The duty of care under NIS2
Created: 2023-03-14 09:52:33
We have previously discussed the “duty of care”, but what exactly does this entail? Under the former Network and Information Security Directive, a dual duty applies to providers of essential services and digital service providers: a duty to report and a duty of care. In this blog, we will explain the latter. Under the former directive, the duty of care applies to both essential service providers and digital service providers. It involves taking appropriate and proportionate technical and organisational measures to manage the risks to the security of network and information systems.
The new NIS2 Directive establishes a different distinction: essential and important entities, reflecting the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. Both types of entities will be required to comply with the duty of care. It is up to the Member States to establish a list of essential and important entities based on the most appropriate national mechanisms, allowing entities to register themselves. Entities become subject to cybersecurity risk management measures when registered under one of the two categories. These should be proportionate to the degree of the essential or important entity’s exposure to risks and to the societal and economic impact that an incident would have. Due account of the entity’s criticality, size, and likelihood of occurrence of incidents should also be taken.
In this context, security refers to the ability of network and information systems to withstand actions that compromise availability, authenticity, integrity, and confidentiality. The Commission Implementing Regulation (Regulation (EU) 2018/151) further specifies the security elements to be observed: security of systems and facilities, incident handling, business continuity management, monitoring, control and testing, and international standards.
Minimum measures
The NIS2 Directive lists a minimum set of measures, including conducting risk analysis and instituting policies on information systems security, incident enforcement, business continuity and crisis management, supply chain security, and security in the procurement, development, and maintenance of network and information systems. Also included are policies and procedures to assess the effectiveness of risk management measures and the use of cryptography and encryption.
Essential and important entities should also adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness; organise training for their staff; and raise awareness concerning cyber threats, phishing, or social engineering techniques. Furthermore, those entities should re-evaluate their cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity-enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.
In addition, to demonstrate compliance with these measures, Member States may require essential and important entities to use specific ICT products, services, or processes that will be certified under the European cybersecurity certification schemes adopted under the Cybersecurity Act (Regulation (EU) 2019/881).
Moreover, the European Commission is empowered to adopt implementing and delegated acts to specify risk management measures further. Thus, obligations can become more defined, taking into account new cyber threats, technological developments, or sector-specific features.
Monitoring and enforcement
Member States must ensure that they carry out effective supervision to ensure compliance with the Directive’s requirements. Regarding essential entities, this implies proactive supervision. In contrast, it implies reactive supervision for important entities, which may be triggered by evidence, indication, or information that the entity allegedly does not comply with the Directive. Indeed, in the latter case, action should only be taken when, for a Member State, it appears that an important entity does not comply with the obligations laid down in the Directive. To this end, supervisory authorities have a comprehensive set of supervisory powers and enforcement tools at their disposal. The NIS2 Directive also extends liability to natural persons who can be held responsible for breaching the duty of care. Thus, in addition to the legal person, an organization’s director can also be held liable.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
Join ESET at Facebook