2023

NIS 2 sectors and entities

The NIS 2 Directive broadens the scope of critical sectors and divides them into “essential” and “important” entities.

Four new sectors are added to the essential (or “high criticality”) tier, with space, waste water, ICT service management and public administration joining energy, transport, banking, financial market infrastructure, health, drinking water and digital infrastructure (which now also includes trust, cloud and other additional services).

The important category is populated by postal and courier services, waste management, chemicals, food, manufacturing, research and digital service providers, which span online marketplaces, search engines and social networks.

The NIS 2 regulation introduces, with certain exemptions, size and annual turnover parameters too (minimum 250/50 employees and €50m/€10m turnover for essential/important services). Member states have the discretion to make exceptions for high-risk entities that fall outside of these parameters.

Ireland’s National Cyber Security Centre has published a useful table (PDF) for understanding whether your organisation will be subject to NIS 2.

It has been estimated that around 100,000 companies in the EU will have to become NIS 2-compliant. YesWeHack qualifies as an ‘important’ entity and we have taken steps to comply.

NIS 2 risk-management rules

NIS 2 essential and important entities must comply with risk-based security requirements arranged around six themes.

On governance, management bodies must approve, oversee and be held liable for infringements of these NIS 2 controls. They must also undergo cybersecurity risk-management training and encourage their employees to regularly do likewise.

Cybersecurity risk-management measures, meanwhile, “shall be based on an all-hazards approach” and comprise 10 policies on a multitude of security areas, from cryptography to human resources security.

One such policy should cover potential vulnerabilities in their supply chains, while entities should also take into account Union-level coordinated security risk assessments of critical supply chains carried out by the NIS Cooperation Group.

Where entities use third-party ICT services, they may be required to use providers that are certified under pending European cybersecurity certification schemes. Member states are also expected to encourage the use of ‘trust services’, as well as European and international cybersecurity standards and technical specifications.

Finally, NIS 2 introduces deadlines for reporting ‘significant’ security incidents and simplifies the criteria for reportable incidents, since the previous conditions led to overreporting. CSIRTs or competent authorities must be sent an early warning within 24 hours, an incident notification within 72 hours, an intermediate report (where applicable), a final report within a month of the incident notification, then (for ongoing incidents) a progress report. The CSIRT/competent authority should provide feedback, potentially with mitigation measures. Where appropriate, organisations should also notify and provide advice to affected users.

NIS 2 vulnerability management requirements

The risk-management policies qualifying entities must develop include a policy for “security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure”.

National cybersecurity strategies, meanwhile, should generate a policy on “managing vulnerabilities, encompassing the promotion and facilitation of coordinated vulnerability disclosure”.

To this end, a network of national CSIRTs will mediate coordinated vulnerability disclosure where necessary; track and disseminate information and best practices around cyber threats, vulnerabilities and incidents; help NIS 2 sectors monitor their networks and information systems; and hunt for vulnerabilities through non-intrusive scanning of essential and important entities’ online assets.

In consultation with the Cooperation Group, ENISA (European Union Agency for Cybersecurity) is tasked with building and maintaining a European vulnerability database, and to this end has just become a CVE Numbering Authority. Entities, whether subject to NIS 2 or not, will be able to voluntarily disclose vulnerabilities in ICT products or services. ENISA’s chief cybersecurity and operational officer has sought to allay fears that such a database would itself present an intolerable security risk.

Incidentally, YesWeHack already provides a secure, straightforward and legally protective mechanism for reporting vulnerabilities in the form of Another pair of YesWeHack products, Firebounty (website) and VDP-Finder (free web browser plugin), should be consulted first in case the vendor has a dedicated Vulnerability Disclosure Programme (VDP).

Penalties for non-compliance

Violations of NIS 2 could lead to fines of up to €7 million or 1.4% of total annual turnover for important entities, or up to €10 million or 2% of total annual turnover for essential entities (whichever is higher). Senior management can also be held liable for violations.

Belgium’s transposition doubles fines for repeat offenders (where the second offence occurs within three years of the first).

Costs of NIS 2 compliance

Organisations already compliant with ISO 27001 – which includes YesWeHack – have a head start in the journey to compliance. While ISO 27001 compliance is not a prerequisite for NIS 2 compliance, the overlap between the two makes this ISO standard an excellent springboard.

An EU impact assessment on the first NIS (PDF) estimated that compliance with a successor directive would typically require qualifying entities to increase cybersecurity spending by up to 22%. However, it also suggested that increased costs could be offset by costs averted through a reduction in security breaches.

Organisations keen to comply in a way that cost-effectively hardens their digital assets might be interested to hear a couple of relevant insights.

First, that continuous threat exposure management (CTEM) – a best-practice methodology for continuously monitoring and hardening your attack surface – could result in a two-thirds reduction in breaches, according to market research firm Gartner. And second, that one Bug Bounty customer estimates that Bug Bounty is typically 90% cheaper than traditional pentesting.

For even greater effectiveness, the YesWeHack platform combines the best of both worlds by integrating attack surface management with vulnerabilities generated by Bug Bounty Programs, automated scanning, traditional pentesting and Vulnerability Disclosure Policies (VDPs).

NIS 2 transposition: state of play

Croatia has partially transposed NIS 2, as of February 2024, with additional regulations still required.

Belgium’s full transposition was ratified by its parliament on 18 April.

France is likely to be the next to transpose NIS 2, potentially within a matter of days or weeks. ANSSI, the country’s cybersecurity agency, is developing tools for assessing whether an organisation is among an estimated 1,700 French entities that need to comply, for implementing risk-management measures, and for tracking compliance.

Transposition is otherwise most imminent in Austria, Germany, Latvia, Hungary and the Czech Republic. The UK transposed NIS before Brexit and has announced plans to upgrade the regulation.

Belgium sets template with VDP requirement

The Belgian transposition goes beyond NIS 2’s minimum requirements by adding an 11th risk management policy to qualifying entities’ obligations: a policy on coordinated vulnerability disclosure (CVD).

Belgium’s transposition outlines the process through which a vulnerability can legally (and anonymously if preferred) be reported to the national CSIRT. This includes time limits (including 24 hours for a “simplified notification”) and, where the organisation lacks a CVD mechanism, having evidence that they sought “to contact the organization using ordinary means (e-mail to info@ or contact@ or dpo@)”.

However, Belgium’s prescription for a CVD policy should serve as a wakeup call for any important/essential organisations that blithely assumed the CSIRT mechanism meant they could forgo a VDP.

Many other member states could arguably emulate Belgium given CVD policies are recommended by NIST, ENISA and CISA, and prescribed by ISO 29147 and ISO 30111.

More importantly still, the NIS Cooperation Group’s guidelines on implementing CVD policies (PDF) advise competent authorities to urge organisations to adopt their own CVD policy in line with best practices. Public authorities, the document also instructs, should adopt their own CVD as standard, demand the same from their suppliers and include CVD provisions in public procurement contracts.

YesWeHack can help you create a branded VDP conformant with these guidelines and your specific requirements and integrate it into your website. Other product features:

  • Unified interface for receiving reports and managing vulnerabilities
  • Receive only valid, actionable reports thanks to our in-house triage service
  • Triage team can evaluate bug severity and liaise with security researchers
  • End-to-end encryption ensures confidential communication

Bug Bounty model endorsed by NIS authority

VDPs are not the only form of CVD policy. The NIS Cooperation Group guidelines also endorse Bug Bounty (or vulnerability reward) Programs as a beneficial form of CVD for “most organisations”, citing multiple benefits:

  • Financial ‘bounties’ incentivise security researchers to generate “more results for the organisation”
  • A Bug Bounty platform “will coordinate the technical and administrative aspects of its reward programme with the organisation”
  • “A coordinator or a bug bounty platform can help to establish and maintain a constructive relationship between the parties, or possibly guarantee the anonymity of reporters”
  • “Promotion of financial reward programmes or bug bounty programmes can help raise awareness on vulnerability research”

Launch a Bug Bounty Program with YesWeHack to benefit from:

  • Agile security testing adapted to your development model
  • Results-based pricing – paying only for valid, actionable reports
  • In-house triage to ensure triage quality, consistency and confidentiality
  • Vulnerability reports seamlessly integrated with your tools and workflows
  • Increased security literacy among your devs to reduce the creation of vulnerabilities early in project lifecycles

Risk-based solutions for a risk-based regime

However, Bug Bounty Programs and other forms of security testing only mitigate risks posed by vulnerabilities in known online assets. Unknown internet-facing assets can be continuously discovered by continuous threat exposure management (CTEM), which features among Gartner’s top cybersecurity trends for 2024.

Therefore a CTEM-based approach combining security testing with attack surface management should form an invaluable plank of the “appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems” prescribed by NIS 2.

NIS 2 also mandates policies on asset management and supply chain security. Clearly, understanding your attack surface is integral to managing your organisation’s digital assets and its exposure to vulnerabilities in third-party components.

YesWeHack’s Attack Surface Management (ASM) product enables a unified, comprehensive and risk-based approach to security testing that aligns with the risk-based NIS 2 regime and most other modern cybersecurity legislation.

In accordance with Gartner’s Continuous Threat Exposure Management (CTEM) model, our ASM offers:

  • Continuous visibility of your true digital footprint and exposure to known vulnerabilities
  • Automated prioritisation of vulnerabilities based on an easy-to-understand algorithm
  • Strategised security testing and remediation to tackle the most critical vulnerabilities at scale

Figure: Gartner’s Continuous Threat Exposure Management (CTEM) model

NIS 2 and the wider legal context

NIS 2 complements a raft of recently enacted EU laws. These include the Cybersecurity Act 2019 (introduced a common certification framework for ICT products), Digital Operational Resilience Act 2023 (ICT security rules for financial services firms) and Cyber Resilience Act 2024 (smart devices).

Regulations elsewhere, such as the US SEC Cyber rules or the UK’s recent PSTI Act, are similarly orientated.

These regulations are collectively building a legal environment that promotes (alongside defensive measures) the proactive, continuous discovery of vulnerabilities, a risk-based approach to their remediation, and a culture of information-sharing around threats, vulnerabilities and best practices.

To find out more about how YesWeHack can help you comply with NIS 2 and other regulations, contact our sales team or book a demo of our Bug Bounty and vulnerability management platform.