The Network Information Systems Directive (NIS2) and its predecessor NIS focus on risk management for organizations. The EU states that the NIS is the first piece of EU-wide legislation on cybersecurity with the goal of achieving a high common level of cybersecurity across the member states. The NIS2 will be quite impactful, especially as it expands on the NIS and includes more industries, new reporting requirements, and greater penalties.
NIS2 will especially shift how organizations approach and manage supply chain security, as part of a holistic approach to cybersecurity across EU member states (and beyond). By securing every part of the supply chain, the directive will foster a robust, unified cybersecurity front across the EU.
Current State of Supply Chain Security
Ransomware will cost victims about $42 billion USD in 2024, more than double the $20 billion USD of 2021, with threat actors conducting an attack every two seconds (according to Cybersecurity Ventures).
Specifically, data extortion ransomware attacks increased at an annualized rate of more than 112% in 2023. In our research, we observed that threat actors attacked the manufacturing, information technology, and professional services industries the most in 2023.
All sectors, including critical ones such as energy, finance, health, and transportation, are further integrating and becoming dependent on digital infrastructure. This integration drives modernization, but it also exposes weaknesses to ever-evolving threats. The coronavirus pandemic exacerbated this issue as organizations rushed to offer digital services.
Over the past few years, threat actors have become more sophisticated in conducting cybercrime. They are improving the efficiency of their cyberattacks by shifting to a model similar to legitimate modern supply chains, with niche specialization. This “as a Service” (aaS) business model allows easier, more convenient access to advanced tools without each threat actor having to be proficient in every aspect of carrying out attacks.
As threat actors establish their own supply chain of attacks, organizations must improve their security posture to holistically fortify the legitimate supply chain.
NIS vs NIS2: What are the Differences?
The NIS2 seeks to expand the scope of NIS. So what exactly are the differences between the two directives?
The EU published the compliance law NIS in 2016, and it went into effect in 2018. It mandated that covered entities establish basic cybersecurity hygiene processes and practices. NIS categorized organizations as:
- “Digital services providers”
- “Not covered”
and assigned requirements accordingly.
Member states also had to ensure that entities covered by NIS would proactively report incidents to their respective countries’ computer security incident response team (CSIRT) to receive guidance based on the incident impact and severity.
However, NIS left room for interpretation, which led to different implementation outcomes across member states.
The EU published the successor to NIS, NIS2, in 2022, and the deadline for member states to incorporate NIS2 into their national law is 2024.
Generally, the requirements in NIS2 are more specific than in NIS, and its scope is broader.
What NIS2 Expands
Industries Covered by NIS2
NIS2 expands the list of industries classified as “Important Entities,” newly including these sectors:
- Waste management
- IT & Security Services Providers
- Postal & Courier Services
- Chemicals Companies
- Food Processing
- Research Organizations
- Social Networks and Digital Providers
NIS had limited enforcement and fines, while NIS2 sets several measures for enforcement including fines, liability to management, and inspections & supervision.
The fines can be up to 10 million euros or 2% of the total global annual turnover for essential entities, and up to 7 million euros or 1.4% of the total annual turnover for important entities.
Consistency and Cooperation
The NIS2 sets a baseline for cybersecurity measures to ensure holistic consistency across member states’ cybersecurity postures. This includes risk management and reporting measures.
In addition, NIS2 puts greater collaboration mechanisms in place, such as the EU CyCLONe (European cyber liaison organization network), cyber policy peer review, and coordinated vulnerability disclosure.
What NIS2 Does for Supply Chain Security
With the NIS2, there is a greater focus on different aspects of cybersecurity, such as business continuity management, incident response, and supply chain security.
NIS2 broadly requires organizations to strengthen supply chain security. It mandates that organizations:
- Assess and understand relevant risks
- Establish relationships with high-risk third-party service partners/providers/vendors and make them aware of risks
- Update security measures continuously
Article(2)(d) of the NIS2 outlines organizations’ responsibilities in ensuring supply chain security. There are three general areas that contribute to improving supply chain security:
- EU-level risk assessment: Assess the level of risk of a specific supply chain at the EU level.
- National risk assessment: Member states can expand the scope of the directive to include entities originally outside of it.
- Internal risk assessment: Covered entities must consider vulnerabilities and cybersecurity practices for each third-party service provider/supplier/vendor.
These areas work together to create a comprehensive protection plan, though each has somewhat different implications for supply chain security.
EU-Level Risk Assessment and Supply Chain Security
Organizations have to continuously monitor both their efforts and the corresponding results to stay in compliance and to contribute effectively to international supply chain security.
It’s important to note that NIS2 takes into account not only the requirements of Article 21 (which lists details of coordinated risk assessment), but also the results. This means that even if an organization follows the requirements, it can be considered non-compliant and face financial penalties if the results do not also align with NIS2.
In addition, even if a given organization follows NIS2, a high-risk third party in its supply chain can jeopardize that organization’s NIS2 assessment. Therefore, it is the responsibility of covered entities to ensure that the third-party organizations in their supply chain improve their cybersecurity posture, even when those third parties are not themselves covered entities.
National Risk Assessment and Supply Chain Security
Member states have various powers that allow them to expand the scope of NIS2 within their national laws and apply the directive to:
- Entities that are the sole provider in a member state of an essential service, defined as required for maintenance of critical economic/social activities
- Entities that are the service provider for something that if disrupted can significantly harm public health, safety, or security
- Entities that are the service provider for something that if disrupted could lead to major system risk, especially in sectors which have cross-border involvement
- Entities that are critical because of their importance at the national/regional level for a certain sector/service (or for interdependent sectors within the nation)
Though NIS2 expands the scope of covered entities, some organizations are still not included. However, the member state powers described above could bring a previously uncovered entity into scope if any of the conditions above apply to it.
Internal Risk Assessment and Supply Chain Security
Covered entities should follow member states’ national cybersecurity strategy, also taking into account the powers of the CSIRT to inform their internal practices.
Covered entities must stringently vet their third-party partners/suppliers/vendors and encourage those they work with to mitigate their risks, boosting the security of the entire supply chain.
Please note that this blog is not intended to educate on basic requirements in NIS2 and is not a substitute for legal advice. If you are concerned with NIS2 or believe that it might apply to your organization we encourage you to contact a qualified attorney.
Supply Chain Security and Flare
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically and constantly scans the clear & dark web and illicit Telegram channels to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security across your supply chain.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools.
Learn more by signing up for our free trial.