What the NIS2 Directive Means for SBOMs

Written By Mike McDonel

Your Guide to NIS2: Learn how this EU regulation enhances the security of digital products and services while elevating the importance of SBOMs to secure software supply chains.

In an era marked by escalating digital threats, cybersecurity regulations are evolving at a rapid pace. The European Union (EU) has been leading the charge, surfacing new legislative frameworks that will have a significant impact on the cybersecurity landscape.

One of the most notable has been the introduction of the NIS2 Directive. In this post, we’ll take a closer look at this policy and explore what the implications will be for Software Bills of Materials (SBOMs), a critical tool for digital security.

What is the NIS2 Directive?

The Network and Information Security (NIS) Directive, which was introduced in 2016, was the first piece of EU-wide legislation on cybersecurity. In 2023, the EU made significant updates to this framework with the hopes of implementing a more uniform, cohesive approach to cybersecurity across all Member States. Here are some of the most notable changes in the NIS2 Directive — and what the implications of these updates are for SBOMs

1. More organizations may need to produce SBOMs

The original NIS Directive only focused on a few sectors that were held to certain cybersecurity standards. It also allowed Member States considerable leeway in defining what constituted an Operator of Essential Services (OES), which was a qualification that subjected companies to additional cybersecurity regulations.

The new NIS2 Directive attempts to create a more cohesive, streamlined set of measures: 

“In order to eliminate the wide divergences among Member States in that regard and ensure legal certainty as regards the cybersecurity risk-management measures and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of this Directive.” 

Part of this effort includes specifying and broadening the categories of sectors to include those like digital infrastructure, manufacturing, and certain aspects of public administration. 

The NIS2 Directive also introduces a size-cap rule, which means that:

“...all entities which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC (5), or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which operate within the sectors and provide the types of service or carry out the activities covered by this Directive fall within its scope (7).

Implications for SBOMs: With NIS2 covering more sectors and emphasizing stricter cybersecurity measures, the transparency provided by SBOMs becomes increasingly vital. Entities — especially those that are newly subject to additional cybersecurity measures — will need to thoroughly understand the components and vulnerabilities within their software to meet these higher standards, which may lead to more organizations using SBOMs as a tool to comply with these enhanced cybersecurity requirements.

2. Stronger compliance rules

The original directive mandated that certain entities take appropriate measures to report incidents, but there were very few guidelines on what those measures should look like. Similarly, entities were encouraged to adopt risk management practices, but there was little information on how to do so.

In the new directive, there are detailed requirements for incident reporting and risk management. For example: 

“Where essential or important entities become aware of a significant incident, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, with the aim, in particular, of updating information submitted through the early warning and indicating an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, where available. A final report should be submitted not later than one month after the incident notification (102).”

Implications for SBOMs: The updated compliance and incident reporting requirements underscore the importance of SBOMs in enhancing cybersecurity practices. SBOMs can help  organizations more quickly identify and respond to incidents — not to mention that the use of SBOMs aligns with the directive's emphasis on standardized practices, making them a valuable tool in an organization's cybersecurity strategy to meet NIS2 requirements.

3. Potential consequences for non-compliance

In the original directive, there was a framework for national authorities to supervise and enforce the directive's requirements, with significant variation in how sanctions were applied across different Member States.

The new NIS2 Directive introduces a more standardized set of sanctions, including fines, to be applied uniformly across the EU for non-compliance. This standardization addresses the inconsistency in enforcement seen previously and aims to deter non-compliance through the possibility of significant penalties.

“In order to make enforcement effective, a minimum list of enforcement powers that can be exercised for breach of the cybersecurity risk-management measures and reporting obligations provided for in this Directive should be laid down, setting up a clear and consistent framework for such enforcement across the Union…The enforcement measures, including administrative fines, should be proportionate and their imposition should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union (the ‘Charter’), including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence (127).”

Implications for SBOMs: Having a program that maintains detailed and accurate SBOMs as part of an organization’s standard cybersecurity practices, especially in tandem with a management platform, can help entities prepare for or directly provide the artifacts they need to demonstrate compliance. This can then reduce their chances of being hit with a fine or penalty for not meeting cybersecurity requirements. 

4. Enhanced measures for supply chain cooperation

The original NIS Directive included provisions for cooperation among Member States, but it didn’t specifically address supply chain security risks or provide strong mechanisms for coordinated responses to cross-border cybersecurity incidents.

The new NIS2 Directive places a greater emphasis on securing the supply chain and managing risks from third-party service providers, recognizing the interconnected nature of today's digital services. It also strengthens the mechanisms for cooperation among Member States, including more robust support for coordinated responses to cybersecurity threats and incidents.

“The increasing frequency and severity of ransomware attacks can be driven by several factors, such as different attack patterns, criminal business models around ‘ransomware as a service’ and cryptocurrencies, ransom demands, and the rise of supply chain attacks. Member States should develop a policy addressing the rise of ransomware attacks as part of their national cybersecurity strategy (54).” 

“Member States should, through their national cybersecurity strategies, help small and medium-sized enterprises to address the challenges faced in their supply chains. Member States should have a point of contact for small and medium-sized enterprises at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity related issues. Member States are also encouraged to offer services such as website configuration and logging enabling to microenterprises and small enterprises that lack those capabilities (56).” 

“The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors (Article 22).”


Implications for SBOMs: The directive acknowledges the complexity of supply chains, urging entities to ensure security across all stages. Since SBOMs offer critical visibility into software components, they can provide the needed transparency to secure software supply chains effectively. Their use also aligns with best practices in supply chain security and helps entities respond effectively to third-party risks. 

As the EU continues to streamline and strengthen its cybersecurity measures across Member States, it’s clear that SBOMs may play an increasingly pivotal role for organizations across all sizes and sectors. 

Mike McDonel
Previous

SBOMs Take Center Stage in the EU’s Cyber Resilience Act
Next

Getting Started with SBOMs: The Basics