By Intigriti
February 9, 2023
The NIS2 Directive is due to be implemented across the EU by September next year. Find out how the legislation will impact the region’s bug bounty and cybersecurity industry.
In 2022, the bug bounty and crowdsourced security industry experienced a surge in its validation and growth across the globe due to supportive legislation. This trend is set to continue through 2023, and one of the key drivers in Europe will be the NIS2 Directive.
By September 2024, all EU nation states must have transposed NIS2 as national law. Once on the statute books, NIS2 will start enforcing mandatory improvements in IT security, as well as imposing hefty fines for those who do not comply. Organizations need to be aware of these upcoming changes in order to avoid falling foul of them.
In this blog post, we explore what the European NIS2 Directive entails and how businesses across the continent can prepare themselves for a friction-free implementation.
NIS2 stands for ‘Network and Information Security Directive 2’. It’s the second such directive from the European Union (EU), hence the “2”. The previous directive had been fully transposed into EU law by 2020.
In a nutshell, NIS2 is a directive for EU-wide legislation that will require organizations to meet cybersecurity risk management and incident reporting standards. It was approved by the EU in November last year, and, as mentioned above, by September 2024 all nation states must start enforcing NIS2’s provisions.
NIS2 establishes three general objectives in addition to the first NIS Directive:
Increase the level of cyber-resilience of a comprehensive set of businesses operating in the European Union across all relevant sectors.
Reduce inconsistencies in resilience across the internal market in the sectors already covered by the directive.
Improve the level of joint situational awareness and the collective capability to prepare and respond.
As organizations across Europe are required to raise the bar with regard to IT cybersecurity standards, it follows that bug bounty programs will become an increasingly important part of compliance with the directive.
The directive applies to a bewilderingly wide range of industry sectors, as well as many public bodies. Unfortunately, this means that trying to understand if your organization will need to comply can be a challenge.
The directive applies to all organizations deemed medium or large by the EU (50+ employees and/or an annual turnover of more than €10 million). It also covers other classifications of organization regardless of size: those considered to provide critical infrastructure, those providing public services, and those whose services, if disrupted, could cause severe disruption to public safety, health or security. These critical sectors are listed as: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space.
The Directive Briefing (PDF download) provides much of what you’ll need to know to understand if your organization will be affected. If in doubt, you should speak to a lawyer and aim for compliance with NIS2 in the meantime. Even if your organization slips through the definitions net today, there’s a good chance that an NIS3 will arrive sooner or later, and will require you to bring your organization into the fold.
Complying with NIS2 will potentially require changes in your security posture, as it requires high levels of cybersecurity risk management and comprehensive incident reporting.
Requirements according to the Directive
While the Directive Briefing provides a lot of detail, one key passage provides a good starting point:
The proposal includes a list of seven key elements that all companies must address or implement as part of the measures they take, including incident response, supply chain security, encryption and vulnerability disclosure.
In short, you will need to show that you have taken adequate measures to secure your supply chain against cybersecurity threats and, if significantly breached, national computer security incident response teams (CSIRTs) or regulators must be notified.
What constitutes a significant cybersecurity breach?
Incidents that require reporting to regulators by organizations in affected sectors are defined as:
[having] caused or are capable of causing severe operational disruption of the services or financial loss for the entity concerned; or it has affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Should we risk non-compliance with NIS2?
By September 2024, NIS2 will be the law in all EU member states. Not complying will mean your organization will be breaking the law. Moreover, the Directive stipulates that management bodies must take adequate cybersecurity measures or responsible individuals within an organization (C-Level employees) can be held personally liable.
What are the penalties for non-compliance?
Organizations that breach the rules regarding cybersecurity risk management or their reporting obligations laid down in the NIS Directive will be penalized as follows:
[…] sanctions include binding instructions, an order to implement the recommendations of a security audit, an order to bring security measures into line with NIS requirements, and administrative fines (up to €10 million or 2 % of the entities’ total turnover worldwide, whichever is higher).
Given the substantial risk involved in non-compliance (on every level), if your business falls under the purview of NIS2, you should start getting your cybersecurity program in shape well before the 2024 deadline.
As NIS2 stipulates a risk-based approach to cybersecurity (as opposed to a compliance-based approach), one highly effective way to showcase that your organization has taken proper security measures will be to deploy a bug bounty program. By proactively inviting ethical security experts to identify vulnerabilities in your security measures, your organization will benefit from improved risk-based compliance with NIS2 and higher cybersecurity simultaneously.
We asked Guus van Delft, Intigriti Account Executive in the Netherlands, for an insider’s take on the likely impact of NIS2 across the EU. Here’s what he had to say:
NIS2 is huge. Now that EU nation states have accepted NIS2, it needs to be fully implemented within two years. The required accountability on cybersecurity risk management measures will mean security officers can’t look away anymore. They will be personally accountable for taking proper security measures. Senior management can now also be held liable, and organizations risk fines of up to 2% of global yearly revenue. NIS2 also focuses on a risk-based approach. This is a big shift coming from the existing compliance-based requirements. Organizations will have to show they have provided adequate risk management. One great way to achieve this will be through a bug bounty platform like Intigriti.
As the NIS2 Directive is transposed into law in the coming 21 months, many existing cybersecurity measures currently deployed by entities within EU Member States will need revision. Risk management and security policies will have to meet the stringent new requirements of the law, and crowdsourced security services – with their unique ability to identify cybersecurity vulnerabilities – are set to play a major role in many layered security approaches.