What is NIS2 and what does it mean for my organization?

The digital world is facing a more complex threat environment, with cyber-attacks becoming more frequent and sophisticated. Recognizing the need for a stronger and more unified approach to cybersecurity, the European Union (EU) has introduced the Network and Information Security 2 (NIS2) Directive. This directive aims to strengthen the cybersecurity posture of essential and important organizations across EU member states, ultimately contributing to a more secure digital landscape for both businesses and consumers.

What is the NIS2 directive?

The NIS2 Directive is a legislative framework enacted by the EU to improve cybersecurity resilience across all member states. It builds upon the original NIS Directive, introduced in 2016, and includes key changes and updates to reflect the evolving cyber threat landscape.

At its core, the NIS2 directive aims to protect critical organizations and infrastructure within the EU from cyber threats, achieving a high level of common security across the bloc. It sets out comprehensive rules and guidelines for how organizations should manage and reduce cybersecurity risks related to their networks and information systems. This includes, for example, reporting incidents, protecting data, and managing cybersecurity risks. To learn more about how to develop a solid cybersecurity plan for your business, read our blog post on cybersecurity best practices.

Does NIS2 affect my organization?

The scope of the NIS2 Directive is broader than its predecessor, and it now applies to a wider range of organizations than the original NIS Directive. While the original directive mainly focused on operators of essential services such as energy, transport, and banking, NIS2 now extends its reach to include important entities from a greater range of sectors. Examples include healthcare, wastewater management, digital service providers, and specific online marketplaces.

To determine if NIS2 applies to your organization, you need to consider two main factors: the sector your organization operates in and its size. If you need help determining whether your organization falls under the scope of NIS2, consider hiring a specialized NIS2 consultant.

18 sectors in NIS2

The NIS2 Directive covers 18 sectors, categorized as 'highly critical' and 'other critical'. Note that organizations in both categories have to meet the same security requirements. The difference lies in how important and essential organizations will be supervised and penalized for noncompliance. Here's a breakdown:

Highly critical sectors

  • Energy
  • Transport
  • Banking
  • Financial Market Infrastructure
  • Health
  • Drinking Water
  • Waste Water
  • Digital Infrastructure
  • ICT Service Management
  • Public Administration
  • Space

Other critical sectors

  • Postal and Courier Services
  • Waste Management
  • Manufacture, Production, and Distribution of Chemicals
  • Production, Processing, and Distribution of Food
  • Manufacturing
  • Digital Providers
  • Research

Essential vs. important entities

Within these sectors, NIS2 further distinguishes two categories of entities: 'essential' and 'important' entities.

Essential entities

Essential entities generally include larger organizations (over 250 employees or with over €50 million in annual turnover) operating in sectors deemed highly critical.

Important entities

Important entities typically encompass medium-sized organizations (over 50 employees or with over €10 million in annual turnover) within the 'other critical' sectors.

Small enterprises with fewer than 50 employees and a turnover below €10 million aren't automatically excluded. Member states have the leeway to categorize them as either 'essential' or 'important' if their services have a significant impact on society, public health, or safety. Essential entities are supervised proactively to ensure they meet NIS2's requirements, while important entities are investigated only upon receiving a complaint.

What if my organization is outside the EU?

Even if your organization is not located within the EU, it still needs to comply with the NIS2 Directive if it provides services within the EU and falls under its scope based on the sectors and size limitations mentioned above.

Non-EU entities providing services in the EU must designate a representative within an EU member state where their services are offered. This representative will be responsible for managing the organization's NIS2 compliance, such as reporting security incidents.

What if NIS2 doesn't apply to my organization?

If your organization isn't within the scope of NIS2, you might not face immediate penalties or compliance steps. However, aligning your security measures with the directive is still a good practice. Here's why:

  • NIS2 promotes a high level of cybersecurity even for organizations outside its scope by encouraging countries to implement similar risk management measures.
  • The directive's wide scope requires organizations to ensure their suppliers are also secure, meaning many companies will indirectly comply with NIS2 due to their relationships with compliant organizations.

Essentially, the risk management and cybersecurity measures outlined in NIS2 are likely to become the standard. By proactively adapting your security to meet the directive's minimum security measures, you make it easier to work with other companies and signal to your customers that your practices are trustworthy. For more information on how to manage vendors effectively, read our blog post on vendor management.

NIS2 requirements

The NIS2 Directive sets clear requirements for minimum security measures, incident reporting timelines, and penalties for noncompliance. It has three general objectives:

  1. Increased cyber resilience across providers of essential services
  2. More streamlined cyber resilience via stricter security requirements and penalties for violations
  3. Improved preparedness for the EU in dealing with cyber-attacks

To achieve these objectives, NIS2 provides new guidelines related to security, corporate accountability, reporting, and business continuity.

One of the key elements of NIS2 is the requirement for organizations to implement appropriate and proportional risk management actions to prevent security incidents and minimize their impact. The directive recommends an 'all-hazards approach' to address risks stemming from human error, system failures, malicious actors, natural disasters, and the physical and environmental security of systems. You can find skilled risk managers and risk officers through Right People Group.

For organizations new to a formal cybersecurity program, experts recommend starting with a risk assessment. This allows you to develop a plan for identifying your organization's risk landscape: the likelihood of specific events, their impact if they occur, and the controls already in place. Once you understand your risk landscape, you can begin to prioritize efforts and allocate resources effectively.

In addition to the overall focus on a risk-based approach, the directive also outlines ten specific areas (also referred to as "baseline measures") that organizations must address. These include:

10 minimum security measures

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, including backup management, disaster recovery, and crisis management
  4. Supply chain security, including security-related matters concerning the relationships between entities and their direct suppliers or service providers
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Good cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and encryption when appropriate
  9. Human resources security, access control policies, and asset management
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity - where appropriate

New reporting requirements

In case of a security incident, organizations must follow strict reporting procedures. NIS2 outlines clear guidelines for incident reporting:

  • Within 24 hours of becoming aware: Submit an early warning to the Computer Security Incident Response Team (CSIRT) or the national authority. This notification should indicate whether the incident is believed to be caused by malicious or unlawful conduct and if it will likely have cross-border consequences.
  • Within 72 hours of becoming aware: Submit an incident notification, providing an update to the early warning with an initial assessment of the incident's severity, impact, and indicators of compromise.
  • Within one month of becoming aware: Submit a final report providing a detailed description of the incident, its severity, impact, cause, applied and ongoing mitigation measures, and the cross-border impact.

Higher sanctions for NIS2 violations and increased supervision

The NIS2 Directive emphasizes enforcing these requirements by establishing minimum financial penalties for organizations that fail to meet the security risk management or reporting requirements. The directive distinguishes between essential and important entities when applying penalties.

Essential entities can face fines of at least €10 million or 2% of their total global revenue for the preceding financial year, whichever is higher. This penalty aligns with the fines imposed for less severe violations under the General Data Protection Regulation (GDPR). You can find skilled data privacy officers through Right People Group.

Important entities can face fines of at least €7 million or 1.4% of their total global revenue for the previous financial year, whichever is higher.

Supervisory measures under NIS2 can include audits, on-site inspections, and requests for NIS2 compliance information and documentation. If a breach is identified, organizations might face fines, non-monetary penalties such as compliance orders, or even actions taken against management.

Enforcement will mainly be handled by the country where the organization is established, with some exceptions for those within the digital infrastructure sector.

How to prepare for the NIS2 directive

Organizations within the scope of the NIS2 Directive need to fully comply with the new security measures by October 18, 2024. The European Commission will issue further guidance and technical requirements for some sectors by October 17, 2024. If NIS2 applies to your organization, now is the time to start preparations! Even if you aren't directly affected by NIS2, it's still a good idea to consider its requirements, especially if you partner with companies needing to demonstrate compliance.

A good first step towards compliance is conducting a risk assessment, as discussed above. You can then use the resulting understanding of your own risk landscape to develop or update your security policies and begin putting security measures in place. Make sure your new or enhanced policies address all ten of the baseline security requirements outlined in the NIS2 Directive. Make sure to also understand your supply chain and any dependencies on third-party suppliers. As the final stage of your preparation process, remember to include regular evaluation of your security measures and overall security awareness program to ensure that they remain effective as new threats emerge. For more information on how to maintain IT security when working with remote consultants, read our blog post on IT security for remote teams.

Conclusion

The NIS2 Directive marks a significant step in the ongoing efforts to establish a more secure digital landscape for businesses and consumers within the EU. While compliance is mandatory for organizations within its scope, embracing its principles and security measures broadly across all sectors can contribute to a more resilient and secure digital economy. If you're looking for skilled IT security consultants to help you prepare for NIS2, contact Right People Group today.
