The NIS2 Directive regulates the cybersecurity of essential and important entities by defining the responsibilities of management bodies, mandatory security measures, and ex ante and ex post supervision regimes that depend on the type of entity.

The responsibility of management bodies

Article 20 of the NIS2 Directive establishes that management bodies are responsible for security measures within the entity. Management bodies ‘approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.’ In order to be able to approve these measures, management bodies must undergo regular training to be able to ‘assess cybersecurity risk-management practices and their impact on the services provided.’

Security measures

The NIS2 Directive sets out the security measures to be taken by essential and important entities. Article 21(1) of the NIS2 Directive provides that essential and important entities ‘take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.’

Under Article 21(2), these measures shall include at least:

  • policies on risk analysis and information systems security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Supervision

The NIS2 Directive differentiates between essential and important entities.

In principle, important entities must adopt the same security requirements specified in the NIS2 Directive as essential entities. The main difference between these two categories of entities lies in the level of supervision by the competent authority.

Essential entities will be subject to a regime of ex ante and ex post supervision, which corresponds to ‘complete’ supervision. Important entities will only be subject to an ex post supervision regime. Important entities are therefore exempted from the regular provision of certain deliverables (e.g. risk analysis, description of the security measures in place) that essential entities have to provide. In the event of an incident, however, important entities may also be required to provide additional information on the security measures implemented, at the request of the Institute (ILR).

Supervision mechanisms

Mechanism   To be sent to ILR                  Essential entity   Important entity
Ex ante     Security measures                  Yes                No
Ex post     Incident notification              Yes                Yes
Ex post     After incident and upon request    Yes                Yes
