
How NIS2 is Redefining Cyber security for Essential Services in Europe

NIS2, or the updated Network and Information Security Directive, represents a big leap in the EU’s efforts to stay ahead in cybersecurity. This directive addresses the gaps left by its earlier version, adjusting to the constantly shifting cyber threat landscape. NIS2 doesn’t just expand its coverage to include more sectors; it also sets stricter cybersecurity standards and places responsibility on executives to ensure these measures are followed. The core goal of NIS2 is to strengthen Europe’s digital framework, equipping it to face new and evolving cyber risks with a stronger, more resilient approach.


How and where did NIS2 form?

NIS2 was introduced to address the shortcomings of the original NIS Directive from 2016. That first directive set out to improve cybersecurity for essential services across the EU, but inconsistent implementation and varied regulations across countries led to uneven protections and left significant gaps. In 2021, the European Commission introduced NIS2 to create a more cohesive strategy. Officially in effect as of January 2023, NIS2 broadens the original directive’s scope, covering more sectors that are considered critical to society and the economy. This update reflects the EU’s effort to tackle rising cybersecurity threats with a stronger, unified approach.

Which organizations should comply with NIS2?

The NIS2 directive is about more than ticking regulatory boxes: it applies to organizations that provide services crucial to the EU’s economy and overall societal functions. These organizations fall under two main groups:

Essential Entities (EE) Coverage

Essential entities are large companies in critical sectors: those with over 250 employees, an annual turnover above €50 million, or a balance sheet of €43 million or more. Sectors include:

– Energy

– Transport

– Finance

– Public Administration

– Health

– Space

– Water (both drinking water and wastewater)

– Digital Infrastructure (such as cloud service providers and ICT management)

Important Entities (IE)

Typically, these are medium-sized organizations: those with at least 50 employees, an annual turnover of €10 million or above, or a balance sheet of €10 million or more. Sectors covered include:

– Postal Services

– Waste Management

– Chemicals

– Research

– Food

– Manufacturing (including medical devices and similar products)

– Digital Providers (e.g., social networks, search engines, and online marketplaces)

Let’s break it down a bit.

The ‘essential entities’ group is like the VIP section of NIS2. It covers a wide range of sectors that are essential to keeping things running smoothly. But here’s where it gets interesting: the essential sectors are also assessed against the size criteria you’d expect for ‘important entities’, so an organization in an essential sector can fall under NIS2 without meeting the large-company thresholds.

Understanding where you fit in the NIS2 puzzle isn’t just about ticking a box. It’s about knowing what’s expected of you, because the obligations can vary quite a bit depending on your classification.

Even if an organization doesn’t meet the size requirements, it might still be included under NIS2 if it’s the only provider of an essential service in a particular Member State. This is especially relevant for companies that play a unique role in a country’s infrastructure or economy.

Any business or supplier providing essential services that affect Europe’s economy and society should take a close look at these classifications. Understanding where your organization fits within NIS2 can clarify your responsibilities and help ensure you meet compliance requirements.

Penalties associated with non-compliance with NIS2

NIS2 enforces strict penalties for organizations that don’t comply. Organizations designated as essential under NIS2 could be hit with fines reaching up to €10 million or 2% of their worldwide revenue, whichever is greater. For those classified as important entities, penalties can go up to €7 million or 1.4% of their turnover.

The directive also extends accountability to top management to ensure that cybersecurity is prioritized at all levels, especially among leadership. The EU’s focus on such high penalties shows its commitment to strengthening cybersecurity and safeguarding vital infrastructure across member states.
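The scoping rules and fine ceilings above can be turned into a repeatable check, which is useful both for an organization assessing itself and for assessing the suppliers it reviews under the supply-chain requirements. The following Python is an added example, not code from this article or from AppSealing. It encodes the size thresholds, sector lists and fine ceilings exactly as the article states them (the article’s simplified reading of the directive, not legal advice); treating a medium-sized company in an essential sector as ‘important’, and a sole provider as ‘essential’, are assumptions about how the article’s wording maps onto classes.

```python
"""Scoping helper for the NIS2 entity classes described in the article.

Added example, not code from the article or from AppSealing.  Thresholds,
sector lists and fine ceilings are taken from the article's wording
(assumption: the article's simplified reading of the directive).
"""
from dataclasses import dataclass
from typing import Optional

# Sector lists as the article groups them (assumption: article's grouping).
ESSENTIAL_SECTORS = {
    "energy", "transport", "finance", "public administration", "health",
    "space", "water", "digital infrastructure",
}
IMPORTANT_SECTORS = {
    "postal services", "waste management", "chemicals", "research", "food",
    "manufacturing", "digital providers",
}

# Fine ceilings as the article states them: a fixed amount or a percentage of
# worldwide annual turnover, whichever is greater.
FINE_CEILINGS = {
    "essential": (10_000_000, 0.02),
    "important": (7_000_000, 0.014),
}


@dataclass
class Organisation:
    name: str
    sector: str
    employees: int
    turnover_eur: float           # annual (worldwide) turnover
    balance_sheet_eur: float
    # Article: sole provider of an essential service in a Member State may be
    # included regardless of size.
    sole_provider_in_member_state: bool = False


def is_large(org: Organisation) -> bool:
    """Large-company test as the article phrases it (any one criterion)."""
    return (org.employees > 250
            or org.turnover_eur > 50_000_000
            or org.balance_sheet_eur >= 43_000_000)


def is_medium(org: Organisation) -> bool:
    """Medium-company test as the article phrases it (any one criterion)."""
    return (org.employees >= 50
            or org.turnover_eur >= 10_000_000
            or org.balance_sheet_eur >= 10_000_000)


def classify(org: Organisation) -> Optional[str]:
    """Return 'essential', 'important', or None when outside the article's scope.

    Rules, following the article:
    * large company in an essential sector              -> essential
    * sole provider in a Member State (any size)        -> essential (assumption)
    * medium company in an essential sector             -> important (assumption)
    * medium or large company in an important sector    -> important
    * anything else                                     -> out of scope
    """
    sector = org.sector.lower()
    if sector in ESSENTIAL_SECTORS:
        if is_large(org) or org.sole_provider_in_member_state:
            return "essential"
        if is_medium(org):
            return "important"
        return None
    if sector in IMPORTANT_SECTORS:
        if is_medium(org):          # is_large implies is_medium
            return "important"
        return None
    return None


def max_fine_eur(org: Organisation) -> float:
    """Ceiling of the fine the article gives for the organisation's class (0 if out of scope)."""
    entity_class = classify(org)
    if entity_class is None:
        return 0.0
    fixed, pct = FINE_CEILINGS[entity_class]
    return max(fixed, pct * org.turnover_eur)


if __name__ == "__main__":
    # Constructed sample register (hypothetical organisations, not real data).
    register = [
        Organisation("grid-operator", "energy", 1000, 1e9, 5e8),
        Organisation("regional-clinic", "health", 120, 20e6, 8e6),
        Organisation("island-water", "water", 12, 2e6, 1e6, sole_provider_in_member_state=True),
        Organisation("small-lab", "chemicals", 10, 1e6, 1e6),
    ]
    for org in register:
        print(f"{org.name:16} class={classify(org)!s:10} max fine=€{max_fine_eur(org):,.0f}")
```

Run it over a supplier register and the output is the per-supplier class and the fine ceiling that would apply to that supplier, which is a quick way to decide which contracts need the cybersecurity clauses the article recommends later on.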

What are the new requirements for compliance with NIS2?

NIS2 introduces a comprehensive set of new requirements for essential and important entities to implement, aimed at enhancing cybersecurity across the European Union. These requirements are designed to address the evolving threat landscape and strengthen the resilience of critical sectors.

Here’s a detailed explanation of the new requirements for compliance with NIS2:

1. Risk Management Measures

a) Incident handling 

To manage incidents effectively, organizations need clear procedures for spotting issues quickly, responding appropriately, and limiting damage. With these plans in place, companies are better equipped to manage incidents smoothly, keeping any disruptions or losses to a minimum.

b) Business continuity 

Companies need to create and regularly update plans to keep their services running smoothly, even during a cyber incident. Having a solid continuity plan helps ensure that essential operations don’t come to a halt if something goes wrong, allowing the organization to keep serving its clients and partners without major interruptions.

c) Supply chain security 

NIS2 places a strong focus on securing the supply chain, which further pushes organizations to look closely at cybersecurity risks tied to their suppliers and service providers. And as each partnership can introduce unique vulnerabilities, it becomes more important for companies to review these relationships and address any potential risks. By taking these precautions, organizations can better safeguard themselves against threats that might arise from outside connections.

d) Network and information systems security 

Protecting network and information systems means putting solid defenses in place to prevent issues and limit their effects if they arise. By reinforcing these systems, organizations can better shield themselves from potential disruptions, ensuring a smoother, more resilient operation.

e) Policies and procedures 

Organizations should have clear policies and procedures to assess the effectiveness of cybersecurity risk-management measures. It’s equally important to routinely review the effectiveness to spot any weak points, helping the organization stay one step ahead in managing potential risks.

2. Corporate Accountability

The NIS2 directive puts cybersecurity responsibility directly on executives, making it clear that accountability starts at the top. By fostering a security-first mindset that flows from leadership to every part of the organization, NIS2 encourages a culture where cybersecurity is woven into daily operations and decision-making at all levels.

a) Management Oversight 

For organizations deemed essential or important, senior management is required to take an active role in cybersecurity by formally approving the strategies and measures put in place to manage cyber risks. By involving top leadership, NIS2 ensures that cybersecurity decisions are carefully reviewed and aligned with the organization’s overall goals and approach to risk.

b) Training

Top executives must be trained in the relevant methods and processes and have an in-depth understanding of the NIS2 Directive and of how cyber risks could impact the company’s operations. Such training increases leaders’ awareness of potential threats, equipping them with the insights necessary to make decisions that enhance the organization’s security and resilience.

c) Personal Liability 

The NIS2 Directive takes board-level accountability seriously and holds board members personally liable if the company falls short on security compliance. In severe situations, executives might even face temporary removal from leadership roles. These strict measures emphasize just how vital it is for leaders to meet their cybersecurity obligations, highlighting the crucial role executives play in protecting the organization.

3. Reporting Obligations

NIS2 significantly enhances the incident reporting requirements:

a) Early warning

The NIS2 Directive sets strict guidelines for reporting security incidents. When a significant incident occurs, organizations are required to inform the relevant authorities or Computer Security Incident Response Teams (CSIRTs) within a 24-hour window. Promptly submitting these notifications enables response teams to quickly assess the situation and take the necessary steps to contain the issue, minimizing potential damage and helping to secure broader systems.

b) Incident notification

A more detailed incident notification must be submitted within 72 hours.

c) Final report 

Organizations are required to submit a final report on the incident, including root cause analysis and measures taken, within one month of the initial notification.

d) Proactive reporting 

Entities must inform recipients of their services about incidents that could adversely affect the provision of that service, as well as measures they can take to mitigate the risks.
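The three deadlines in this section are easy to miss during a live incident, so teams usually track them from the moment the entity becomes aware of the incident. The following Python is an added example, not code from this article or from AppSealing. It encodes the article’s stages (early warning within 24 hours, incident notification within 72 hours, final report within one month of the initial notification) and, for a given incident and clock time, reports which submission is due next and whether it is already overdue. Two assumptions: ‘one month’ is taken as 30 days, and ‘the initial notification’ from which the final report is counted is read as the 72-hour incident notification (its actual submission time if known, otherwise its deadline).

```python
"""Reporting-deadline tracker for the NIS2 timeline the article describes.

Added example, not code from the article or from AppSealing.  Stage names and
ordering follow the article; '30 days' for 'one month' and counting the final
report from the 72-hour incident notification are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

STAGES = ("early_warning", "incident_notification", "final_report")


@dataclass
class Incident:
    identifier: str
    detected_at: datetime                              # when the entity became aware
    submitted: Dict[str, datetime] = field(default_factory=dict)  # stage -> submission time


def deadlines(incident: Incident) -> Dict[str, datetime]:
    """Due time of each stage, computed from the detection time as the article describes."""
    t0 = incident.detected_at
    early = t0 + timedelta(hours=24)
    notification = t0 + timedelta(hours=72)
    # Assumption: the final report's one month (30 days here) runs from the
    # incident notification, using its real submission time when available.
    basis = incident.submitted.get("incident_notification", notification)
    final = basis + timedelta(days=30)
    return {"early_warning": early, "incident_notification": notification, "final_report": final}


def next_due(incident: Incident, now: datetime) -> Optional[Tuple[str, datetime, bool]]:
    """(stage, due_time, overdue) for the first stage not yet submitted, or None if all are in."""
    due = deadlines(incident)
    for stage in STAGES:
        if stage not in incident.submitted:
            return (stage, due[stage], now > due[stage])
    return None


def late_submissions(incident: Incident) -> List[str]:
    """Stages that were submitted after their deadline, for after-the-fact review."""
    due = deadlines(incident)
    return [s for s in STAGES if s in incident.submitted and incident.submitted[s] > due[s]]


if __name__ == "__main__":
    # Constructed sample incident (hypothetical times, not real data).
    inc = Incident(
        "INC-0001",
        detected_at=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
        submitted={"early_warning": datetime(2024, 3, 2, 8, 0, tzinfo=timezone.utc)},
    )
    now = datetime(2024, 3, 3, 0, 0, tzinfo=timezone.utc)
    print("deadlines:", deadlines(inc))
    print("next due :", next_due(inc, now))
    print("late     :", late_submissions(inc))
```

Feeding the tracker the detection time recorded in the incident ticket, and updating `submitted` as each report goes out, gives an on-call responder a single answer to “what do we owe the CSIRT next, and by when”.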

4. Enhanced Scope and Sector Coverage

NIS2 expands its scope to cover more sectors and entities:

a) New sectors

The NIS2 Directive has broadened its scope to include a wider range of industries. Sectors like waste management, food production and distribution, chemicals, manufacturing, postal and courier services, and public administration are now covered by the directive. By extending its reach, NIS2 ensures that critical industries across the board are held to high cybersecurity standards, recognizing the essential role each plays in maintaining the resilience and security of society’s foundational services.

b) Size-based criteria

Medium and large entities in the covered sectors are automatically included, while smaller entities may be designated as essential or important based on their criticality.

5. Harmonization Across EU Member States

NIS2 aims to reduce discrepancies in cybersecurity requirements and implementation across EU member states:

a) Minimum list of security elements

The NIS2 Directive lays out essential security measures that organizations need to address or implement. The standardized risk analysis, incident handling, and business continuity planning requirements and measures are designed to create a consistent level of protection to handle cyber risks.

b) Standardized reporting

NIS2 introduces more standardized incident reporting requirements to facilitate better information sharing and analysis across borders.

6. Supply Chain Security

NIS2 places a strong emphasis on securing the entire supply chain:

a) Risk assessment 

Organizations must assess the cybersecurity risks of their key suppliers and service providers.

b) Contractual obligations 

Entities are encouraged to include cybersecurity requirements in their contracts with suppliers.

c) Direct supplier responsibility 

The directive extends certain obligations to direct suppliers and service providers of essential and important entities.

7. Encryption and Vulnerability Disclosure

NIS2 introduces new requirements related to encryption and vulnerability management:

a) Encryption

The NIS2 directive requires organizations to put in place clear and robust encryption policies, with end-to-end encryption implemented wherever appropriate, to enhance data protection. By setting specific security standards for networks linked to critical and sensitive infrastructures, these encryption guidelines help keep data secure as it moves through different systems.

b) Coordinated vulnerability disclosure

The directive promotes the implementation of coordinated vulnerability disclosure policies.

8. Cybersecurity Certification

NIS2 places a strong emphasis on European cybersecurity certification programs, encouraging organizations to adopt certification as a means of demonstrating compliance with the directive’s standards.

a) Compliance Verification

By obtaining EU-recognized cybersecurity certifications, organizations can show that they meet specific NIS2 requirements, making it easier for regulatory bodies to verify their compliance.

b) Promotion of Certification

Member states are also responsible for actively promoting these EU cybersecurity certifications, aiming to standardize security practices and establish a common cybersecurity baseline across Europe.

9. Domain Name System (DNS) Security

DNS providers play a critical role in maintaining the integrity of the internet, and NIS2 introduces specific requirements for these providers to strengthen their security measures and to deal with malicious DNS domains.

a) Data Accuracy

DNS providers need to maintain accurate and reliable DNS data so that users receive correct and trusted information.

b) Access Control

Strict access control measures, in the form of rigorous identity verification and authentication, need to be implemented to protect DNS servers from unauthorized access.

c) Incident Detection

DNS providers must have the ability to detect and respond to DNS-related security incidents promptly, reducing the risk of disruptions or potential attacks on internet infrastructure.

10. Registration Data for Top-Level Domain Names

NIS2 sets clear requirements for registries and entities that manage top-level domain names, aiming to improve transparency and accountability in the domain registration process.

a) Data Collection

Entities responsible for domain registration must ensure they collect accurate and complete registration data, making it easier to track ownership and prevent misuse.

b) Access Provision

These entities are also required to provide timely and lawful access to domain name registration data to legitimate parties, supporting transparency and accountability in domain management.

11. Cybersecurity Information Sharing

NIS2 promotes increased information sharing on cybersecurity threats and incidents:

a) Information exchange platforms

Member states are required to establish platforms for sharing cybersecurity information.

b) Voluntary information sharing

The directive encourages voluntary sharing of relevant cybersecurity information among essential and important entities.

12. Supervisory Regime and Enforcement

The NIS2 Directive sets out a structured approach to ensure that organizations meet EU-wide cybersecurity standards.

a) Proactive Supervision

Authorities will conduct regular checks to catch any potential issues early, helping organizations stay secure and avoid more serious problems down the line.

b) Reactive Supervision

If there’s any sign of non-compliance, authorities have the power to investigate and take appropriate actions to correct the situation.

c) Unified Penalties

NIS2 establishes consistent fines across EU member states. These significant penalties underline the importance of following cybersecurity rules and encourage organizations to take their responsibilities seriously.

13. Incident Response and Crisis Management

NIS2 enhances requirements for incident response and crisis management:

a) National cybersecurity strategies

Member states must adopt national cybersecurity strategies that include policies on incident response and crisis management.

b) Large-scale incident coordination

The directive establishes a framework for coordinated response to large-scale cybersecurity incidents at the EU level.

The NIS2 directive marks a major shift in the EU’s approach to strengthening digital resilience. This sweeping directive highlights the EU’s understanding of today’s complex and highly connected digital environment. Yet, the real impact of NIS2 will rely heavily on how well it’s implemented and enforced across member states. Many organizations are facing notable challenges to meet the October 2024 compliance deadline, especially when it comes to areas like securing the supply chain, timely incident reporting, and ensuring accountability at the executive level. The EU’s substantial penalties for non-compliance make it clear that these cybersecurity obligations are being taken very seriously.
