What is NIS2 and why should CEOs and CTOs care?
The NIS2 Directive aims to promote improved cybersecurity across critical sectors in European Union (EU) member states. Although it may seem like a burden to prepare for, the NIS2 regulation strengthens cybersecurity across critical sectors in the EU.
The EU NIS2 Directive is a response to growing cybercrime rates in Europe and worldwide. By following NIS2 guidelines and reinforcing your organization’s cybersecurity infrastructure, you can solidify business continuity and growth while avoiding the financial consequences of non-compliance and cybercrime.
Beginning October 17, 2024, EU countries must implement the NIS2 Directive into national legislation. This means organizations are required to comply starting the next day. Failing to meet NIS2 requirements can result in penalties of up to €10,000,000. Additionally, senior management will now be held accountable for non-compliance.
Is it still possible to prepare for the NIS2 Directive in time, with little to no impact on your operations? Fortunately, the answer is yes. Read on to find out what the NIS2 directive is, why it’s beneficial for your company, and how you can easily meet its requirements.
NIS2 Directive Overview
The NIS2 Directive (officially Directive (EU) 2022/2555) revises and replaces 2016’s Network and Information Systems (NIS) Directive. NIS was the first piece of cybersecurity legislation the EU passed, and it introduced legal measures to boost the Union’s cybersecurity. It also established key cybersecurity bodies, like the NIS Cooperation Group and Computer Security Incident Response Teams (CSIRTs).
The NIS2 Directive aims to address evolving cyber threats. This NIS2 regulation aims to improve on its predecessor and strengthen cybersecurity for critical infrastructure, providers of digital services, and other crucial sectors.
Compared to NIS1, the NIS2 Directive has enhanced requirements for organizations in terms of security and reporting. For instance, under NIS2, organizations must have a comprehensive incident response plan and report security incidents to relevant authorities and stakeholders.
Compliance with the NIS2 Directive is essential for avoiding penalties for non-compliance, ensuring operational longevity, and gaining customer trust. In the next section, we discuss the benefits of NIS2 compliance in further detail.
Getting NIS2 compliant takes a lot of time and effort across your whole organization. Use CyberUpgrade to get NIS2 compliance in 2 months. You'll get a powerful compliance platform + a dedicated team of experienced CISOs.
Why NIS2 compliance is important
The NIS2 Directive promotes best practices in cyber hygiene and data handling. As such, compliance with its requirements can be beneficial for organizations.
Below are just a few of the advantages of complying with the NIS2 Directive:
🧑‍💻 Strengthened cybersecurity and data protection
Under the NIS2 Directive, companies must implement risk management measures, conduct regular employee training, and adhere to the stringent standards outlined in the directive. Despite its cost, compliance with EU NIS2 ensures that your organization meets the latest cybersecurity standards. Adopting these measures allows companies to mitigate cyber risks, identify weak spots in security systems, and better protect sensitive data. Most importantly, achieving NIS2 compliance avoids penalties while strengthening your organization's cybersecurity posture.
⚔️ Improved transparency and resilience in managing cyber risks
The directive enhances transparency in managing cyber risks, since NIS2 imposes stricter reporting obligations and promotes information sharing among member states. Additionally, NIS2 encourages collaboration between the public and private sectors, which can lead to improved situational awareness across industries. Beyond risk detection and management, improved cybersecurity under NIS2 will also improve the reliability of services and operations. More specifically, organizations can better avoid the threat of ransomware and other cybercrimes, avoiding interruptions to revenue.
🧑‍⚖️ Fulfilled legal obligations
Given the directive’s integration into member states’ national laws, organizations can only avoid legal repercussions by complying with the directive’s requirements.
💰 Prevention of the financial and reputational risks of non-compliance
Non-compliance results in penalties of up to €10,000,000 or 2% of your global annual revenue, whichever is higher. National supervisory authorities can also issue threat notifications to your customers, eroding consumer trust. You should ensure that you meet the requirements of NIS2 to avoid financial consequences and maintain customer trust.
Key updates from NIS to NIS2
The NIS2 Directive differs from the original NIS (or NIS1) in several key respects.
Broader Scope of Covered Entities
NIS2 applies to more sectors than its earlier iteration. For the full list of sectors covered by the NIS2 Directive, see the table below:
NIS 1 Directive | NIS 2 Directive |
Energy | Energy |
Drinking water supply and distribution | Drinking water, Wastewater |
Digital infrastructure | Digital infrastructure |
Health sector | Health |
Banking, financial market infrastructures | Banking, Financial market infrastructures |
Transport | Transport, Space (partial), Postal and courier services |
| Production, processing, and distribution of food |
| Waste management |
| ICT service management (B2B) |
| Public administration |
| Manufacture, production, and distribution of chemicals |
| Manufacturing |
| Digital providers |
| Research |
Does your organization need to comply with NIS2? It does if it meets the following criteria:
- Location – If you provide services or carry out activities in any EU member country
- Size – If your organization has at least 50 employees and earns at least 10 million euros in annual revenue
- Industry – If you operate in any of the sectors listed above
Additionally, covered organizations are classified as “essential” or “important” entities, with differing penalties for each category.
Essential services are classified as such because the disruption of their operations would significantly impact the economy. NIS2 defines the category as follows:
- Large enterprises that are part of the list of sectors covered by NIS2
- Trust service providers
- DNS service providers
- Public electronic communication networks
- Public administration entities
- Entities covered in the Critical Entities Resilience Directive (EU) 2022/2557
- Entities specified by member states
While not as critical as essential services, important services still have a significant role in society. Your organization may be an “important” entity if it doesn’t fall under the “essential” category but still meets all three criteria mentioned above.
Enhanced Cybersecurity Standards
Organizations must meet these enhanced NIS2 requirements to mitigate cyber threats:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management, disaster recovery, and crisis management
- Supply chain security
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and encryption
- Human resource security, access control policies, and asset management
- Use of multi-factor authentication or continuous authentication solutions; secured voice, video, and text communications; and secured emergency communication systems
In addition to these measures, organizations must consider the vulnerabilities specific to their direct suppliers and service providers. They must also submit the following reports of security incidents:
Type of report | Deadline |
Incident notification | Within 24 hours of becoming aware of a significant security incident |
Assessment report | Within 72 hours of becoming aware of a significant security incident |
Status updates | Upon request of a CSIRT or national authority |
Final report | No later than one month after submission of the incident notification |
Increased Accountability and Penalties
NIS2 outlines non-compliance penalties for essential and important entities. Fines will vary depending on the Member State, though NIS2 specifies a minimum list of administrative sanctions.
Non-monetary penalties
Under NIS2, national supervisory authorities have the right to enforce these penalties:
- Compliance orders
- Binding instructions
- Security audit implementation orders
- Threat notification orders to customers
Monetary penalties
Administrative fines differ based on category. Penalties may vary based on Member States, but the maximum fine levels are listed below.
Category | Maximum Fine Level |
Essential entities | €10,000,000 or 2% of the global annual revenue, whichever is higher |
Important entities | €7,000,000 or 1.4% of the global annual revenue, whichever is higher |
Cybersecurity compliance effect
Meeting the NIS2 requirements can severely impact how your organization operates. An impact proposal prepared by the European Commission estimates that companies will need an increase in budget of up to 22% to account for NIS2’s requirements. Of course, the cost of non-compliance is even higher.
However, reducing cybersecurity incidents may offset the costs of preparing for NIS2. ENISA’s 2020 NIS investments report found that the EU's essential services and digital service providers spent 41% less on cybersecurity than their US counterparts.
Another change that businesses must accommodate is the increase in cybersecurity training for management and employees. These training sessions should cover topics like password management, phishing, and ransomware.
Additionally, the organization must observe common cyber hygiene practices at all levels. For instance, NIS2 requires strict policies regulating access to data. Organizations need to employ role-based access and conduct regular reviews of access permissions.
Communication methods also need to be encrypted to prevent interception. These include text, voice, and video communication.
Vendor relationships may also change under NIS2 implementation, as organizations must assess their vendors’ security practices and develop solutions to address vulnerabilities.
Lastly, organizations must observe regular evaluations of security measures to reduce cybersecurity risks further. This includes vulnerability assessments, penetration testing, and more.
Steps to prepare for NIS2 compliance
How can you prepare your company for NIS2 compliance? Review the steps below.
1. Assess applicability of NIS2 requirements
Determine whether your organization falls under the NIS2 Directive by evaluating your sector and the nature of your services.
2. Understand jurisdiction
Familiarize yourself with the regulatory framework in your country. Different EU member states may have varying implementations of the directive, so understanding local laws is crucial.
3. Implement cybersecurity risk management
Establish a comprehensive risk management framework that identifies, assesses, and mitigates cyber risks. This involves conducting regular risk assessments and updating security measures accordingly.
4. Strengthen supply chain security
Review the cybersecurity practices of your suppliers and partners. Under NIS2, organizations are also responsible for identifying and responding to vulnerabilities in vendor security.
5. Develop an incident response plan
Create a clear, actionable incident response plan that outlines procedures for identifying, responding to, and recovering from a cyber security incident.
6. Engage senior management
Enlist leadership in fostering a culture of cybersecurity and in making strategic decisions, from resource allocation to overall cybersecurity governance. Ensure that management is involved in cybersecurity training and that they know NIS2 holds them accountable in case of significant cybersecurity issues.
Preparing for NIS2 can add costs and negatively impact your operations. How can you mitigate the consequences of NIS2 while still complying with the directive?
CyberUpgrade solutions to help organizations achieve NIS2 compliance
CyberUpgrade can accelerate your NIS2 compliance preparation by providing proactive cybersecurity and compliance support. Utilizing the technology of CISO Copilot, the CyberUpgrade guided ICT compliance software, and the CoreGuardian monitoring dashboard, this service substantially covers the NIS2 Directive’s requirements for organizations:
- Cybersecurity assessment
- Policy and procedure documentation
- Cybersecurity training for all personnel
- Installation of necessary cybersecurity measures
- Incident plan development
Led by a team of CISOs and compliance professionals, CyberUpgrade specializes in ISO 27001, the Digital Operational Resilience Act (DORA), and NIS2 compliance. Jumpstart your cybersecurity readiness and secure your long-term business sustainability with CyberUpgrade.
FAQ
What are the requirements of NIS2?
NIS2 requires organizations to provide risk management measures, incident reporting, supply chain security, and security audits.
What businesses does NIS2 apply to?
NIS2 applies to essential and important sectors, including energy, transport, health, digital services, and public administration.
How to comply with NIS2?
Organizations must assess their cybersecurity infrastructure, implement security measures, prepare for supply chain vulnerabilities, develop incident response plans, and engage senior management in the company’s cybersecurity.
What are the penalties for noncompliance with NIS2?
Non-compliance with NIS2 can result in fines of up to €10,000,000 or 2% of the global annual revenue, whichever is higher (for essential entities) or up to €7,000,000 or 1.4% of the global annual revenue, whichever is higher (for important entities).
What are the requirements for incident response in NIS2?
Under NIS2, organizations must submit an incident report within 24 hours of awareness of the event, an assessment report within 72 hours of the first report, and a final report within one month of the first.