In NIS2, Third-Party Security Risk management is the focal point

The EU Network and Information Security (NIS) directive is the first EU-wide information security legislation. First released in 2016 as the NIS directive, it aims at enhancing cybersecurity in businesses across the European Union.

NIS2 is the new and improved version, building on the original NIS directive.  It was adopted by the European Council on November 28th 2022 and by October 24th, EU member states must have translated the directive into national legislation.   

These are the main novelties: 

More companies will be subject to cybersecurity regulation

Earlier this year, the European institutions reached a provisional agreement on the Digital Operational Resilience Act (DORA).  DORA is the older brother of NIS, and is targeted specifically to medium and large enterprises in the financial sector (including banks, investment firms, insurers, audit firms, trading venues) but also their critical ICT providers. 

NIS targets a broader range of industries than DORA and NIS2 has, compared to NIS1, expanded the sectors for which it applies, such as companies providing digital infrastructure (eg. infrastructure hosting). The affected sectors will have to comply with the baseline requirements set by NIS2.  In these sectors, also smaller companies (with over 10 € million turnover or 50 employees) will now have to comply.    The number of companies that will have to follow the new cyber security risk management standards is around 110.000, versus 15.500 for NIS1.  This is the number of companies directly impacted.  As described here below, NIS2 requires these companies to manage third-party cybersecurity risks so the number of companies indirectly affected by NIS2 is likely to exceed 1.000.000.

For large enterprises in the financial industry, DORA will prevail.  For the following industries, NIS 2 will apply: 

• Healthcare
• Transport
• Finance( some medium-sized financial businesses, which do not fall under DORA) 
• Water supply
• Waste management
• Energy
• Digital infrastructure and service providers
• Providers of public electronic communication services
• Manufacturing of medical devices and chemicals
• Food
• Aerospace
• Postal administration
• Public administrations

Cybersecurity incident reporting will be aligned across Member States. 

The NIS 2 Directive outlines what type of incidents should be reported, such as unauthorised access to digital services, data breaches, and denial-of-service attacks. Companies are expected to provide details of the incident such as the date and time it occurred, the number of users affected, any action taken in response to the incident and any measures taken to prevent similar incidents from occurring in the future.

The directive also outlines what should be included in reports submitted to authorities, such as an overview of the incident, its impact and severity, a description of any technical or procedural measures taken to address it, and any proposed improvements that can help to reduce security risk. Companies are expected to report incidents to the relevant authorities within 72 hours of the incident occurring. In addition, companies must provide regular updates on their progress in resolving the incident and implementing any proposed improvements.

Third, and most impactful on the security posture of companies is the focus on the security of supply chains and supplier relationships. 

Third-party management and third-party security risk management are increasingly recognised across industries and sectors as key to cyber resilience. Its paramount importance is because it is a risk area that has gained importance significantly over the last decade. 

Remote work, globalization of economic activities and cost reduction have driven rapid digitization, digital interconnectedness, and the adoption of Software-as-a-Service and Infrastructure-as-a-Service business models.  This means that more and more companies are reliant on an IT supply chain to deliver their services. Also, non-IT suppliers of companies have followed similar paths towards more digitalization.  

This has led to the exponential expansion of the digital attack surface of companies, in turn, has led to the need for third-party security risk management. 

Some figures to illustrate the importance of proper Third Party Security Risk management '

• Gartner predicts that 'by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.'
• Forrester estimated that in 2022, 60% of cyber attacks found their origin in interconnected third parties.

NIS-2 emphasizes that organisations should proactively manage risks introduced by third parties. This includes all suppliers and service providers and should be considered from a multidisciplinary risk perspective. The Directive states that organisations at least should:

• Evaluate the quality of the services and the cybersecurity practices of their suppliers, including the security of development processes (art. 43)
• Be cautious in the selection of security service provider (art. 44)
• Be aware of the security risks that come from interactions with other companies in a broader ecosystem, especially when it comes to the relation with research institutions or data analytics and data transformation services delivered by third-party providers (art. 45)
• Take part in sectorial supply chain risk assessments organized by relevant authorities.  The goal of these coordinated assessments is to identify which ICT services, systems, or products are critical for the sector concerned, as well as relevant threats and vulnerabilities. (art. 46)
• Setup and maintain a tenable supply chain risk assessment and management process, considering both technical and non-technical aspects taking into account the relative importance of the supplier and the criticality of the service delivered by the supplier (art. 47)
• Implement appropriate measures to guarantee the security of electronic communication with suppliers (art. 49, 50 & 51).
• When facing an important threat, notify their clients and the competent authorities of this cyberthreat and the relevant remediation strategies (art. 52 & 53)

The Directive also calls upon organisations to put in place processes and procedures to detect and mitigate supply chain risks, including those related to cybersecurity. The procedures should include the following steps:

• Identifying and assessing threats posed by third-party products and services
• Developing policies, plans, and solutions to address identified threats
• Implementing measures to ensure the secure procurement of third-party products and services

Organisations should also ensure that they are continuously monitoring, evaluating, and taking appropriate measures to address any security issues with third parties. This could include conducting regular independent assessments or audits of third parties, updating supplier agreements, and conducting regular reviews of their security practices.

Organisations should also be prepared to take appropriate corrective measures if issues are identified with third parties, such as temporarily suspending interaction or terminating the contract altogether. In addition, organisations should have a process in place to ensure that they can effectively and timely respond to incidents involving third parties.

Other interesting NIS2 novelties

NIS2 will introduce stricter supervision and enforcement requirements, targeting the EU-wide harmonization of sanctions on lack of compliance.   Penalties can amount to up to 2% of a company's total annual turnover, and executives can be held personally liable if their company fails to comply with NIS2 requirements.

In the field of IT security operations, NIS 2 puts forward an EU-wide framework for responsible disclosure of discovered vulnerabilities. This would take the form of a registry under the management of the EU agency for cybersecurity (ENISA).  Who knows, someday the EU may have its own Vulnerability Database, similar to the NVD managed by the US Department of Commerce….

In summary, demand for third-party security risk solutions in Europe will surge

NIS2 first needs to be translated into local EU country legislation to take effect. This is expected to be throughout 2024, and the beginning of 2025,  the same timelines as DORA.  With the introduction of NIS2, a lot more businesses are now required to take an active role in managing their security risks. As a result, demand for third-party security risk management solutions is set to surge over the coming three years. 

Ceeyu is a  SaaS platform that can help companies assess their own security and the security of their vendors or other third parties using automated and questionnaire-based assessments.