It's no secret that critical infrastructure assets are increasingly under threat. Lawmakers are pulling policy levers to ensure organizations in their jurisdictions are doing their best to protect the assets that citizens depend on most.
The European Union, one such jurisdiction, has been at the forefront of critical infrastructure regulation.
Here’s what they’ve been doing.
Indeed, the EU’s response to the critical infrastructure threat has been longstanding and multifaceted, befitting an economic zone experiencing a disproportionate number of attacks on its critical sectors. Passed into law in 2016, the NIS1 (Network and Information Security) Directive was one of the first major actions the EU took to enhance cybersecurity cooperation among its Member States.
That Directive sought to mitigate the threats to network and information systems used to provide essential services in key sectors across the EU.
However, implementation of NIS1 was left to the individual Member States, and many of its obligations were implemented unevenly, leaving internal-market fragmentation in place at precisely the moment cyber vulnerabilities were increasing.
As a result, the EU went back to the drawing board, developing a second set of network and information security directives that would be more stringent.
Thus NIS2 was promulgated: it passed into law in November 2022, came into force the following year, and set compliance deadlines for last fall. So, to whom does NIS2 apply?
Well, NIS2 establishes a uniform criterion for determining qualifying entities via the application of a size-cap rule. According to the Directive, all medium-sized enterprises or larger (whether essential or important) operating within the following sectors are subject:
Per EU guidance, these entities must take appropriate, proportionate, risk-based technical, operational, and organizational measures to manage the risks posed to the security of their network and information systems, covering hardware, firmware, and software.
These measures must also be based on an all-hazards approach, meaning they should address the physical and environmental security of network and information systems against failure, human error, malicious acts, and natural phenomena.
To comply, entities must protect both their network and information systems and the physical environment of those systems from any event, e.g., sabotage, theft, fire, flood, telecommunication or power failures, and/or unauthorized physical access capable of compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the services offered by, or accessible via, network and information systems.
Required measures will encompass the following:
Finally, NIS2 is in the news again because Member States are rolling out national legislation to comply with the Directive. However, NIS2 isn’t the only Directive affecting the sector.
The Directive on the Resilience of Critical Entities also aims to strengthen the resilience of critical entities in the EU against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.
What should critical infrastructure organizations in the EU know about that Directive? We cover it all in our breakdown, How Critical Entities in the European Union Can Prepare for the Directive on the Resilience of Critical Entities.