Reinforcing Cybersecurity Across Europe

The European Union is advancing its cybersecurity efforts with the introduction of NIS2, a directive aimed at enhancing the resilience of critical sectors. This directive places new and updated obligations on entities to improve their cybersecurity risk management practices, incident reporting, and adherence to security audits. Organizations within essential sectors are required to implement robust cybersecurity measures, including those associated with vulnerability management and disclosure.

Supervisory Framework and Coordinated Policies

NIS2 introduces an enhanced supervisory framework for national authorities in each Member State and firm enforcement requirements. Furthermore, it establishes a framework for coordinated vulnerability disclosure (CVD). All EU Member States must set policies for managing vulnerabilities and designate a computer security incident response team (CSIRT) to act as a CVD coordinator.

Building on NIS 2016

NIS2 follows in the footsteps of the original NIS Directive from 2016, the first EU-wide cybersecurity legislation. This updated directive broadens the scope to encompass more entities deemed as 'essential' or 'important', introducing potential administrative fines for non-compliance.

Applicability and Compliance Requirements

NIS2 applies to both public and private entities operating within the EU, as defined in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors) of the directive. Entities are classified based on their size and the nature of services they provide. Those identified as 'essential' entities are subject to proactive monitoring, while 'important' entities receive reactive supervision.

Entities must adhere to ten cybersecurity management measures, including vulnerability management, disclosure, and regular security testing. Breach of these measures could result in fines up to 10 million Euros or 2% of the company’s annual revenue, and introduce personal liabilities for corporate executives in case of non-compliance.

Preparing for Compliance

As the NIS2 deadline looms, organizations in scope must implement a vulnerability disclosure program (VDP). Actions include developing policies around vulnerability management and participating in vulnerability rewards programs, such as bug bounty programs. HackerOne has introduced a free, self-serve VDP tier to assist these entities in meeting NIS2 requirements.

European Vulnerability Database and CVD Coordination

Each Member State shall appoint a CSIRT to coordinate national CVD efforts, facilitating vulnerability identification and response across multiple entities. Concurrently, ENISA will oversee a comprehensive European vulnerability database, akin to the U.S. National Vulnerability Database, to ensure consistency and security.

Transposing NIS2

The European Commission is finalizing an Implementing Regulation for consistent EU-wide incident reporting and cybersecurity measures. Member States are currently transposing NIS2 into national laws, with a target completion date of October 17, 2024. While countries like Belgium have progressed, others, like the Netherlands, anticipate a slower process extending into 2025.

Conclusion

The implementation of NIS2 is set to have a significant impact on the cybersecurity landscape across Europe. Companies should immediately assess their compliance status and update their risk management practices accordingly. Services like those offered by HackerOne can assist in meeting the directive's requirements efficiently, thereby safeguarding essential services against threats.

For more details, visit the original article on HackerOne.