
What is NIS2?

 

NIS2 is the second iteration of the Network and Information Systems Directive. This landmark cybersecurity legislation aims to establish a higher level of cyber resilience within organizations throughout the European Union (EU), particularly the operators of critical infrastructure and essential services.

Strictly speaking, “NIS2” is the legislation’s name, although you will also see “NIS2 compliance” and the “NIS2 Directive” in official documents. Both are acceptable, but “NIS2” is the form published in the Official Journal of the European Union.

Because NIS2 is an EU directive, each Member State must transpose it into national law by October 17, 2024, at which point all covered entities will be legally obligated to comply with its security requirements. Put simply, every EU country must make the Directive legally binding within its own borders so that it can enforce it.

At a national level, NIS2 aims to boost overall cybersecurity by:

  1. Requiring each EU member state to be prepared for an eventual cyber threat with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems authority.
  2. Increasing collaboration among member states by creating a Cooperation Group to exchange information. 
  3. Fostering a cybersecurity culture across critical infrastructure sectors that rely heavily on information and communication technology (ICT).

In short, NIS2 is designed to ensure relevant entities throughout the EU are prepared to mitigate threats with the appropriate security measures, threat intelligence, and best practices.

Compliance Solutions for NIS2

Learn about the EU legislation affecting critical infrastructure and services and how Entrust can help.

Why is NIS2 important? 

 

NIS2 represents a marked improvement on the original NIS Directive. Historically speaking, NIS 1 was Europe’s first cybersecurity legislation and also aimed to enhance cyber resilience across the region. 

Although it successfully triggered a change in mindset and improved data protection, it nevertheless faced challenges. Soon after implementation, there were varying levels of adoption throughout the European Union. Some companies were considered essential in certain countries, but not in others. These inconsistencies resulted in a confusing and fragmented compliance landscape. 

Simultaneously, the risk environment has evolved by leaps and bounds since 2016. Globally, cybercrime is growing so quickly that if it were measured as a country it’d have the world’s third-largest economy. New and increasingly sophisticated attack vectors are challenging organizations in ways previously unseen — including the use of artificial intelligence (AI). 

AI-powered phishing scams, for example, are learning how to deceive unsuspecting users and steal their login credentials with ease. And, with the advent of quantum computing, it’s only a matter of time before attackers can break many of the cryptographic algorithms in use today.

Of course, geopolitics only adds to the complexity. Russia’s war in Ukraine has given rise to politically motivated and state-sponsored cyber attacks. According to the European Union Agency for Cybersecurity (ENISA), in 2022, the vast majority of those attacks targeted public administration and governments, digital service providers, and critical infrastructure. 

Given these problems, the European Commission decided to revise the NIS Directive. The second iteration not only addresses unified implementation, but also raises the bar for cyber resilience in lockstep with the changing cyber threat landscape.

Key changes: NIS2 vs. the original NIS Directive

 

The updated NIS Directive rectifies the deficiencies of its predecessor and significantly increases the size and scale of its reach. Specifically, compared to NIS 1, it:

  • Expands the scope to include more sectors
  • Imposes harsher sanctions for noncompliance
  • Mandates more stringent cybersecurity requirements

Let’s take a closer look at the key differences between the first and second NIS Directive.

Expanded scope

The original NIS Directive applied to “operators of essential services” (OES) and “digital service providers” (DSP). NIS2 drops this distinction.

Instead, relevant entities are classified by size and type. Generally, NIS2 impacts all organizations that provide “essential or important services” to the European Union. This increases the number of covered sectors from seven to 15, thereby protecting more vital aspects of EU society.

An essential entity is a large company operating in a critical sector, such as those listed below. Here, a large entity is defined as one with at least 250 employees, an annual turnover of at least €50 million, or an annual balance sheet of at least €43 million. Per NIS2, essential services include:

  • Energy
  • Transportation
  • Finance
  • Public administration
  • Health
  • Space
  • Water supply (drinking and wastewater)
  • Digital infrastructure

By contrast, an important entity is a medium-sized enterprise operating in sectors of high criticality that don’t fall under the category of essential services. These organizations typically have at least 50 employees, an annual turnover of at least €10 million, or a €10 million balance sheet. Under NIS2, important entities include:

  • Postal services
  • Waste management
  • Chemicals
  • Research
  • Foods
  • Manufacturing
  • Digital providers

Some of the above sectors may seem to overlap, such as digital infrastructure and digital providers. The former refers to cloud services, telecommunications operators, data centers, trust services, and so on; in short, any entity that provides a digital service on which the rest of society depends.

Digital providers include more specific services, such as search engines, online markets, and social networks. They’re integral to the way people communicate and transact, but may not have drastic implications if a cyber incident renders them inoperable.

But what about operators based outside the EU? Under Article 26 of NIS2, essential and important entities fall under the jurisdiction of the EU Member State in which they provide their services. An entity that provides services in more than one Member State falls under the jurisdiction of each of them.

Stronger noncompliance penalties

NIS2 establishes much harsher penalties for noncompliance, including:

1. Non-monetary penalties

NIS2 gives national supervisory authorities the power to levy:

  • Compliance orders
  • Binding instructions
  • Security audits
  • Threat notification orders

2. Administrative fines

Exact fines can vary depending on the Member State, but the NIS Directive establishes a minimum list of sanctions. 

  • For essential entities, Member States must set a maximum fine of at least €10,000,000 or 2% of global annual revenue, whichever is higher.
  • For important entities, Member States must set a maximum fine of at least €7,000,000 or 1.4% of global annual revenue, whichever is higher.

3. Criminal sanctions on management bodies

Rather than put all the pressure of NIS2 compliance on IT departments, the Directive includes new sanctions to hold top management bodies personally liable for gross negligence in the event of a cybersecurity incident. For example, a competent authority can temporarily ban executives from holding management positions. It can also order organizations to disclose compliance violations and make a public statement identifying the person(s) responsible for the incident.

Stricter requirements

Lastly, NIS2 dramatically increases its cybersecurity requirements for relevant entities. Broadly, it mandates early incident reporting, widened risk management, and a series of minimum security measures.

What does all that mean? Let’s dive deeper into NIS2’s exact requirements.

NIS2 security requirements

 

The new Directive bolsters cyber resilience by introducing obligations across four areas:

Risk management

Organizations must adopt cybersecurity risk management measures to minimize the likelihood and impact of various cyber threat vectors. More specifically, they must implement technical, operational, and organizational precautions to mitigate risks affecting their network and information systems, thereby enhancing data protection. These may include incident management procedures, stronger supply chain security, access control systems, and encryption.

Corporate governance

Management bodies are responsible for overseeing and approving their respective organizations' cybersecurity risk management protocols and must ensure they are implemented effectively.

According to Article 20, Member States should “ensure that the members of the management bodies of essential and important entities are required to follow training,” and should encourage them to offer similar training programs to their employees consistently. The aim is to enable everyone in a given organization to identify risks and minimize exposure to the best of their ability.

Incident reporting

Critical entities must establish procedures to promptly report security incidents that significantly affect their service delivery and/or users. NIS2 classifies a “significant” security incident as one that:

  • Has caused or can lead to serious operational disruption to a critical sector
  • Has affected or can affect other natural or legal persons by causing considerable damage

Entities must notify their Member State’s competent authority (including the CSIRT) with an early warning no later than 24 hours after learning of the cyber incident. They must also submit a full incident notification no later than 72 hours after learning of it, and a final report one month after submitting the initial document.

Business continuity

NIS2 also aims to ensure business continuity after an attack. Entities are required to create a credible strategy detailing how they will respond to and recover from such incidents, with the aim of minimizing disruption quickly. Consequently, NIS2 emphasizes the adoption of cloud backup solutions.

10 baseline cybersecurity measures

Article 21 identifies 10 baseline security measures that organizations should implement to support the four overarching areas. They’re based on an “all-hazards approach” that aims to mitigate the most likely threat vectors. These measures include:

  1. Policies on risk analysis and information system security
  2. Incident response plans for handling active threats
  3. Business continuity plans, such as backup, disaster recovery, and crisis management procedures
  4. Supply chain security, including measures that address the relationship between companies and their direct suppliers or service providers
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to evaluate the effectiveness of cybersecurity risk management measures
  7. Training for cybersecurity awareness, hygiene, and best practices
  8. Policies on the use of cryptography and encryption
  9. Access control procedures, especially for employees with access to sensitive data
  10. Multi-factor authentication, continuous monitoring, and secure communication systems

NIS2 vs. other cybersecurity regulations

 

Alongside NIS2, EU operators will have to contend with numerous other regulations, including:

  • The Digital Operational Resilience Act (DORA)
  • The Critical Entities Resilience (CER) Directive
  • The Cyber Resilience Act (CRA)

How do these laws overlap? Let’s break down the details:

NIS2 vs. DORA

Both NIS2 and DORA are cybersecurity regulations, but their purposes are slightly different. DORA is specifically focused on the financial sector, whereas NIS2 covers a broader range of organizations.

According to Article 4(1) and (2) of the NIS Directive, DORA’s provisions related to ICT risk management and reporting, digital operational resilience testing, information sharing, and third-party risk shall apply instead of those outlined in NIS2. In other words, financial entities should refer to DORA for these areas and NIS2 for all other requirements.

Bottom line: DORA supersedes NIS2 for financial entities when it comes to the above security measures.

NIS2 vs. the CER Directive

The CER Directive applies to critical entities, such as energy and transport providers, guiding their defenses against non-cyber-related risks. While NIS2 focuses on cybersecurity, there may be overlaps in terms of the entities covered. In such cases, organizations will need to ensure compliance with both directives, addressing both cyber and physical resilience.

Critical entities should comply with NIS2 when it comes to cybersecurity and the CER Directive for non-cyber incidents.

NIS2 vs. CRA

The Cyber Resilience Act is a proposed piece of legislation that focuses on the cybersecurity of hardware and software products with digital elements, such as Internet-of-Things (IoT) devices. Where NIS2 focuses on enhancing the security posture of companies themselves, the CRA requires companies to prioritize the security of the products they manufacture or sell. 

Generally, the CRA complements NIS2, but doesn’t necessarily overlap or supersede it. Therefore, entities may be subject to both regulations.
