The NIS2 Directive - A primer
If you haven't heard about it by now, there is no doubt you will soon.
Over the next few weeks, we will unpick and share what NIS2 is, who it applies to and how it might affect you.
In this first post, we will cover what NIS2 is.
So, let's begin!
In 2020, the European Union adopted a “Cybersecurity Strategy for the Digital Decade”. As the EU Commission pointed out;
"Cybersecurity is an integral part of Europeans’ security. Whether it is connected devices, electricity grids, or banks, aircraft, public administrations or hospitals they use or frequent, people deserve to do so within the assurance that they will be shielded from cyber threats. The EU’s economy, democracy and society depend more than ever on secure and reliable digital tools and connectivity. Cybersecurity is therefore essential for building a resilient, green and digital Europe."
NIS2 - what is it?
The NIS2 Directive is an update to the cybersecurity rules introduced in 2016. The NIS2 includes new sectors and entities (compared to NIS). The NIS2 was adopted by the EU Commission in January 2023.
EU Member States have to transpose the Directive into national law and directly applicable measures by 18 October 2024 and to be in operation January 2025.
NIS2 is the first EU-wide law on cybersecurity.
Key elements of the NIS2 Directive
- The NIS2 is part of the EU Cybersecurity Strategy
- NIS2 increases the number of sectors and entities that fall under the law (compared to NIS1). These are referred to as “Operators of Essential Services” (OES) and “Digital Service Providers” (DSP).
- Adding fees for breaches.
- Strengthening security requirements with a list of focused measures including incident handling and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic computer hygiene practices and cybersecurity training, the effective use of cryptography, and human resource security, access control policies and asset management.
- Strengthened the cybersecurity supply chain for key information and communication technologies.
- Accountability of the company management for compliance with cybersecurity risk-management measures.
- Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline. (1)
- Increased funding for EU organisations connected to cybersecurity.
- Must be transposed to member states national law by October 2024
Why is EU regulating Cybersecurity
- Personal data must be protected (GDPR)
- The dependencies of entities and sectors (examples) (2):
- Banking
- Internet actors/Domain Names (3)
- Traffic
- Energy
- Electronic communication (telecom)
- Cloud computing
- Web search
- Online marketplaces
- Some manufacturing
- Research
- Create a national framework (for the EU Member states)
- The need for Cybersecurity Risk Management measures (4)
DNS Abuse mitigation
In our understanding, the key objective of the NIS2 is to increase the cybersecurity in general among the European member states.
In this context, the requirement to collect and store on the Registry level, accurate registration data is an important instrument to identify entities connected to abuse on the domain name level. As stated in the NIS2 Directive Article 28: For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.
The majority of ccTLDs within Europe have a strict registration policy where a domain name registrant MUST be identified and verified by the Registrar. Article 28 is not only related to Registry Operators, but also includes entities providing domain name registration services. This includes Registrars and the registrars resellers.
Strict registration policies in identifying the registrant is effective in preventing malicious registrations but it does NOT prevent compromised domain names.
The present practice for the European ccTLDs in DNS Abuse monitoring and mitigation makes it challenging to create standardised policies and mitigation paths.
And at this point, we will stop and let you digest this substantial bit of information.
Next week we will cover which domain name entities will be included in NIS, independent of size, as well as some potential challenges of implementing the directive.
SOURCES:
- Article 23. Report to (national) CSIRT entity.
- Article 3.
- There are dependencies on scale of entity but the domain name industry is included independent of the scale. This relates to a small/micro sized registrar having the same obligations as a Registry Operator.
- Article 21.