InfoSec

The EU's new NIS2 Directive: What you need to know

Announced in December 2022, the NIS2 Directive is the successor to the NIS Directive. This regulatory framework upgrades the cybersecurity posture of networks and information systems across the EU.

Author
Dr. Kilian Schmidt
Date
2.2.2025
Updated on
28.2.2025

  • It applies to essential and important companies in critical sectors and also obliges non-EU companies operating within the EU
  • The main goals are to increase cyber resilience, improve collaboration, and ensure uniform crisis responses
  • Companies must develop risk management strategies, report incidents, and address cybersecurity risks in the supply chain

NIS2 Directive: A New Standard for Cybersecurity in the EU

In 2016, the EU introduced the Network and Information Security Directive (NIS) as the first EU-wide legislation to establish a consistent level of cybersecurity among member states. However, its shortcomings, namely inconsistent levels of resilience across member states and sectors, the lack of a common crisis response, and an inability to keep pace with a rapidly evolving threat landscape, led the EU Commission to replace NIS with NIS2.

Announced in December 2022, the NIS2 Directive is the successor to the NIS Directive. This regulatory framework upgrades the cybersecurity posture of networks and information systems across the EU. Among the major changes introduced, NIS2 has a broader scope, stricter requirements, and more stringent enforcement. Member states are required to incorporate the provisions of NIS2 into their local legislation by October 17, 2024.

Scope of the Directive

The NIS2 Directive applies to providers of critical or essential services in the EPCIP sectors that have been covered since NIS1 (2016), as well as in the sectors added to EPCIP under NIS2 (2022). EPCIP sectors are the sectors covered by the European Programme for Critical Infrastructure Protection.

  • Sectors already covered since NIS1: energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, and digital providers.
  • Additional sectors since NIS2: production & processing, providers of publicly available electronic communications services, ICT (information and communication technologies) service management, public administration, space, postal and courier services, waste and waste water management, and research.

Beyond belonging to one of the above sectors, additional criteria for qualifying as a provider of critical or essential services include:

  • Size: 50 or more employees.
  • Revenue: Annual turnover greater than 10 million euros.
  • Exclusivity: Sole provider of a critical service, regardless of size.

Essential entities are businesses and organisations whose disruption can severely disturb the functioning of the economy and public well-being. These sectors include energy, transport, banking, health, digital infrastructure, space, drinking water supply and distribution, etc.

Important entities are providers of important services whose disruption would not have the same impact as the disruption of essential services. These sectors include postal and courier services, manufacturers and distributors of food and chemicals, research organisations, etc.

The NIS2 Directive also applies to businesses that provide essential services to the European Union, regardless of whether they have a presence within the EU. This means that companies operating outside the EU are also subject to the Directive's provisions if their services qualify as critical within the EU. Such entities are required to designate a representative in the member state(s) in which they provide services.

Structure of NIS2 and its main cybersecurity requirements

Setting aside the preamble, the main part of the Directive consists of 46 articles. These articles, divided across nine chapters, primarily cover the Directive's scope, definitions, security requirements, cooperation, incident reporting, competent authorities, sanctions, and final provisions.

Of the nine chapters, only Chapter IV, titled "Cybersecurity risk-management measures and reporting obligations", defines the security requirements that both essential and important entities must meet to comply with the Directive.

The remaining chapters (I, II, III, V, VI, VII, VIII, and IX) specify the obligations of Member States and government agencies in enforcing NIS2. These chapters set out the overarching structure, rules, and mechanisms for the framework, governance, and enforcement of the Directive at the EU level.

Main goals of the NIS2 Directive

The three main goals of NIS2 are to increase cyber resilience levels, reduce inconsistencies in resilience, and improve joint situational awareness. The Directive encompasses a set of measures that work in combination to achieve these goals, including:

  • Risk assessment and management: Organisations are required to conduct risk assessments on a regular basis as a precautionary measure, so that risks are identified before they turn into major security threats. This aids in developing and implementing risk management strategies, including prioritised allocation of resources, to mitigate the effect of identified risks.
  • Incident response preparedness and reporting: NIS2 mandates that organisations develop and maintain incident response plans in advance, including step-by-step procedures to follow in the event of a cyberattack. Furthermore, such incidents must be reported to the competent authorities to help them better understand the emerging threat landscape.
  • Enhanced cooperation and information sharing: The collaborative, information-sharing environment among organisations, government agencies, and law enforcement promoted by NIS2 helps improve cyber resilience. The Directive achieves this objective through various mechanisms, including:
      • development of information-sharing agreements to govern the secure and compliant exchange of sensitive cybersecurity information between organisations and government;
      • interagency collaboration that brings together government agencies, private entities, and cybersecurity experts to practise coordinated responses. Joint exercises include simulations of common cyberattacks to test an entity's risk management and incident response plans against them and to learn from each other's experiences.

Compliance and enforcement

NIS2 imposes a tiered penalty system for non-compliance. For essential entities, failure to comply with the NIS2 requirements can result in fines of up to 10 million euros, or 2% of global annual turnover, whichever is higher.

For important entities, non-compliance can attract fines of up to 7 million euros, or 1.4% of global annual turnover, whichever is higher. Authorities also have the power to impose sanctions such as temporarily suspending the services offered by an organisation.

To achieve NIS2 compliance, organisations should follow these steps.

  1. Determine which category of entity they belong to: essential or important.
  2. Conduct a gap analysis to identify areas where improvements are required.
  3. Develop risk management strategies, including implementation of the necessary security policies, processes, and controls.
  4. Establish robust incident response to mitigate risk in the event of a cyberattack.
  5. Assess and manage cybersecurity risks in the supply chain.
  6. Be prepared for potential audits, inspections, and enforcement actions by authorities.

NIS2-compliant network security with Kertos

Although NIS2 introduces additional requirements specific to network and information security across critical sectors, many of its provisions align with existing standards such as ISO 27001. This means that compliance with ISO 27001 can ease compliance with NIS2 to a great extent.

At Kertos, we offer compliance with key data privacy regulations and internationally recognised information security standards. Our support with risk assessment and management, incident response preparedness, and threat intelligence and awareness is something you won't want to miss!

The founder's guide to NIS2: Prepare your company now

Protect your startup: Discover how NIS2 can affect your company and what you need to consider now. Read the free whitepaper!


Dr Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. Following a position at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where as General Counsel he played a key role in building up the legal and public policy department, and helped grow the company from one to 65 cities and from 50 to 800 employees. Motivated by the limited technological progress in the legal field and inspired by his advisory work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integral data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC 2, and many other standards quickly and cost-effectively through automation.
