NIS2: from compliance to resilience | All for One Poland

NIS2: from compliance to resilience

Prepare your company for crises

The NIS2 directive and the National Cyber Security System Act mark a turning point: from "we have a security policy" to real operational resilience - with clear management accountability, efficient IT, a committed quality department, and secured production (OT). Proper implementation of NIS2 is not just about meeting regulatory requirements. A well-built and applied cybersecurity management system means reducing the risk of attack, reducing downtime and limiting the impact of crises. Don't wait for the law. Start implementation today.

NIS2 - a new dimension of organizational resilience

The NIS2 Directive (Directive of the European Parliament and the EU Council of December 14, 2022 on measures for a high common level of cyber security) is a new version of the NIS Directive. It aims to increase the level of cyber security in the European Union – especially among companies that were not covered by the first version of the directive. NIS2 introduces new tasks for member states and expands the scope of entities covered by obligations to effectively secure data and information.

In Poland, it will be implemented through an amendment to the law on the National Cyber Security System (KSC), which is currently pending (legislative work is underway). The aim of the regulation is not only to protect IT/OT networks and systems, but to increase the overall resilience of an organization – understood as business continuity and the ability to deliver goods and services without interruption throughout the supply chain, including in crisis situations such as a natural disaster, a targeted attack on IT systems or sabotage.

In addition to typical technological risks, NIS2 also refers to environmental risks, supply chain disruptions or random events that can bring a company’s operations to a halt.

Who the new regulations will cover

Obligations under NIS2 will apply to two groups of entities: key and important.

Key entities are those any of whose activities (not just the main one) would be considered crucial to the state’s operations, including, among others, entities in the energy industry, transportation, banking, health care, drinking water supply, digital services and the public sector.

Important entities include companies in important sectors, such as postal services, waste management, manufacturers and distributors of chemicals, food producers and industrial manufacturing (e.g., automotive).

Manufacturing companies must be covered by these requirements because their operations are crucial to the functioning of the state, both economically and in terms of the ability to produce specific vehicles, equipment or components.

Despite the distinction between key and important entities, the scope of requirements and tasks for both groups will be essentially very similar (the minor simplifications for important entities concern proportionality and a lighter set of required security measures).

The basic requirements are:

  • Implementation of an Information Security Management System – which will cover all key aspects of security, such as:
    • Inventory of resources (including those in production environments),
    • Risk analysis and decisions on how to treat each risk,
    • IT security (e.g., appointing cyber security officers, hardening infrastructure, threat detection, change control, vulnerability management, documenting emergency and backup procedures),
    • A training and awareness program for employees,
    • Analysis and implementation of physical security (e.g., access control, door reinforcement, turnstiles, entry and exit control, area fencing, etc.);
  • Implementation of a Business Continuity Management System – which will complement information security with operational business continuity aspects (e.g., transfer to an alternative location, detailed operating instructions for all company departments, testing of action plans and response training of personnel);
  • Designation of contact persons within the national cyber security system;
  • Training of top management at least once a year;
  • Regular internal and external audits;
  • Incident reporting to state authorities.

In practice, an organization should implement a well-functioning set of organizational (policies, procedures, instructions), technical (cybersecurity, IT/OT threat detection and business continuity solutions) and competency (e.g., training) measures.

Key sectors according to NIS2

Deadlines and responsibilities

Although the effective date of the Law on the National Cyber Security System is not yet confirmed, a calendar of activities for companies covered by the new regulations emerges from the draft amendment. Once the law is published, companies will have:

  • 3 months to conduct a self-assessment for meeting the KSC criteria and report to the register of key or important entities,
  • 6 months (after reporting to the registry) to comply with the requirements, which is primarily the implementation of an information security management system (ISMS) with elements of business continuity,
  • 2 years for an independent audit to confirm the effectiveness of the security measures in place and compliance with NIS2 regulations.

Important sectors according to NIS2

Does the company fall under NIS2?

NIS2 will cover large and medium-sized companies. To check whether such a company will be obliged to implement the requirements of the regulation, an analysis should be carried out against the relevant criteria.

Subsequently, other areas of the company’s business should be reviewed, because even if only one of them (a less important, side activity) falls under NIS2, the whole enterprise may be classified as key or important. For example, if a company is engaged in manufacturing but also provides transportation services, that area of business should be analyzed as well.

If the analysis shows that the company falls within the scope of NIS2 obligations, it should register with the National Register of Key and Important Entities.

It is worth noting that in the event of a change or expansion of the scope of the company’s activities, the analysis must be repeated and – if necessary – reported to the register. For failure to do so and failure to comply with the requirements of NIS2, the legislature has provided for severe financial penalties.

Neither ISO 27001 (ISMS) certification, ISO 22301 (business continuity) nor any industry certification (e.g., TISAX, TPN) exempts you from implementing KSC (NIS2) requirements. The good news, however, is that companies with ISO 27001 certification already have much of the task behind them.

Four perspectives of NIS2 in an organization

Concern for information security, physical security and ensuring business continuity is a joint effort of the entire organization. However, most of the tasks and the greatest responsibility lie with management, the IT department, the quality department and the production area, where OT security matters in addition to IT systems.

We present these four perspectives of NIS2 in an organization.

Management - responsibility and awareness

According to the bill, top management (the head of the entity) is personally responsible for ensuring cyber security. This means the obligation to actively engage in the security management process, participate in the analysis of risks and make decisions on the implementation of safeguards.

A minimum of once a year, a unit manager will be required to receive training on NIS2 requirements, and his or her involvement will become one of the elements of the audit. Importantly, it is the management’s collaboration with the IT and quality teams that can facilitate justification of security budgets and investment decisions.

Building management awareness of the risks to business continuity, and of the consequences of its disruption for the company’s key processes and resources, is an essential element of an effective security system that the organization is genuinely invested in.

IT - the heart of cyber resilience

An organization’s cyber security is influenced by all departments and employees, but it is the IT department that plays a key role in ensuring the highest possible standards and operating practices.

The IT department will be responsible for implementing technical requirements, including:

  • Implementation and maintenance of an information security management system,
  • Incident management and reporting to the relevant authorities,
  • Providing continuous monitoring of systems security (a so-called SOC – Security Operations Center).

For IT, implementing the solutions required by NIS2 can be an opportunity to get documentation and processes in order, and to get formal management support in areas that have so far sometimes been put off – such as documenting procedures, inventorying resources or analyzing risks. It’s also a good opportunity to make the business aware of IT’s capabilities (e.g., the time it takes to restore a system) and, conversely, IT learns about the needs of the business (how much data can be lost and the cost involved).

At the same time, it is important to keep in mind that new responsibilities related to information security (such as, for example, monitoring of systems, reviews, the need to provide documented procedures and instructions) will require a certain amount of work, which may mean the need for adequate resources (personnel or equipment).

Quality - integration of management systems

The Information Security Management System naturally combines with the quality approach – the PDCA (plan-do-check-act) cycle. Therefore, it is worthwhile for the quality department to be actively involved in building the system. In large, mature organizations, people in the quality department often have competencies that make it easier to demonstrate accountability, such as knowledge of auditing principles, process modeling, employee awareness management and the Deming cycle.

Integrating systemic cybersecurity management with existing quality management systems can greatly simplify the management of documentation, audits and improvement processes.

Manufacturing - OT security and business continuity

In industrial environments, security doesn’t stop with IT. Automation systems (OT) are increasingly becoming the target of cyber attacks, and their downtime can paralyze an entire plant.

The basis for preparing for the implementation of NIS2 requirements is the inventory of production assets and risk analysis of the OT environment, as well as the development of business continuity plans and incident response scenarios.

It is worth remembering that production disruption can occur for many reasons, not just cyber security incidents. Physical security issues, including access control, employee training and securing the work area, are also addressed in the KSC.

Step-by-step security system

Building an NIS2-compliant cybersecurity management system involves four main steps:

  • Identification of resources and processes – mapping information and technology assets.
  • Risk analysis – identifying threats, vulnerabilities and impacts of potential incidents.
  • Implementation of security measures – technical, organizational and procedural.
  • Verification and improvement – regular audits, tests and updates to procedures.