NIS2 Directive: Understanding The EU Cybersecurity Legislation

Kimberly Yánez April 25, 2024
- 10 min read

If you're here, it's likely because you're an IT professional who wants to stay up-to-date on cybersecurity regulations and directives, especially if your organization operates within the European Union (EU). One important regulation to be aware of is the NIS2 Directive aka the second take of the Network and Information Security (NIS).

Understanding the implications of NIS2 compliance is the first step in the right direction, and that's why we have gathered all the relevant information to assist you in adapting to the cybersecurity framework outlined in this directive. 

Stay informed and prepared as we explore the details of NIS2 and its deadline, because yes, it’s mandatory.

Table of contents

What is the NIS2 directive?

The NIS2 Directive is a legislative framework adopted by the European Union to bolster cybersecurity resilience within the region. It entered into force on January 16th, 2023 after being proposed in 2020. 

Building upon its predecessor, NIS, which was enacted in 2016, this updated version reflects the evolving landscape of the digital era. The previous directive’s implementation varied significantly among member states and this lack of consistency created a disjointed system where some companies and organizations were classified as essential in certain countries but not in others.

To address this challenge, the European Commission undertook a revision of the NIS Directive to clearly delineate the organizations covered and their specific obligations.

NIS2 takes a stronger stance by not only focusing on critical sectors like energy, transport, banking, and healthcare but also aims to ensure a high common level of network and information security across the EU.

NIS vs. NIS2

So, in essence NIS2 is an updated version of NIS. Both approaches work in concordance with EU regulations on cybersecurity, but the most notable difference between them is their scope.

While NIS primarily targeted operators of essential services and digital service providers, NIS2 expands its scope to cover additional sectors and entities, including online marketplaces and search engines.

NIS2 is also more proactive than its predecessor when it comes to incident reporting, Risk Management and its link to supervisory authorities. For instance, it has stricter incident reporting requirements and extends the list of security incidents that must be reported to authorities. NIS2 enhances the role of national competent authorities in overseeing compliance with the directive and coordinating cybersecurity efforts at the EU level.

Why is the NIS2 framework important – and who needs it?

To make it short, it’s the law. No one can skip it; and for a good reason:

The NIS2 directive is important as it sets out requirements and obligations for organizations operating in the EU to prevent and respond to cybersecurity incidents effectively. 

So, if this is your case, it’s important that you know how it applies to your company since it’s pretty much in every sector, including energy, transport, banking, healthcare, and digital services. 

These sectors are considered critical to the functioning of society and the economy, making them prime targets for cyber attacks. So in return, organizations in these industries can strengthen their cybersecurity measures, reduce the risk of cyber incidents, and protect sensitive data and infrastructure.

Additionally, NIS2 expands its scope to cover a broader range of entities, including online marketplaces and search engines. This means that companies that provide digital services or operate online platforms are also affected by the directive.

NIS2 compliance: scope and applicability

Let’s talk about the scope of NIS2 compliance, which extends to various entities and sectors within the European Union to ensure a high common level of network and information security. 

The EU sets the criteria and guidelines for organizations, including Operators of Essential Services (OES) and Digital Service Providers (DSPs), to comply with the requirements outlined in NIS2 to enhance their security posture and mitigate the risk of cyber incidents.

Let’s see which organizations fall under these categories.

Essential entities covered by NIS2

  • Operators of Essential Services (OES): These are companies operating in critical sectors such as energy, transport, banking, and healthcare that fall under the scope of NIS2 compliance.

  • Digital Service Providers (DSPs): Online platforms, search engines, and other digital service providers are also included in the scope of NIS2 compliance. These entities must adhere to the directive's requirements to safeguard their networks and information systems from cyber risks.

Now, the NIS2 directive also recognizes the interconnected nature of OES and DSPs and emphasizes the dependencies and interdependencies between these entities in maintaining cybersecurity resilience. 

Dependencies between OES and DSPs

  • Operational dependencies: OES and DSPs often rely on each other's services and infrastructure to operate effectively. For example, a transportation company (OES) may depend on a cloud service provider (DSP) for data storage and processing.

  • Supply chain dependencies: OES and DSPs are interconnected through complex supply chains, where disruptions in one entity can have cascading effects on others. A cyber incident affecting a DSP could impact the services provided to OES, leading to operational disruptions.

Interdependencies among OES and DSPs

  • Data sharing and integration: OES and DSPs may share data and integrate systems to enhance service delivery and efficiency. This interdependence requires robust cybersecurity measures to protect shared data and prevent cyber threats from compromising the interconnected systems. For instance, a hospital and a cloud-based health record provider share patient data securely.

  • Cyber incident response: In the event of a cyber incident, OES and DSPs may need to collaborate and coordinate their response efforts to mitigate the impact and restore services promptly. Interdependencies in incident response mechanisms are essential for effective cybersecurity resilience. We could see this happening if an airline collaborates to respond to a ransomware attack. 

NIS2 requirements: How to prepare for the NIS2 directive

The NIS 2 Directive's requirements cover various areas that impact the overall security posture of entities falling within its scope:

Risk Management

Organizations must implement measures to reduce cyber risks as mandated by the new Directive. These measures encompass Incident Management, bolstered supply chain security, improved network security, enhanced access control, and encryption.

Corporate accountability

Under NIS2, Corporate Management is tasked with overseeing, approving, and receiving training on the entity’s cybersecurity measures to address cyber risks. Breaches could lead to penalties for management, including liability and potential temporary bans from management roles.

Reporting obligations

Essential and significant entities must establish processes for promptly reporting security incidents with a notable impact on their service provision or recipients, adhering to specific notification deadlines like the 24-hour “early warning” stipulated by NIS2.

Business continuity

Organizations are required to develop plans to ensure business continuity in the event of major cyber incidents, encompassing considerations such as system recovery, emergency procedures, and the formation of a crisis response team.

Security measurements

NIS2 mandates that essential entities implement ten minimum security measures to address specific cyberthreats. These measures include:

  1. Conducting risk assessments and establishing security policies for information systems.
  2. Implementing procedures to evaluate the effectiveness of security measures.
  3. Defining policies for the use of cryptography and encryption where necessary.
  4. Developing incident handling plans.
  5. Ensuring security in system procurement and development.
  6. Providing cybersecurity training and promoting basic computer hygiene practices.
  7. Establishing security procedures for employees with access to sensitive data.
  8. Creating business continuity plans for managing operations during and after security incidents.
  9. Utilizing multi-factor authentication and encryption solutions.
  10. Implementing security measures for supply chain relationships.

NIS2 deadlines

The deadline for the NIS2 Directive is October 17, 2024. By this date, each EU member state must have implemented the requirements of NIS2 into their national legislation.

Violation penalties for non-compliance with the NIS2 Directive can result in penalties such as non-monetary remedies, administrative fines, and criminal sanctions for essential and important entities. These penalties may vary by member state but include a minimum list of administrative sanctions for cybersecurity breaches.

However, national supervisory authorities under NIS2 have the power to enforce non-monetary remedies like compliance orders, binding instructions, security audit implementation orders, and threat notification orders to entities' customers.

These actions aim to ensure that top-level executives are held responsible and to mitigate the risk of severe negligence in managing cybersecurity threats.

So, until NIS2 becomes a national law in the EU country where your company operates, make sure to assess whether your organization falls within the scope of NIS2 and determine which units will be affected.

If the answer is yes, review your current security measures, updating security policies, and creating a strategy for NIS2 compliance. Then, introduce new security protocols and incident reporting requirements mentioned above into your supply chain early on to prevent any potential delays.

Final thoughts

An ordinary NIS2 compliance procedure involves security evaluations, audits, consultations, and the deployment of tools. NIS2 imposes more severe penalties for non-compliance, such as fines of up to 10% of an entity's yearly revenue and reputation damages.

To prepare for NIS2 compliance, organizations should plan early by creating a roadmap, identifying critical processes, implementing robust security measures, addressing supply chain vulnerabilities, fostering a cyber-oriented culture, and seeking expert guidance to navigate the compliance journey effectively.

Quick wins, such as establishing incident escalation and reporting processes, can be set up in advance to streamline compliance efforts.

Good luck!

Read other articles like this : Cybersecurity

Evaluate InvGate as Your ITSM Solution

30-day free trial - No credit card needed