The European Union (EU) is well-known as a region that takes cybersecurity and data privacy very seriously, thanks to the General Data Protection Regulation (GDPR). Five years after the GDPR came into force, the EU continues to lead the way with cybersecurity regulations, this time with the Network and Information Security 2 (NIS2) Directive.
The NIS was the first-ever EU-wide cybersecurity legislation. Its chief goal was to help EU Member States develop advanced standard cybersecurity capabilities that would enable them to withstand cyber threats, avoid cyberattacks, and secure their information systems.
The NIS2 expands the scope of the original NIS and obliges more entities and sectors in the EU to implement its required cybersecurity measures. It also addresses the security of supply chains, includes stricter enforcement requirements, and streamlines incident reporting obligations across the EU. Through these updates, the NIS2 aims to raise the long-term level of cybersecurity in the EU.
Over the past decade, cyberattacks have affected numerous European countries, businesses, and critical sectors. These incidents prompted the EU to develop and implement an EU-wide cybersecurity ecosystem. The NIS legislation on cybersecurity represented one of the first steps toward creating this ecosystem. Adopted in 2016 and subsequently transposed by the Member States, the NIS aimed to ensure a high common level of cybersecurity across the EU. It included numerous legal measures to boost the EU’s overall cybersecurity posture.
All in all, the ideas proposed by the NIS were sound. However, its implementation proved very difficult, mainly because Member States implemented its requirements differently. These differences increased the compliance burden on companies operating in more than one Member State. Ineffective enforcement also limited the cyber-resilience achievable – and achieved – by Member States.
The NIS also failed to prepare the EU for the changing threat landscape or improve situational awareness at a bloc-wide level. Further, it couldn’t help Member States implement effective measures to minimize cyber threats, prepare for future cyber challenges, or improve their overall cyber resilience.
These challenges highlighted the need to enlarge the scope of NIS, clarify its applicability, and unify the rules on cybersecurity risk management and incident reporting. These needs, combined with an open public consultation (OPC) of the original NIS directive, resulted in the development of the NIS2 directive.
In a nutshell, the chief aim of the NIS2 directive is to increase the cybersecurity of critical infrastructure and digital services in the EU and ensure their resilience against known and emerging cyber threats.
The NIS2 strengthens the security requirements stated in the original NIS. It also tackles the limitations of the NIS that created the issues highlighted in the previous section. By expanding the scope of the NIS and by setting the below objectives for the EU, the NIS2 aims to strengthen the EU’s long-term cybersecurity capabilities:
Cooperation between Member States is a particularly important aim of the NIS2. Through such cooperation, the directive is expected to eliminate the problems related to inconsistent implementation that plagued the NIS. To ensure cooperation, the NIS2 formally establishes EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network), which enables the coordinated management of large-scale, EU-wide cybersecurity incidents and crises. In addition, the directive gives more decision-making powers to the NIS Cooperation Group and helps increase information exchange between EU Member States.
The NIS2 directive introduces new requirements and obligations for EU organizations to collectively help protect the EU’s critical infrastructure and bolster its cybersecurity strength and resilience. These requirements and obligations are stated more precisely than before, to eliminate the differing interpretations that led to implementation problems and increased cybersecurity risk under the NIS. They fall under four overarching areas:
The NIS2 requires in-scope entities to implement technical, operational, and organizational measures to manage their cyber risks and protect their assets, such as incident handling processes, stronger network security controls, robust access controls, supply chain security, and data encryption.
Under the NIS2, an entity’s management body must approve and oversee the implementation of its cybersecurity risk-management measures. Its members must also receive training so that they can identify risks and assess how these measures reduce the organization’s cyber risk. If the entity fails to meet these obligations, the management body can be held liable for the infringement; in essential entities, the responsible natural persons may additionally be temporarily banned from exercising managerial functions.
The NIS2 harmonizes the rules on cybersecurity incident reporting. It also aims to balance fast reporting (to avoid the spread of an incident) and in-depth reporting (to draw valuable lessons from the incident).
The directive adopts a multiple-stage reporting approach for significant incidents. Entities that suffer such an incident must submit an initial “early warning” within 24 hours of becoming aware of it to the competent national authority or the national Computer Security Incident Response Team (CSIRT). They must then submit an incident notification within 72 hours of becoming aware of the incident, and a final report no later than one month after that notification. The authority or CSIRT may also request intermediate status updates in the meantime.
All organizations must have a plan to ensure business continuity in the event of a cyber incident or crisis. This plan should clearly state how the entity will manage the crisis, particularly regarding system and information recovery, systems access, data backup, emergency procedures, incident handling, and crisis response. It should also mention how the entity will manage its operations during and after the incident.
In addition to these four overarching areas, the NIS2 directive specifies certain baseline security measures that essential and important entities must implement. These measures, meant to reduce risk and minimize the possibility of cyberattacks, include:
Applicability of NIS2
Generally, all medium-sized and large entities operating in the sectors covered by the NIS2 directive, or providing the services it covers, fall under its scope and will be affected by its rules and requirements. The directive introduces a “size-cap rule” to determine which entities are in scope. Whether an in-scope entity is classified as “essential” or “important” then depends on its sector (the directive lists sectors of high criticality and other critical sectors in separate annexes) and on its size.
Essential sectors/entities           | Important sectors/entities
Energy                               | Postal and courier services
Transportation                       | Waste management
Banking                              | Chemicals
Financial services and markets       | Food
Healthcare                           | Medical device manufacturers
Drinking water and waste water       | Computers
Digital infrastructure               | Electronics
Public administration                | Machinery
Space                                | Vehicles
Pharmaceuticals (including vaccines) | Digital providers
From the NIS2 perspective, these entities fall under the jurisdiction of the Member State in which they are established, not of the Member State in which they provide their services. An entity with establishments in several Member States therefore falls under the jurisdiction of each of them. The directive makes an exception for certain digital service providers (for example DNS, cloud, data centre, managed service and online marketplace providers), which are subject to the jurisdiction of the Member State of their main establishment in the EU.
The NIS2 directive also applies to public administration entities at the central and regional levels. In addition, it may also apply at a local level if Member States so choose.
Certain EU entities are excluded from the scope of the NIS2. These are:
Following the political agreement reached earlier in 2022, the NIS2 was formally adopted by the European Parliament and the Council of the EU in November 2022. Both legislators signed the text in December 2022, and the directive entered into force on 16 January 2023. The 27 EU Member States have until 17 October 2024 to transpose it into national law.
All EU entities that have digital operations and face cybersecurity risk must be aware of this deadline and implement the NIS2 requirements before then, particularly if they qualify as essential or important entities under the NIS2’s definitions. The compliance process can take around 12 months. As of May 2023, EU entities that will fall under the purview of NIS2 have 17 months to complete the process.
This process will require them to complete several activities related to:
The requirements of the NIS2 are legally binding on the entities that fall under its purview. Member States must penalize non-compliant entities with effective, proportionate, and dissuasive penalties, including administrative fines. Essential entities that fail to comply may be fined up to €10 million or 2% of their total worldwide annual turnover, whichever is higher. Important entities that fail to comply may be fined up to €7 million or 1.4% of their total worldwide annual turnover, whichever is higher. In addition, if an essential entity does not remedy its non-compliance within a set deadline, the competent authority may temporarily suspend a certification or authorisation covering the relevant services until the entity meets the NIS2 requirements.
The directive places additional responsibility on enterprise management bodies to meet its requirements and comply with its obligations and provisions. Here, “management bodies” means the persons who direct the entity, including senior and C-suite management. Management bodies that fail to comply with the NIS2 can be held liable for the infringement, and Member State law may add criminal sanctions. If gross negligence is proven after a cyber incident, responsible managers may be held personally liable. In case of repeated violations at an essential entity, the natural persons with managerial responsibility, such as the CEO or legal representative, may be temporarily banned from exercising management functions.
Apart from administrative fines and non-monetary remedies, the NIS2 leaves it to Member States to provide for criminal penalties against non-compliant organizations and their management under national law. In addition, national supervisory authorities are authorized to designate a monitoring officer with defined tasks for a set period. They may also order the entity to carry out security audits, to notify the natural or legal persons affected by a significant cyber threat, and to make aspects of compliance violations public (including identifying the legal and natural persons responsible for the violation).
The goal of all these strict measures is twofold: i) to increase accountability for implementing the directive’s required cybersecurity measures at the organizational level and ii) to prevent gross negligence in enterprise cyber risk management.
Implementing the various requirements of the NIS2 and maintaining compliance with the directive can be time-consuming and even overwhelming. Working with an external cybersecurity and compliance team of NIS2 experts like ForeNova can help reduce that burden.
ForeNova’s NIS2 specialists can assist you with every aspect of NIS2 compliance, from determining whether you fall under the directive’s scope to preparing a compliance plan, evaluating your security measures, and amending your security policies. We will also prepare your asset inventory, assess your network, and implement controls to reduce your attack surface and prevent data breaches. If you require 24/7 threat detection and response, we can provide that as well.
We can review all applicable regulations with you and map our capabilities to the NIS2 requirements. With our experience in helping customers such as hospitals meet the NIS2, we can offer a transparent process and an efficient road to NIS2 compliance.
Contact us at support@forenova.com to get started with NIS2 implementation – before it’s too late.