
What is NIS2 and why should CEOs and CTOs care?

The NIS2 Directive aims to promote improved cybersecurity across critical sectors in European Union (EU) member states. Although it may seem like a burden to prepare for, the NIS2 regulation strengthens cybersecurity across critical sectors in the EU.

The EU NIS2 Directive is a response to growing cybercrime rates in Europe and worldwide. By following NIS2 guidelines and reinforcing your organization’s cybersecurity infrastructure, you can solidify business continuity and growth while avoiding the financial consequences of non-compliance and cybercrime.

By October 17, 2024, EU countries must transpose the NIS2 Directive into national legislation. This means organizations are required to comply starting the next day. Failing to meet NIS2 requirements can result in penalties of up to €10,000,000. Additionally, senior management will now be held personally accountable for non-compliance.

Is it still possible to prepare for the NIS2 Directive in time, with little to no impact on your operations? Fortunately, the answer is yes. Read on to find out what the NIS2 directive is, why it’s beneficial for your company, and how you can easily meet its requirements.

NIS2 Directive Overview

The NIS2 Directive (officially Directive (EU) 2022/2555) revises and replaces the 2016 Network and Information Systems (NIS) Directive. NIS was the first piece of cybersecurity legislation the EU passed, and it introduced legal measures to boost the union’s cybersecurity. It also established key cybersecurity bodies, such as the NIS Cooperation Group and Computer Security Incident Response Teams (CSIRTs).

The NIS2 Directive was written to address evolving cyber threats: it improves on its predecessor and strengthens cybersecurity for critical infrastructure, providers of digital services, and other crucial sectors.

Compared to NIS1, the NIS2 Directive imposes stricter security and reporting requirements on organizations. For instance, under NIS2, organizations must have a comprehensive incident response plan and must report security incidents to the relevant authorities and stakeholders.

Compliance with the NIS2 Directive is essential for avoiding penalties for non-compliance, ensuring operational longevity, and gaining customer trust. In the next section, we discuss the benefits of NIS2 compliance in further detail.

Cybernews pro tip

Getting NIS2 compliant takes a lot of time and effort across your whole organization. Use CyberUpgrade to get NIS2 compliance in 2 months. You'll get a powerful compliance platform + a dedicated team of experienced CISOs.

Why NIS2 compliance is important

The NIS2 Directive promotes best practices in cyber hygiene and data handling. As such, compliance with its requirements can be beneficial for organizations.

Below are just a few of the advantages of complying with the NIS2 Directive:

🧑‍💻 Strengthened cybersecurity and data protection

Under the NIS2 Directive, companies must implement risk management measures, conduct regular employee training, and adhere to the stringent standards outlined in the directive.

Despite its cost, compliance with EU NIS2 ensures that your organization meets the latest cybersecurity standards. Adopting these measures allows companies to mitigate cyber risks, identify weak spots in security systems, and better protect sensitive data. Most importantly, achieving NIS2 compliance avoids penalties while strengthening your organization's cybersecurity posture.

⚔️ Improved transparency and resilience in managing cyber risks

The directive enhances transparency in managing cyber risks, since NIS2 imposes stricter reporting obligations and promotes information sharing among member states. Additionally, NIS2 encourages collaboration between the public and private sectors, which can lead to improved situational awareness across industries.

In addition to risk detection and management, improved cybersecurity under NIS2 will improve the reliability of services and operations. More specifically, organizations can better avoid the threat of ransomware and other cybercrimes, avoiding interruptions to revenue.

🧑‍⚖️ Fulfilled legal obligations

Given the directive’s integration into member states’ national laws, organizations can only avoid legal repercussions by complying with the directive’s requirements.

💰 Prevention of financial and reputational risks of non-compliance

Non-compliance results in penalties of up to €10,000,000 or 2% of your global annual revenue, whichever is higher. National supervisory authorities can also order threat notifications to your customers, eroding consumer trust.

You should ensure that you meet the requirements of NIS2 to avoid financial consequences and maintain customer trust.

Key updates from NIS to NIS2

The NIS2 Directive differs from the original NIS (or NIS1) in several key respects.

Broader Scope of Covered Entities

NIS2 applies to more sectors than its earlier iteration. For the full list of NIS2 Directive applicable sectors, see the table below:

NIS 1 Directive                            | NIS 2 Directive
-------------------------------------------|--------------------------------------------------------
Energy                                     | Energy
Drinking water supply and distribution     | Drinking water, Wastewater
Digital infrastructure                     | Digital infrastructure
Health sector                              | Health
Banking, financial market infrastructures  | Banking, Financial market infrastructures
Transport                                  | Transport, Space (partial), Postal and courier services
                                           | Production, processing, and distribution of food
                                           | Waste management
                                           | ICT service management (B2B)
                                           | Public administration
                                           | Manufacture, production, and distribution of chemicals
                                           | Manufacturing
                                           | Digital providers
                                           | Research

Does your organization need to comply with NIS2? It does if it meets the following criteria:

  1. Location – If you provide services or carry out activities in any EU member country
  2. Size – If your organization has at least 50 employees and earns at least 10 million euros in annual revenue
  3. Industry – If you operate in any of the sectors listed above

Additionally, covered entities are classified as either “essential” or “important”, with differing penalties for each category.

Essential services are classified as such because the disruption of their operations would significantly impact the economy. NIS2 defines the category as follows:

  • Large enterprises that are part of the list of sectors covered by NIS2
  • Trust service providers
  • DNS service providers
  • Public electronic communication networks
  • Public administration entities
  • Entities covered in the Critical Entities Resilience Directive (EU) 2022/2557
  • Entities specified by member states

While not as critical as essential services, important services still have a significant role in society. Your organization may be an “important” entity if it doesn’t fall under the “essential” category but still meets all three criteria mentioned above.

Enhanced Cybersecurity Standards

Organizations must meet these enhanced NIS2 requirements to mitigate cyber threats:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, such as backup management, disaster recovery, and crisis management
  • Supply chain security
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and encryption
  • Human resource security, access control policies, and asset management
  • Use of multi-factor authentication or continuous authentication solutions; secured voice, video, and text communications; and secured emergency communication systems

In addition to these measures, organizations must consider the vulnerabilities specific to their direct suppliers and service providers. They must also submit the following reports of security incidents:

Type of report         | Deadline
-----------------------|-----------------------------------------------------------------------
Incident notification  | Within 24 hours of becoming aware of a significant security incident
Assessment report      | Within 72 hours of becoming aware of a significant security incident
Status updates         | Upon request of a CSIRT or national authority
Final report           | No later than one month after submission of the incident notification
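The reporting timeline above is the one piece of NIS2 an incident-response team has to track against a clock. The following tracker is an added example, not code from the article or from CyberUpgrade: it derives each deadline from the moment the organization became aware of the incident, starts the final-report clock only once the incident notification has actually been submitted, and clamps "one month" to the last day of the following month so a notification sent on 31 January is not due on a non-existent 31 February. All timestamps are constructed sample values.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc

def add_one_month(t: datetime) -> datetime:
    """Same calendar day one month later, clamped to the month's last day
    (31 Jan -> 28 Feb), so the deadline never slips into a third month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

@dataclass
class Nis2Deadlines:
    incident_notification: datetime   # 24 h after becoming aware of the incident
    assessment_report: datetime       # 72 h after becoming aware of the incident
    final_report: Optional[datetime]  # one month after the notification is submitted
    # Status updates are produced on request of the CSIRT or national authority,
    # so they carry no fixed clock and are not tracked here.

def nis2_deadlines(aware_at: datetime, notified_at: Optional[datetime] = None) -> Nis2Deadlines:
    """Derive the deadlines from the awareness time; the final-report clock only
    starts once the incident notification has actually been submitted."""
    return Nis2Deadlines(
        incident_notification=aware_at + timedelta(hours=24),
        assessment_report=aware_at + timedelta(hours=72),
        final_report=add_one_month(notified_at) if notified_at else None,
    )

def overdue_reports(d: Nis2Deadlines, submitted: Dict[str, datetime], now: datetime) -> List[str]:
    """Reports submitted after their deadline, or still unsubmitted and past due."""
    due = {"incident_notification": d.incident_notification,
           "assessment_report": d.assessment_report,
           "final_report": d.final_report}  # None until the notification has gone out
    return [name for name, limit in due.items()
            if limit is not None and submitted.get(name, now) > limit]

def demo() -> Tuple[str, List[str]]:
    """Constructed sample: aware on 30 Jan 2025 10:00 UTC, notification sent the next
    morning, assessment report still missing on 3 Feb, which is past the 72 h limit."""
    aware = datetime(2025, 1, 30, 10, 0, tzinfo=UTC)
    sent = {"incident_notification": datetime(2025, 1, 31, 9, 0, tzinfo=UTC)}
    d = nis2_deadlines(aware, sent["incident_notification"])
    late = overdue_reports(d, sent, datetime(2025, 2, 3, 12, 0, tzinfo=UTC))
    return d.final_report.isoformat(), late

if __name__ == "__main__":
    print(demo())  # ('2025-02-28T09:00:00+00:00', ['assessment_report'])
```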

Increased Accountability and Penalties

NIS2 outlines non-compliance penalties for essential and important entities. Fines will vary depending on the Member State, though NIS2 specifies a minimum list of administrative sanctions.

Non-monetary penalties

Under NIS2, national supervisory authorities have the right to enforce these penalties:

  • Compliance orders
  • Binding instructions
  • Security audit implementation orders
  • Threat notification orders to customers

Monetary penalties

Administrative fines differ by category. Penalties may vary by Member State, but the maximum fine levels are listed below.

Category            | Maximum fine level
--------------------|------------------------------------------------------------------
Essential entities  | €10,000,000 or 2% of global annual revenue, whichever is higher
Important entities  | €7,000,000 or 1.4% of global annual revenue, whichever is higher

Cybersecurity compliance effect

Meeting the NIS2 requirements can significantly change how your organization operates. An impact assessment prepared by the European Commission estimates that companies will need to increase their cybersecurity budget by up to 22% to account for NIS2’s requirements. Of course, the cost of non-compliance is even higher.

However, a reduction in cybersecurity incidents may offset the costs of preparing for NIS2. ENISA’s 2020 NIS investments report found that the EU's essential services and digital service providers spent 41% less on cybersecurity than their US counterparts.

Another change that businesses must accommodate is the increase in cybersecurity training for management and employees. These training sessions should cover topics like password management, phishing, and ransomware.

Additionally, the organization must observe common cyber hygiene practices at all levels. For instance, NIS2 requires strict policies regulating access to data. Organizations need to employ role-based access and conduct regular reviews of access permissions.

Communication methods also need to be encrypted to prevent interception. These include text, voice, and video communication.

Vendor relationships may also change under NIS2 implementation, as organizations must assess their vendors’ security practices and develop solutions to address vulnerabilities.

Lastly, organizations must carry out regular evaluations of their security measures to reduce cybersecurity risks further. This includes vulnerability assessments, penetration testing, and more.

Steps to prepare for NIS2 compliance

How can you prepare your company for NIS2 compliance? Review the steps below.

1. Assess applicability of NIS2 requirements

Determine whether your organization falls under the NIS2 Directive by evaluating your sector and the nature of your services.

2. Understand jurisdiction

Familiarize yourself with the regulatory framework in your country. Different EU member states may have varying implementations of the directive, so understanding local laws is crucial.

3. Implement cybersecurity risk management

Establish a comprehensive risk management framework that identifies, assesses, and mitigates cyber risks. This involves conducting regular risk assessments and updating security measures accordingly.

4. Strengthen supply chain security

Review the cybersecurity practices of your suppliers and partners. Under NIS2, organizations are also responsible for identifying and responding to vulnerabilities in vendor security.

5. Develop an incident response plan

Create a clear, actionable incident response plan that outlines procedures for identifying, responding to, and recovering from a cyber security incident.

6. Engage senior management

Enlist leadership in fostering a culture of cybersecurity and making strategic decisions, from resource allocation to overall cybersecurity governance. Ensure that management takes part in cybersecurity training and understands that NIS2 holds them accountable in case of significant cybersecurity failures.

Preparing for NIS2 can add costs and negatively impact your operations. How can you mitigate the consequences of NIS2 while still complying with the directive?

CyberUpgrade solutions to help organizations achieve NIS2 compliance

CyberUpgrade can accelerate your NIS2 compliance preparation by providing proactive cybersecurity and compliance support. Utilizing the technology of CISO Copilot, the CyberUpgrade guided ICT compliance software, and the CoreGuardian monitoring dashboard, this service substantially covers the NIS2 Directive’s requirements for organizations:

  • Cybersecurity assessment
  • Policy and procedure documentation
  • Cybersecurity training for all personnel
  • Installation of necessary cybersecurity measures
  • Incident plan development

Led by a team of CISOs and compliance professionals, CyberUpgrade is an expert in ISO 27001, the Digital Operational Resilience Act (DORA), and NIS2 compliance. Jumpstart your cybersecurity readiness and guarantee your long-term business sustainability with CyberUpgrade.
