With the ever-increasing digitalisation of personal and work life, it has become increasingly evident that cyber threats, be they from criminals or nation-state actors, pose an evolving risk to the everyday working of society, writes Mick Begley, Chief Information Officer of .IE.
The Network and Information Security Directive (NIS 1) set the precedent for EU legislation when it came to cybersecurity. Its goal was to achieve a high common level of cybersecurity across EU member states. It resulted in member states designating key “entities” as “operators of essential services” (OES) and led to regulations being put in place in national law around the area of cybersecurity, including incident notification by such entities.
Since the NIS 1 Directive was adopted, the threat landscape has moved on. As a result, the European Commission (EC) proposed a revised directive, NIS 2, which would widen the scope of application to more entities in the sectors of the economy already within scope, as well as adding new sectors. In framing the proposed directive, the EC also aimed to achieve a high level of harmonisation of security requirements and reporting obligations across the Union.
The new directive does away with the NIS 1 terms of OES and digital service provider (DSP) and replaces them with “important entities” and “essential entities”. The classification of organisations is determined by Annex I and II of the directive. By default, all entities belonging to a listed sector are automatically allocated to that sector’s category.
Sectors that are deemed “essential entities” include:
• energy (electricity, energy storage, district heating, oil, gas, and hydrogen);
• transport (air, rail, water, and road);
• banking and financial market infrastructures;
• health (including research and manufacturing of pharmaceuticals and medical devices, EU reference labs);
• drinking water and wastewater;
• digital infrastructure (IXP, DNS, top level domain (TLD) registries, cloud, data centre service providers, CDN, trust service providers, and electronic communications);
• public administrations; and
Sectors under “important entities” include digital providers such as online marketplaces, search engines, and social networks.
There is a size-cap provision in place which should exclude certain SMEs (under 50 employees, turnover ceilings) from the scope of the directive. However, some small organisations may not qualify for this size exception if they come within the scope of Article 2 of the revised directive.
Article 18 provides that the entities covered by the Directive will need to carry out “an all-hazards approach when it comes to protecting network and information systems and their physical environment from incidents and shall include at least the following”:
a) risk analysis and information system security policies;
b) incident handling;
c) business continuity, such as backup management and disaster recovery, and crisis management;
d) supply chain security;
e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; and
f) policies and procedures to assess the effectiveness of cybersecurity risk management measures, and policies and procedures regarding the use of cryptography and the use of multi-factor authentication.
Also new within the NIS 2 regulatory regime are rules with regard to the accountability and responsibilities of management bodies when it comes to compliance with security requirements. In the event of a security incident where an entity is found to be in breach of its NIS 2 obligations, management bodies may be subjected to the following:
• the issuing of fines;
• being held liable for breach of their duties laid down in the directive;
• the levying of a professional ban on members of the management team by the relevant regulatory authority; and
• the imposition of a Monitoring Officer for a set period of time to ensure that the organisation meets its compliance requirements.
The revised directive sets out strict rules with regard to the reporting of security incidents. Entities are obligated to issue an initial early warning within 24 hours and a full incident notification within 72 hours to the relevant regulatory organisation. A final report on the incident will have to be submitted within a two-month period.
The Commission’s proposal went to both the European Parliament and the Council of Ministers for review. Each body issued a draft with its proposed revisions to the original directive text. This went through a process of inter-institutional negotiations (“trilogue”) from which a political agreement was reached on the final text of the NIS 2 Directive in May 2022. This text will next go before the next plenary of the European Parliament in the autumn, after which it will formally become law. EU member states will have 21 months to transpose the requirements of the Directive into national law.
As a country code top level domain (ccTLD) registry, we are designated as an “essential entity” under the new NIS 2 Directive. Accordingly, it is essential that we continue to provide a trusted pathway to the internet for Irish people, communities, and businesses. As part of maintaining that trust we have recently completed a programme of work to achieve ISO 27001 security certification.
ISO 27001 is the only certifiable international standard that ensures an organisation manages and mitigates its cybersecurity risks in an effective manner. It mandates a systematic approach to cybersecurity risk management, covering processes, technology and people, that helps us protect and manage all our data. By seeking and achieving ISO certification, .IE has shown its commitment to taking cybersecurity seriously and to ensuring we fully meet our obligations, including those within the NIS 2 Directive. ISO 27001 is rapidly becoming the de facto best practice certification for national ccTLDs, as a way to demonstrate their cybersecurity credentials to national policymakers and legislators.
Collectively and individually, the challenge for business, government and citizens is to continue to improve cybersecurity practices and processes.