ENISA publishes technical guidance to strengthen NIS2 cybersecurity risk management


The European Union Agency for Cybersecurity (ENISA) announced Thursday that it is creating technical guidance to help EU Member States and entities implement the technical and methodological requirements of the NIS2 cybersecurity risk-management measures. The European Commission outlined these measures when it adopted the initial implementing rules on cybersecurity for critical entities and networks under the Directive for a high common level of cybersecurity across the Union last month.

ENISA developed this technical guidance to support relevant entities in implementing the new regulations’ technical and methodological requirements. The implementation guidance was developed by ENISA and the work stream on cybersecurity risk and vulnerability management of the NIS Cooperation Group (NIS CG), in collaboration with the NIS Cooperation Group work streams on digital service providers and digital infrastructures, as well as with the ENISA European Competent Authorities for Trust Services (ECATS) Expert Group and the European Competent Authorities for Secure Electronic Communications (ECASEC). It is the result of consultations from June to mid-October 2024.

The NIS2 is new EU-wide cybersecurity legislation that EU Member States were required to transpose into their national legislation by 17 October 2024. The NIS2 aims to achieve a high level of cybersecurity in Europe and focuses on increasing the resilience of the EU’s critical sectors. ENISA developed a NIS2 explanatory video and several infographics covering the main concepts and new mechanisms of the NIS2.

Last month, the European Commission adopted the implementing rules under the NIS2 Directive, specifying the NIS2 Directive cybersecurity risk-management measures for certain entities from the digital infrastructure, digital providers, and ICT service management sectors. 

These implementing rules establish the technical and methodological requirements for the following NIS2 subsectors: DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network providers (CDNs), managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, online search engines, social networking service platforms, and trust service providers.

The ENISA document provides non-binding guidance for the entities relevant to the regulation on the technical and methodological requirements of the cybersecurity risk-management measures. Beyond those entities, the guidance gives indications on the technical and methodological requirements of the cybersecurity risk-management measures of the NIS2 Directive that other public or private actors may also find useful in improving their cybersecurity.

Each technical and methodological requirement contains three elements – guidance, examples of evidence, and tips. With its recommendatory character, the guidance contains indicative and actionable advice on parameters to consider when implementing a technical and methodological requirement or further explanation of concepts found in the legal text. Examples of evidence are indicative types of evidence that a technical and methodological requirement is in place. In some technical and methodological requirements, extra general tips are also offered for additional consideration by the entity. 

The document also includes a mapping table that correlates each requirement with European and international standards or frameworks (ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIST Cybersecurity Framework 2.0, ETSI EN 319 401 V2.2.1 (2018-04), CEN/TS 18026:2024), and with national frameworks.

The mapping should not be interpreted as a measure of equivalence among different standards or frameworks. It refers to relevant requirements in these standards or frameworks without assessing whether these fully cover the requirements of the regulation. Cybersecurity standards or frameworks often address the same cybersecurity concerns but use different language, structures, or levels of specificity or detail. Understanding these relationships may help relevant entities use and integrate multiple standards or frameworks to maintain compliance, reduce duplication, and streamline audits. Entities subject to the regulation can use national frameworks, guidance, or other mechanisms equivalent to the requirements of the regulation to demonstrate their compliance with national competent authorities.

Depending on the national framework, an assessment against the national frameworks, guidelines, or other mechanisms equivalent to the technical and methodological requirements for cybersecurity risk-management measures, carried out by relevant accredited conformity assessment bodies or by independent auditors authorized by the national competent authorities, could serve as a demonstration of compliance with the requirements set out by the implementing act. To keep the current guidance up to date, Member States can inform ENISA of such equivalent national frameworks, guidance, or other mechanisms, where available.

The ENISA guidance also identified that relevant entities shall establish and maintain an appropriate risk management framework to identify and address the risks posed to the security of networks and information systems. The relevant entities shall perform and document risk assessments and, based on the results, establish, implement, and monitor a risk treatment plan. Risk assessment results and residual risks shall be accepted by management bodies or, where applicable, by persons who are accountable and have the authority to manage risks, provided that the relevant entities ensure adequate reporting to the management bodies.

The document also detailed that relevant entities shall establish and implement an incident handling policy laying down the roles, responsibilities, and procedures for detecting, analyzing, containing or responding to, recovering from, documenting, and reporting incidents promptly. The relevant entities shall lay down procedures and use tools to monitor and log activities on their network and information systems to detect events that could be considered incidents and respond accordingly to mitigate the impact; and put in place a simple mechanism allowing their employees, suppliers, and customers to report suspicious events.

It added that relevant entities shall lay down and maintain a business continuity and disaster recovery plan to apply in the case of incidents; maintain backup copies of data and provide sufficient available resources, including facilities, network and information systems and staff, to ensure an appropriate level of redundancy, and put in place a process for crisis management.

Addressing supply chain security, the ENISA document identified that relevant entities shall establish, implement, and apply a supply chain security policy that governs the relations with their direct suppliers and service providers to mitigate the identified risks to the security of network and information systems. In the supply chain security policy, the relevant entities shall identify their role in the supply chain and communicate it to their direct suppliers and service providers.

Covering human resources security, the ENISA technical guidance said that relevant entities shall ensure that their employees and direct suppliers and service providers, wherever applicable, understand, demonstrate and commit to their security responsibilities, as appropriate for the offered services and the job and in line with the relevant entities’ policy on the security of network and information systems.

On access control, ENISA called upon relevant entities to establish, document, and implement logical and physical access control policies for the access to their network and information systems, based on business requirements as well as network and information system security requirements. The relevant entities shall review and, where appropriate, update the policies at planned intervals and when significant incidents or significant changes to operations or risks occur. 

Furthermore, the relevant entities shall implement secure authentication procedures and technologies based on access restrictions and the policy on access control.

Addressing asset management, ENISA said in its technical guidance that the relevant entities shall lay down classification levels of all assets, including information, in the scope of their network and information systems for the level of protection required. The relevant entities shall conduct periodic reviews of the classification levels of assets and update them, where appropriate; and establish, implement, and apply a policy for the proper handling of assets, including information, under their network and information security policy, and shall communicate the policy on proper handling of assets to anyone who uses or handles assets. 

ENISA called upon relevant entities to develop and maintain a complete, accurate, up-to-date, and consistent inventory of their assets. They shall record changes to the entries in the inventory in a traceable manner, regularly review and update the inventory and their assets, and document the history of changes. 
