The NIS 2 Directive is now enforceable across the EU amid uncertainty about its implementation with most member states missing the deadline for transposing the regulation into national law.
Today was the deadline for member states to implement the wide-ranging cybersecurity legislation into national law. The EU’s two biggest economies, France and Germany, are among the countries to have missed this cut-off date. According to a transposition tracker from the DNS Research Federation, Estonia and Portugal have yet to start the process for Article 28 ('Database of domain name registration data').
Confusion persists about the obligations entailed for in-scope entities. Some 38% of qualifying Irish businesses have yet to update their cybersecurity policies, for instance, and 67% cited complexity as the primary concern about implementation, according to a survey by Mason Hayes & Curran.
With NIS 2 violations punishable by fines of up to €10 million or 2% of an entity’s total annual turnover, and senior management potentially held liable, the stakes for getting NIS 2 compliance right are high.
This NIS 2 explainer summarises the state of play, explains why NIS 2 has global implications, and outlines notable changes versus NIS 1, in particular the ramifications for our area of expertise: security testing and vulnerability management.
NIS 2 Directive summary: changes versus NIS 1
Like its 2016 predecessor, the second iteration of the NIS (Network and Information Security) Directive is intended to achieve “a high common level of security of network and information systems across the Union”.
For member states, this means adopting national cybersecurity strategies, designating competent authorities and computer security incident response teams (CSIRTs), and providing tools and support to qualifying entities. Regulated organisations meanwhile must implement a raft of cybersecurity risk-management measures.
The headline changes versus NIS 1 include a wider range of in-scope sectors and their division into “essential” and “important” categories. Regulated sectors include banking, energy, transport and digital service providers such as online marketplaces, search engines and social networks. It has been estimated that around 300,000 institutions will be within scope, compared to just 20,000 under NIS 1.
Other notable changes include a 24-hour incident reporting deadline and stronger information-sharing measures.
There is also an emphasis, almost entirely absent from NIS 1, on securing supply chains and facilitating coordinated vulnerability disclosure (CVD). This reflects a changed threat environment amid the seemingly inexorable surge in new vulnerabilities since NIS 1 (see chart below). Among other measures, NIS 2 prescribes the creation of a European vulnerability database, while entities are instructed to undertake risk-management measures related to “vulnerability handling and disclosure”.
Meet ‘all hazards’ NIS 2 compliance requirements with CVD policies and attack surface management
The NIS Cooperation Group has issued guidelines on implementing CVD policies (PDF) that advise competent authorities to urge organisations to adopt their own CVD policy, while public authorities should demand the same from their suppliers and include CVD provisions in public procurement contracts. Launching a Vulnerability Disclosure Policy (VDP) is increasingly necessary, not just a ‘nice to have’.
The NIS guidelines also endorse Bug Bounty (or vulnerability reward) Programs as a vehicle for implementing CVD that produces strong results for “most organisations”.
The NIS 2 Directive prescribes an “all-hazards” approach to risk management. Any strategy that duly aims to build resilience against all realistic threats must surely reckon with the proverbial ‘known unknowns’ and ‘unknown unknowns’.
And if security teams are to uncover hidden risks, and indeed comply with NIS 2 requirements on asset management and exposure to third-party risks, then continuously mapping and monitoring your attack surface is a must. Unsurprisingly, then, the definitive methodology for achieving this, continuous threat exposure management (CTEM), is a top security tech trend for 2024 according to no less an authority than Gartner. Marry a CTEM-based approach with security testing from multiple sources and you’re particularly well positioned to mitigate known and unknown risks.
NIS 2 applicability: A patchy process
Enforcement is likely to be patchy and inconsistent at first. Only six member states – Belgium, Croatia, Greece, Hungary, Latvia and Lithuania – have seemingly adopted NIS 2 legislation ahead of the deadline. Many of the rest are expected to implement the regulation in the first half of 2025.
Since NIS 2 prescribes minimum requirements, there is room for flexibility in how laws are transposed. For instance, the Belgian transposition adds a CVD policy requirement to its new risk-management obligations, while “Germany is seeking to narrow the scope of national NIS2 regulation compared to the EU directive” in terms of which entities qualify, according to Daniel Widmann of Pinsent Masons.
So while the NIS 2 Directive is intended to create uniformity across the EU’s regulatory landscape, there remain meaningful differences from state to state. In terms of deadlines for self-assessment/registration, NIS 2 compliance particulars and enforcement regimes, compliance teams must research the specifics of the jurisdictions they operate in.
Relevant details can be found on the websites of competent authorities (often the national cybersecurity agency or similar) along with various tools. For example, member states have provided (or are planning to provide) self-assessment tools for determining whether your organisation is within scope (among others, existing tools are available in France, Germany, Ireland, and the Netherlands).
Compliance strategies are also shaped by the sector an organisation operates in, its level of security maturity, and its compliance with various standards and frameworks. For instance, compliance with ISO 27001 (which YesWeHack has) gives you a great springboard for NIS 2 compliance.
NIS 2 Directive: A de facto global standard?
NIS 2 has extra-territorial applicability, insofar as non-EU organisations must comply if they operate in the relevant sectors within the EU, and could be indirectly affected if they have partners or third-party suppliers in the trading bloc.
Clearly, market access to the world’s largest trading bloc is heavily contingent on compliance.
Moreover, perhaps NIS 2 compliance will become a sort of de facto global standard/aspiration given how GDPR inspired copycat data privacy regulations elsewhere. Indeed, Geert van der Linden, executive VP of global cybersecurity services at Capgemini, has told CNBC that “NIS 2 will be seen as a global standard by judges”.
NIS 2 is just one of several far-reaching cybersecurity laws in force across the EU or in the pipeline. These include the Cybersecurity Act 2019 (which introduced a common certification framework for ICT products), the Digital Operational Resilience Act 2023 (ICT security rules for financial services firms) and the Cyber Resilience Act 2024 (smart devices, with the UK having an equivalent in the PTSI Act).
The regulatory landscape is not so different elsewhere, with significant legislation in the pipeline in Australia for instance. Across the Atlantic, President Biden's 2021 Executive Order set in motion numerous initiatives and regulations. Significant new cyber rules from the US SEC also reflect a trajectory towards more prescriptive and punitive cybersecurity legislation amid growing economic and national security threats posed by state-backed malicious actors in particular.
Read our more in-depth look at NIS 2 and its implications for your SecOps strategy.
To find out how YesWeHack can help you comply with NIS 2 and other cybersecurity regulations, contact our sales team or book a demo of our Bug Bounty and vulnerability management platform. For instance:
- YesWeHack can help you create a branded VDP that aligns with NIS CVD guidelines on implementing CVD policies (PDF) and with your requirements
- Launch a Bug Bounty Program with YesWeHack for the ultimate CVD model – and benefit from agile security testing adapted to your development model, results-based pricing, in-house triage, seamless integration with your security tools and more secure development practices
- YesWeHack’s Attack Surface Management (ASM) product enables a unified, comprehensive and risk-based approach to security testing