ONLINE NIS 2 Guide
The SPAC Alliance NIS 2 guide helps you understand the challenges related to this major European directive and supports each important or essential entity on its path to compliance. National legal frameworks, official security baselines, mapping with international certifications: find the information, tools, and services that enable you to reach the required level of physical security and cybersecurity.
Our guide is also available in PDF format.
Page updated on January 30, 2026.
You are probably asking yourself several questions regarding NIS 2:
- Am I affected by this regulation?
- What will my obligations be?
- How has NIS 2 been transposed in my country?
- How can I become NIS 2 compliant? Who can support me in implementing this regulation?
This SPAC Alliance guide is designed to help you understand the challenges related to NIS 2 and to clarify the path to compliance, from audit to certification.
Understanding NIS 2
From NIS 1 to hybrid threats
Nearly 9% of data breaches originate from a physical security failure. Since the first cybersecurity-dedicated texts, including NIS 1, threats have continued to diversify. Today, it is the weakest link in the security chain that is targeted, regardless of its nature. Hybrid threats require a global and unified view of protection.
NIS 2 was born from a dual observation:
- It is necessary to protect more entities
- They must be better protected, without distinction between physical security and cybersecurity
The growing impact of attacks
Data theft or intrusions now have impacts that must be considered on multiple levels, beyond purely financial aspects:
- Cost of a potential ransom (which it is strongly recommended never to pay)
- Cost of a business interruption over a period depending on the severity of the attack
- Costs related to potential legal proceedings if liability is established (data theft due to insufficient protection)
- Increase in insurance premiums following a cyber incident
- Direct and long-term impact on your image (loss of reputation and credibility) within your ecosystem: users, business partners, banks and investors, as well as employees
- Impact of losing competitive advantage: theft of research results or unpatented technologies, disclosure of strategic plans, product copying
- Possible infection of all information systems connected to yours, including those of your suppliers and customers
In a hyperconnected economy with an omnipresent cyber threat, all the conditions are in place for entire sectors to be threatened by a devastating domino effect, not just isolated actors. This mission, which must be acknowledged, is more collaborative than ever.
Towards end-to-end security
Below is a reminder of Article 21 of NIS 2, which requires an “all-hazards approach aimed at protecting network and information systems as well as their physical environment and including at least”:
- Risk analysis
- Incident handling
- Business continuity (including backups) and crisis management
- Supply chain security
- Network and information system security, including vulnerability handling and disclosure
- Assessment of risk management measures
- Training
- Use of cryptography and encryption
- Access control policies and asset management
- Use of multi-factor authentication or continuous authentication
Articles 24 and 25 encourage Member States to prescribe and promote the use of certified products and services under a European cybersecurity certification scheme, to rely on qualified trust services, and to use European and international standards and technical specifications.
A complementary text, the CER Directive, applies to the most critical entities in Europe and adds further physical security aspects (terrorist threats, climate-related hazards), as well as stricter supervision and oversight obligations to preserve the most critical services. These critical entities will have to comply with obligations that are additional to those of NIS 2.
NIS 2 and the CER Directive share the dual ambition of raising and harmonizing the security level of European entities through proportionate obligations that will evolve according to threats.
27 countries, 27 transpositions
The NIS 2 Directive is currently being transposed by each Member State. This will result in as many national laws and implementing decrees. In addition, national security frameworks define the objectives to be achieved by entities based on their level of criticality, as well as their human and financial resources.
Naturally, some differences in interpretation or obligations between entities are to be expected. Fortunately, a committee bringing together national authorities is tasked with smoothing these differences over time, leading to greater harmonization.
To support this effort, it is useful to rely on standards related to certification schemes (EN 17640 – FITCEM) as well as other regulatory texts (such as the Cyber Resilience Act).
In the absence of a national regulatory framework, international references such as ISO/IEC 27001:2022 and the NIST Cybersecurity Framework 2.0 cover most of the issues and already allow organizations to move closer to, or even achieve, the expected security levels.
NIS 2 Support
The SPAC Alliance Shop brings together the products and services required to target compliance and achieve a level of security aligned with your needs:
- Audits, security testing, and mapping
- Training
- Support for CSPN and ISO 27001 certification
These services are exclusively provided by SPAC Alliance members!
Join SPAC Alliance

The SPAC Alliance Club is particularly well suited if you are affected by NIS 2 and provides knowledge, tools, training, and support from all members.

You can submit your application to become a SPAC Alliance Member, work with us to build European sovereignty, and defend the interests of our market.
Download NIS 2 Official text
The text of the NIS 2 Directive applies to a large number of entities that require appropriate support to implement it effectively. Reviewing it in detail can be useful to identify aspects specific to your situation or to better understand the rationale behind this directive.
For example, the annexes provide a high level of detail on the entities covered, by sector and subsector (Essential Entities and Important Entities), based on the criticality of the sector to which they belong.
The text of the Directive on the Resilience of Critical Entities (CER) applies to entities whose services are vital or strategic to the functioning of society.
The critical entities defined under this directive must meet broader physical security objectives, as well as comply with obligations related to periodic external audits and supervision by national authorities.















