As the digital landscape evolves, so does the need for robust cybersecurity measures to safeguard against rising threats. In response, the European Union (EU) is introducing regulations to enhance the cybersecurity and resilience of member states. The Network and Information Security (NIS)2 Directive is a key legislative initiative expected to affect the broadband industry significantly. Maarten Bodlaender, Chief Information Security Officer at Genexis, describes NIS2, how to prepare for compliance, and how Genexis is supporting its customers with their NIS2 preparations.
Expanded European Cybersecurity Legislation
The EU is developing several new regulations on cybersecurity, such as the Cybersecurity Act and the upcoming Cyber Resilience Act. NIS2 will come into effect by October 17, 2024, as EU members transpose the directive into national legislation. NIS2 sets security requirements on industry segments that are considered critical infrastructure. The scope of NIS2 now includes industries such as manufacturing, wastewater and waste management, food, public electronic communication services, digital services, space, postal services and public administration. This underscores the growing importance of digital infrastructure and is expected to profoundly impact the broadband industry, service providers, suppliers and customers.
Requirements for EU Member States
NIS2 is designed to raise the overall level of cybersecurity within the EU. It establishes regulatory measures to ensure Member States’ preparedness. This includes Computer Security Incident Response Teams (CSIRTs) that coordinate responses to cybersecurity incidents and the establishment of a competent authority responsible for enforcing compliance with the directive. Cooperation among states and exchanging information are also crucial to learn best practices and prevent transnational security breaches. Developing a cross-culture of security across critical sectors such as energy, transport, water, banking, healthcare, and digital infrastructure is essential to keep our society and economy functioning.
Where do service providers, suppliers, and customers fit into NIS2?
Annex I of NIS2 considers Digital Infrastructure a “Sector of High Criticality.” Consequently, providers of public electronic communications networks are classified as “essential entities” under NIS2. At the same time, vendors of computer, electronic, and optical products, including broadband infrastructure, are classified as “important entities.” These classifications subject broadband industry participants to strict new cybersecurity risk-management measures and reporting obligations backed by government oversight, as specified by NIS2.
Preventing and managing security breaches
Essential and important entities must adopt proportionate technical, operational, and organizational measures to manage cybersecurity risks. These measures encompass a comprehensive all-hazards approach, covering risk analysis, incident handling, business continuity, supply chain security, and more. The directive emphasizes basic cyber hygiene practices, cybersecurity training, and advanced security measures like multi-factor authentication and encryption.
Reporting and compliance
Member states can enforce NIS2 obligations through different measures, including onsite inspections, offsite supervision, and random checks. Essential entities may be subjected to regular and targeted security audits, ad-hoc audits, and security scans based on risk assessment criteria. Non-compliance can lead to binding instructions, orders to cease conduct, fines of up to 10 million euros or 2% of global turnover, and even personal liability for CEOs. Member states are tasked with ensuring that the management bodies of essential and important entities approve cybersecurity risk-management measures and oversee their implementation. Management can be held liable for infringements, and employees must undergo regular training to identify risks and assess cybersecurity practices.
Security requirements beyond NIS2
While NIS2 provides a big step up in cybersecurity legislation for the broadband industry, it should really be considered in conjunction with the upcoming Cyber Resilience Act (CRA). In December 2023, the EU reached an agreement on the CRA. Approximately three years from now, it will be enforced.
The CRA will establish mandatory requirements on the security of digital products, services, and processes over their entire lifecycle. Since lifecycles in the broadband industry are typically longer than three years, the broadband industry should combine its preparations for NIS2 requirements with preparations for the upcoming CRA.
NIS2 mandates security requirements along the entire supply chain, placing responsibility on broadband industry participants, from chip SDK vendors to device manufacturers and operators, to collaborate and coordinate efforts to adapt to these challenging new regulations.
The Genexis approach to NIS2 compliance and customer support
At Genexis, we’re strategically aligning our Information Security Management System policies with both the NIS2 and CRA directives, showcasing our commitment to cybersecurity. And we are not just preparing ourselves for this enhanced cybersecurity legislation; we’re setting a path for our customers.
Genexis commits to delivering timely security patches over the entire lifecycle of our products and services and to providing security advisories to help customers deal with major vulnerabilities. We provide a platform for coordinated vulnerability disclosure and make supplier cybersecurity compliance reports and further security documentation of products and services available on request. Finally, by aligning practices, we support our customers’ risk management and incident response processes. By sharing our insights and experiences, we aim to assist our customers in adapting to this new legislation.
Overall, as the directive takes effect, collaboration and proactive measures will be essential to ensure a secure and resilient broadband industry in Europe. Genexis is committed to supporting customers with its cybersecurity roadmap.