
NIS2 and Earth stations - 10 statements

The national implementation of the Cyber Security Directive (Network and Information Systems Directive, NIS2 Directive) will enter into force in autumn 2024. The aim of the new Directive is to strengthen the EU's common and Member States' national level of cyber security in sectors and operators considered critical for the functioning of society. With regard to the NIS2 Directive, the authority supervising the space sector is the Finnish Transport and Communications Agency Traficom.

In this blog post we go through 10 statements about the NIS2 Directive from the perspective of space operators and find out whether they are true or myth. Make sure that you know the facts and avoid misunderstandings when new cyber security regulation becomes part of your everyday life.
 

All space operators fall within the scope of the NIS2 Directive.

The myth. Earth stations and their control and management centres fall within the scope of regulation, as does the related terrestrial infrastructure. Space objects, such as satellites, and space activities are not included.

Earth stations are an essential part of modern telecommunications infrastructure, enabling communication with satellites and conveying information between the Earth and space. Earth station systems are needed to enable data transfer between satellites and terrestrial networks and services. In other words, Earth stations support communications widely in various applications, such as satellite telecommunications, weather forecasts, television broadcasts and scientific research. Depending on the size or criticality of the operator, operators who have been granted a permit for Earth station operations may be subject to regulation, which means that operators in the sector must review their cyber security policy now at the latest and examine the criteria for the objects of regulation laid down in the NIS2 Directive. Public operators who do not have a separate Earth station operating licence may also be subject to regulation. More detailed information on permits for Earth station operations and on the activities covered by regulation can be found on Traficom's website.

Earth stations may be critical for both national security and economic stability, which makes their cyber security particularly important. By complying with the new requirements and introducing the necessary measures, Earth stations can ensure that they are better protected against cyber threats. This will enable them to continue their significant role safely and reliably also in the future.
 

The NIS2 Directive enables national margin of manoeuvre in cyber security planning.

That's true. At the level of the European Union, the directive sets a minimum level, meaning that Member States can, for example, impose higher sanctions or stricter regulation on certain sectors or operators in their national implementation. Operators subject to regulation, and also operators not subject to regulation, may in addition set higher requirements in their own cyber security policy if they so wish. Finland has, for its part, utilised the national margin of manoeuvre in the implementation of the Directive in the scope, extent and supervision of the obligations. The transition of domestic operators towards the requirements of the NIS2 Directive has been facilitated by the cyber security requirements already included in the Act on Earth Stations and Certain Radars, which were laid down in advance of NIS2's regulatory requirements.
 

The NIS2 Directive as a whole is wider than its predecessor, the NIS1 Directive.

That's true. This new directive updates and extends the scope of the current NIS Directive, now covering a wider range of sectors and critical infrastructures, such as energy, healthcare, space and digital services. The supervisory authorities also monitor the risk management of some operators in advance and, for all operators, afterwards in the event of a cyber incident. Operators subject to regulation must also register in the list of operators maintained by the National Cyber Security Centre operating under Traficom. The reform will also involve, for example, distinguishing between operators that are essential for society and those that are important for it.
 

The NIS2 Directive only applies to large companies in critical infrastructure.

The myth. The scope of application of the NIS2 Directive is broad, also covering small and medium-sized enterprises if they are critical for the economic activity or security of society. The previous Directive mainly covered large operators in critical sectors. In the regulation, operators are divided into essential and important operators, depending on their size, sector and criticality. The sectors and the impact of the operator's size on its regulation can be found in the table of Traficom's National Cyber Security Centre (in Finnish).
 

The NIS2 Directive does not bring any changes to the preceding Directive or the Earth station Act, but only extends the scope of application.

The myth. As a whole, the NIS2 Directive is more detailed than the Earth station Act. One of the key changes is that NIS2 sets partly stricter requirements for information security measures and reporting obligations. The new directive will introduce risk management and reporting obligations that strengthen cyber security in critical sectors. Further information on these obligations is available on the website of the National Cyber Security Centre.

For this purpose, Traficom has opened a notification system for operators, to which operators must register. Operators must ensure that the requirements for the implementation of the Directive are met.

Operators must submit a first notification of a cyber incident within one day, a second notification within 72 hours, and a final report on the incident within one month. The reporting obligation applies to cyber incidents that endanger or cause a serious malfunction in the operator's services or that affect the operator's customers. Reporting such incidents is mandatory, but voluntary reporting is also recommended for non-regulated operators and for near misses.
 

Supervisory authorities may impose sanctions on those who fail to comply with the Directive.

That's true. If an operator fails to comply with the obligations or requirements of the NIS2 Directive, the sector-specific supervisory authority (in Finnish), which for Earth station operations is Traficom, may impose sanctions on the operator. The penalty may amount to up to EUR 10 million or 2% of the company's total turnover. An administrative penalty payment is ordered to be paid to the State. In extreme situations, the services or functions offered by the operator may be suspended.

 

Earth station operators must prepare for the requirements only by investing in new technology.

The myth. It is true that preparing for the new requirements may involve investments in new technology, but it also involves investments in personnel training and continuous monitoring of cyber security. Companies must primarily carry out a comprehensive assessment of their cyber security situation and ensure that they meet the current requirements. It is also important to monitor Traficom's communications about possible threats and to become familiar with the process and reporting system for NIS2 information security incidents. Critical operators are not left alone when preparing for and adhering to regulation. Instead, the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom supports organisations in maintaining and developing their information security through various services, including situational picture products. As the permit authority for Earth station operations, Traficom advises Earth station operators on their operations as a whole.
 

The National Cyber Security Centre acts as a CSIRT Unit in Finland.

That's true. The unit for responding to and investigating information security violations (Computer Security Incident Response Team, CSIRT) operates at Traficom's National Cyber Security Centre. An Earth station operator sends information on a cyber threat or attack to Traficom, which supervises the operations in general and relays the information to the CSIRT unit. The unit provides the operator with immediate help and instructions and, in the case of a significant incident, assistance if the operator so requests. The National Cyber Security Centre also acts as a coordinator at the European level. It should also be noted that operators both under and outside regulation can voluntarily report "near miss" situations or other cyber threats. Read more about the reporting obligation on the website of the National Cyber Security Centre. The Earth station Act also imposes an obligation, separate from the provisions of the NIS2 Directive, to report incidents related to, for example, data disclosure or national security.
 

The supervisory authority will draw up an operating model for cyber security risk management for the operator.

The myth. In simplified terms, risk management means that the operator must have a cyber security risk management operating model in place to protect its communications networks and information systems and their physical environment. In risk management, the operator itself determines and implements the necessary measures, and the supervisory authority supervises this on a risk- and entity-based basis. As the supervisory authority, Traficom also has the authority to issue more detailed technical regulations on risk management in Earth station operations. The purpose of these regulations is to keep the operators' risk management up to date and to take into account the special characteristics of Earth station operations.
 

Regulation of the NIS2 Directive increases companies' costs but does not raise the level of cyber security.

The myth. The requirements of the NIS2 Directive may, of course, mean additional costs for companies in the initial phase, when they have to update their cyber security measures to comply with the new rules. However, it is important to understand that these investments are necessary to ensure long-term security and compliance. Ultimately, this is not just an extra cost but an investment in a future where companies can operate more safely and reliably.

NIS2 is an important step towards a higher level of cyber security in Europe. It will strengthen and lay the foundation for a more sustainable and secure critical infrastructure, the protection of which is of paramount importance from the security perspective. The Directive will improve the level of cooperation and exchange of information between organisations, which will enable a faster response to new threats. Preparedness is carried out through community work, and Traficom supports operators in this field. In the long term, these measures not only protect individual companies but also strengthen the economic and social stability of the entire EU in this unstable world.
 

The author, Jaakko Laamanen, worked in Traficom's Digital Connections unit on the planning of NIS2 and Earth station matters in summer 2024. Artificial intelligence has been utilised in writing and illustrating this post.
 

More information:
Finnish Transport and Communications Agency Traficom, e-mail: [email protected]

Sources:
Directive (EU) 2022/2555 of the European Parliament and of the Council
Finnish Transport and Communications Agency: National Cyber Security Centre - NIS2
Government proposal HE 57/2024 vp (in Finnish)
Finnish Government: Government proposal for the implementation of the European Union Cybersecurity Directive (mostly in Finnish)

The images are made with artificial intelligence; upper image: Adobe Stock, lower image: ChatGPT

Jaakko Laamanen University Trainee