NIS 2 Compliance Deadline Arrives: What You Need to Know

As of October 17, the Network and Information Security 2 Directive will be enforced. This implies that pertinent entities operating in sectors such as energy, transport, water, healthcare, and digital infrastructure within the E.U. must adhere to the applicable regulations.

The European Parliament approved NIS 2 in November 2022 with the objective of establishing a uniform, minimum cybersecurity foundation across all E.U. member states by enforcing mandatory security measures and reporting protocols.

Entities subject to the NIS 2 Directive are required to implement “strategies to manage the risks presented to the security of network and information systems” utilized to deliver their services. They must also “prevent or reduce the consequences of incidents on recipients of their services and on other services.”

However, a survey conducted by Veeam, a data protection software provider, reveals that 66% of companies operating within the E.U. will not meet the compliance deadline. Furthermore, 90% experienced security incidents in the past year that compliance with the directive would have averted.

In response to this, TechRepublic has crafted a comprehensive guide outlining what accountable entities must comprehend about conforming with NIS 2.

Overview of the NIS 2 Directive

The NIS 2 Directive is a legislative decree applicable to medium to large-scale entities providing services or infrastructure considered “vital for the economy and society” within the E.U. Its purpose is to establish a high, unified level of cybersecurity throughout the union.

NIS 2 builds upon NIS 1, which was enacted in the E.U. in 2016. NIS 1 pertains to “operators of essential services” identified by each member state, along with major “digital service providers” such as online marketplaces, search engines, and cloud service providers. Member states are free to set their own penalties for non-compliance.

NIS 1 mandates that qualifying organizations:

  1. Enhance their network and information systems with appropriate security measures based on their risk profiles.
  2. Ensure service continuity by implementing measures to prevent and mitigate the impact of security incidents.
  3. Inform the regulator of any “significant” or “substantial” incident within 72 hours of becoming aware of it.

Compliance of operators of essential services with NIS 1 is overseen through audits conducted by authorities, whereas digital service providers are not audited but could be examined post-incident if non-compliance is suspected.

Distinguishing Features of NIS 2 compared to NIS 1

Expanding the reach of the original directive, NIS 2 encompasses critical sectors such as energy, healthcare, transport, and digital infrastructure, imposing stricter cybersecurity requisites. It also includes organizations with a minimum of 50 employees, meaning many who were exempt under NIS 1 must now adhere to NIS 2.

Moreover, NIS 2 diverges from NIS 1 in several aspects:

  • Assessment of supply chain risks must be integrated into risk evaluations, given the surge in attacks exploiting them.
  • Compulsory root-cause analysis post-incidents, rather than solely reactive measures.
  • Emphasis is placed on business continuity and disaster recovery plans that decrease disruptions.
  • Regular security audits, encompassing pen-testing and vulnerability assessments, must be carried out to ensure systems align with updated security standards.
  • Regulators have enhanced enforcement capabilities, including random audits and on-site inspections.

Designated “management bodies” within “essential” and “important” entities must approve and supervise the cybersecurity risk-management measures their firms implement, and they may be held personally accountable for violations. According to Article 20, they are also required to undergo routine cybersecurity training.

NIS 2 also introduces revised incident reporting regulations. Incidents that have or could have a “substantial impact” on a business’s services — like causing severe operational disruption, financial loss, or substantial harm to individuals or legal entities — must be reported to the computer security incident response team or other sector-specific regulators. This covers a broader range of incident types than NIS 1.

Initial alerts regarding incidents must be communicated to regulators within 24 hours, followed by detailed reports within 72 hours, and both intermediate and final reports within a month. Recipients of the service must also be informed of any service disruptions and assisted in mitigating them.

Required Minimum Risk Management Measures in NIS 2

The specific NIS 2 regulations that a company must adhere to depend on factors such as their scale, risk exposure, severity of potential incidents, and the expense of implementing security technologies.

Nonetheless, the legislation suggests the following ten risk-management measures as a minimum:

  1. Establish policies for risk analysis and information system security.
  2. Create incident response plans.
  3. Develop business continuity strategies including backup management and disaster recovery.
  4. Enhance supply chain security.
  5. Implement security in network and information systems acquisition, development, and maintenance, including managing vulnerabilities.
  6. Establish protocols and procedures to evaluate the efficacy of cybersecurity risk-management approaches.
  7. Adopt fundamental cyber hygiene practices and security training.
  8. Formulate policies governing cryptography and encryption usage.
  9. Incorporate human resources security, access control policies, and asset management.
  10. Deploy multi-factor authentication or continuous authentication solutions.

Entities Obliged to Comply with NIS 2

NIS 2 applies to entities classified as either “essential” or “important” businesses operating within the E.U. — they are not required to be headquartered within the bloc. Essential businesses face more stringent criteria compared to important businesses.

Essential businesses are large institutions within the following sectors:

  • Energy.
  • Transport.
  • Banking.
  • Financial market infrastructure.
  • Healthcare.
  • Drinking and waste water.
  • Digital infrastructure.
  • Managers of IT services.
  • Aerospace.
  • Government services.

Digital infrastructure includes certain digital service providers subject to lighter-touch regulations under NIS 1, such as cloud service providers and data center service providers.

Important businesses are medium-sized entities in the previously mentioned sectors, as well as medium or large entities in the subsequent sectors:

  • Digital providers.
  • Postal and courier services.
  • Waste management.
  • Food.
  • Chemicals.
  • Research.
  • Manufacturing.

Digital providers include online platforms designated as gatekeepers under the Digital Markets Act, such as search engines, e-commerce platforms, and social media platforms, which might fall under the category of “digital service providers” in NIS 1.

For large corporations, the criteria are either a workforce of at least 250 employees, or an annual revenue of at least €50 million together with a balance sheet total of at least €43 million. Medium-sized organizations are those with a workforce of at least 50 employees, or an annual revenue and balance sheet total exceeding €10 million.

By April 17, 2025, each member state in the EU must compile a roster of essential and important entities within their jurisdiction that must adhere to NIS 2.

Essential entities will undergo scrutiny both before and after an incident, while important entities will only face examination after an incident.

What are the penalties for noncompliance with NIS 2?

Organizations in scope of NIS 2 that fail to comply after the deadline might face the following penalties:

  • Essential entities: Could be fined up to €10 million or 2% of their global annual turnover, whichever is higher.
  • Important entities: Might incur fines up to €7 million or 1.4% of their global annual turnover, whichever is higher.

An entity will not be penalized under both NIS 2 and GDPR if a security incident due to non-compliance leads to a personal data breach.

How can a business ensure compliance with NIS 2?

The primary task for executives operating within the EU is to ascertain whether their business qualifies as either essential or important under NIS 2, as not all member states have published a list of applicable entities within their jurisdiction. Essential and important entities must register with the EU Agency for Cybersecurity.

Irrespective of being subject to the directive, conducting a risk assessment is a pivotal step. NIS 2 mandates that companies adopt a risk-oriented approach to managing cybersecurity defenses. Given the rise in cyber attacks, these assessments become a crucial aspect even for non-applicable entities.


In addition to internal vulnerabilities, companies should also evaluate those within their supply chains during the risk assessment. Third-party providers are enticing targets because compromising a single provider can give threat actors entry points into many of its customers at once. Article 21 mandates that companies ensure the quality of products and cybersecurity practices of their suppliers and service providers.

Entities obligated to comply with NIS 2 must create and implement comprehensive cybersecurity policies covering incident detection, response, and recovery, and must conduct routine security audits to ensure adherence to Article 21. The directive specifies a range of specific measures that can be adopted, such as multi-factor authentication, cybersecurity training, and access controls for sensitive data.

Processes to meet the stringent 24-hour reporting demands for significant incidents must be put in place, and management bodies overseeing compliance must be designated. Executives bear specific legal liability under NIS 2 in case of non-compliance.

Moreover, member states can introduce their own cybersecurity and reporting requirements beyond NIS 2; hence, thorough research into national rules is essential. Countries like Lithuania, Belgium, Croatia, Greece, Hungary, and Latvia have already published additional requirements.

Companies can seek assistance from external cybersecurity firms such as PwC, WithSecure, Advisera, Wavestone, and Bureau Veritas, or use specialized compliance tools, to navigate the intricacies of NIS 2 compliance.

What are the viewpoints of policy experts on NIS 2?

Although NIS 2 aims to enhance the cybersecurity of EU businesses to prevent and mitigate cyber attack impacts, not all policy experts are convinced of the rollout strategy.

Inadequate compliance timeframe for businesses

Chris Gow, Cisco’s Head of EU Public Policy, believes that businesses had insufficient time to comply with NIS 2 since its inception in 2020. “For the incident reporting and security measures in NIS 2 to be practical and effective, there should be a more realistic timeframe,” he wrote in an email to TechRepublic.

“Entities covered by NIS 2 should be given until 18th April 2027 to implement the Cybersecurity Measures. During this period, the authorities would not enforce these measures immediately but could engage with organizations to understand their roadmap for meeting the controls.”

Tim Wright, a technology lawyer and partner at Fladgate, highlighted the disparity in implementation status among different member states across the bloc, despite the looming deadline.

A Veeam study identified several reasons hindering full NIS 2 compliance at this stage. Nearly one-fourth of IT managers face constraints due to technical debt, while 23% cite a lack of leadership comprehension, and 21% attribute insufficient budgeting as a limiting factor. In fact, 40% reported reduced IT budgets after NIS 2 entered into force in January 2023.

Respondents rank NIS 2 compliance as a lower priority compared to ten other concerns, including skill shortages, profitability, and digital transformation.

Wright commented in an email to TechRepublic: “While countries like Belgium, Croatia, Hungary, and Latvia have already adopted NIS2-compliant laws, others such as Bulgaria, Estonia, and Portugal seem to be lagging in the transposition process.”

He emphasized that uniform delivery of the Directive across all member states is critical for its effectiveness. Wright pointed out: “The success of NIS2 hinges on consistent implementation throughout all Member States. While NIS2 should enhance the EU’s overall cyber resilience, constant vigilance against threats is vital. The Directive’s effectiveness will depend on the clarity of its implementation and whether it fosters a genuine cybersecurity ethos, not just mere compliance.”

Potential issue of over-reporting due to low incident alert thresholds

Gow also raised concerns about overly low thresholds for reporting cyber incidents, citing instances like the obligation to disclose disruptions in cloud services lasting just over 10 minutes. He cautioned, “Incorrectly set thresholds may result in companies over-reporting minor incidents, draining resources away from actual incident responses and inundating regulators with non-essential reports.”

Non-alignment of NIS 2 with other global security standards

The EU policy expert also noted that NIS 2’s lack of alignment with other international security standards could pose a challenge, particularly for multinational corporations. Gow highlighted, “For enterprises like Cisco, juggling multiple standards is a demanding task in terms of resources and complexity. However, for smaller entities, compliance might be excessively burdensome, potentially stifling innovation and competitiveness.

“Divergent standards or national schemes can restrict cross-border operations within the EU, creating obstructions that impede growth prospects.”
