Network and Information Security Directive (NIS2)
AFAICS, NIS2 does not apply to crypto-asset service providers (beware that DORA does, and DORA is similar to NIS2 content-wise), but you can expect regulators under MiCA to require cybersecurity measures similar to those required under NIS2. Inspired by international cybersecurity frameworks such as the ISO 27000 series, the required security measures are a de facto minimum nowadays and should be common-sense practice by now.
Besides the Digital Operational Resilience Act (DORA), which is aimed exclusively at the European financial sector, the NIS2 directive is probably the most encompassing security regulation in Europe. NIS2 is a revision of the 2016 NIS directive and the most significant change is that it expands its scope to more sectors.
In order to help organizations comply with NIS2, the European Union Agency for Cybersecurity (ENISA) compiled a list of minimum requirements, namely the Minimum Security Measures for Operators of Essentials Services. You can filter on sector (e.g. financial sector, digital infrastructure, ...) as well as on country. The latter lists additional "national controls" stemming from country-specific, local legislation (currently only Cyprus, France, Germany and Sweden have listed such national controls).
ENISA luckily did not reinvent the wheel: its minimum security measures are based on existing international standards, such as
- ISO 27001
- NIST Cybersecurity Framework (please note NIST recently released an updated version: NIST CSF 2.0)
- ISA/IEC 62443
For the financial sector specifically, and a bit arbitrarily because some of these come from US regulation (?!), ENISA additionally mapped security measures from the following regulations and/or standards:
- Sarbanes-Oxley Act (SOX)
- ISO Standard 13569 - Financial services - Information security guidelines
- GLBA (Gramm-Leach-Bliley Act)
- Payment Card Industry Data Security Standard (PCI-DSS)
- (Revised) Payment Services Directive (PSD2)
In Belgium, the NIS2 competent authority, the Centre for Cybersecurity Belgium (CCB), compiled this guidance into the CyberFundamentals Framework (CyFun.be) (that bad pun was most certainly intended...).
Overview

I. Defence
- Computer Security Incident Management
  - Communication with competent authorities
    - Communication with competent authorities and CSIRTs - Incident Reporting
  - Information system security incident response
- Detection
  - Detection
  - Logging
  - Logs correlation and analysis

II. Governance and Ecosystem
- Ecosystem Management
  - Ecosystem mapping
  - Ecosystem relations
- Information System Security Governance & Risk Management
  - Human resource security
  - Information system security accreditation
  - Information system security audit
  - Information system security indicators
  - Information system security policy
  - Information system security risk analysis

III. Protection
- Identity and access management
  - Access rights
  - Authentication and identification
- IT Security Administration
  - Administration accounts
  - Administration information systems
- IT Security Architecture
  - Cryptography
  - System segregation
  - Systems configuration
  - Traffic filtering
- IT Security Maintenance
  - Industrial control systems
  - IT security maintenance procedure
- Physical and environmental security
  - Physical and environmental security

IV. Resilience
- Continuity of operations
  - Business continuity management
  - Disaster recovery management
- Crisis management
  - Crisis management organisation
  - Crisis management process
Additional reading
- European Parliament: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333
- ENISA: https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new