NIS 2 Obligations: How To Comply? - Rules, Deadlines, Penalties

The EU-wide NIS 2 directive is impending and it brings new standards for cybersecurity. The updated NIS 2 Directive enhances the 2016 regulation, requiring sectors like energy, banking, and digital services to adopt stronger cybersecurity measures. Organizations must comply with EU-wide standards and report significant security incidents, with an emphasis on vulnerability management. For some companies, adopting all changes to comply with NIS 2 can take up to 12 months. Let’s navigate obligations, deadlines and potential penalties, this new European legislation brings to the table.

Which Organizations NIS 2 Applies To?

Who Does NIS2 Apply To?

NIS2 applies to public and private sector entities that meet the following criteria:

  • Provide certain critical services or critical infrastructure

  • Qualify as medium-sized or large-sized enterprises

  • Provide their services or conduct their activities within the EU

Some entities will be subject to the new rules regardless of their size, and Member States may bring other entities within the scope of NIS2.

Supply Chain Impact

A covered entity's supply chain may be indirectly affected by NIS2. One of the most important elements of the NIS2 Directive are policies, processes, and controls for assessing supply chain security, including third-party risk and fourth-party risk.

From NIS 1 to NIS 2: Major Changes 

NIS2 significantly broadens the reach of cybersecurity regulations compared to its predecessor. New sectors are included based on their digital dependence, interconnectedness, and importance to society and the economy. Importantly, all medium and large organizations in these sectors, including public ones, now fall under NIS2's purview.

While exemptions exist, companies should carefully assess their eligibility and any other relevant regulations. If your company has more than 50 employees or an annual turnover exceeding €10 million, it's highly likely you'll be impacted by NIS2.

It's anticipated that over 100,000 additional organizations across the EU will be affected by NIS2, as the scope has dramatically expanded from seven to eighteen sectors. 

Key Obligations under NIS 2

NIS2 places significant obligations on organizations, particularly concerning cybersecurity risk management and incident notification.

Cybersecurity Risk-Management Measures

  • Essential and important entities must implement appropriate technical, operational, and organizational measures to manage cybersecurity risks and minimize the impact of incidents.

  • Minimum measures outlined in NIS2 include policies on risk analysis, information system security, incident handling, business continuity, crisis management, and supply chain security.

  • Management bodies are responsible for approving and overseeing these measures and can be held accountable for any non-compliance.

Incident Notification

  • Essential and important entities must promptly notify the relevant authorities about any incident with a significant impact on service provision.

  • A phased reporting model is required, starting with an early warning within 24 hours, a full notification within 72 hours, and a final report within one month.

  • Communication about significant cyber threats or remedies is also mandatory to service recipients and, in some cases, the general public.

  • Potential overlap with other reporting obligations, such as GDPR, necessitates comprehensive incident notification policies.

Supervision and Enforcement under NIS2

NIS2 differentiates between essential and important entities in terms of supervision and enforcement, based on their criticality and impact on society. Essential entities belong to crucial sectors like energy and healthcare, while important entities include those in sectors like digital providers and manufacturing. Both must implement cybersecurity measures and report incidents, but essential entities face stricter supervision and enforcement, including proactive inspections and higher fines. This distinction highlights the varying levels of criticality and the need for proportionate oversight under NIS2.

Supervision

  • Essential entities face proactive supervision, including random on-site inspections, regular audits, and security scans.

  • Important entities are subject to reactive action when evidence of non-compliance arises.

Enforcement

  • Competent authorities can impose a range of sanctions, including warnings, instructions, orders, and administrative fines.

  • Maximum fines are significant:

    • Essential entities: €10 million or 2% of worldwide annual turnover.

    • Important entities: €7 million or 1.4% of worldwide annual turnover.

  • Additional enforcement measures for essential entities include the potential appointment of a monitoring officer.

Actions To Take Today 

To ensure readiness for the upcoming legislation implementing NIS2, organizations should proactively assess their potential inclusion under its scope. If it seems likely that they qualify as either an important or essential entity, it's crucial to initiate a comprehensive review of the specific obligations outlined in NIS2. Taking proactive steps towards compliance will be essential to mitigate risks and avoid penalties once the legislation takes effect.

  • Determine if NIS2 Applies to Your Organization: Assess your operations, identify exemptions, categorize your organization, and understand NIS2 obligations and their impact.

  • Identify Applicable Member State Laws: Analyze NIS2 jurisdiction rules, consider cyber decision-making location, and designate a 'Representative' if needed.

  • Evaluate Other EU Cybersecurity Laws: Integrate NIS2 into your overall strategy, understand its relationship with other laws, and take a holistic compliance approach

  • Review Incident Response Procedures: Regularly assess and update processes, verify communication channels, assign responsibilities, and conduct drills.

  • Review Cybersecurity Risk Management Procedures: Regularly assess and update processes, analyze weaknesses, implement strong measures, and foster a culture of awareness.

  • Review Third-Party Risk Management (TPRM) Processes: Evaluate vendor relationships, ensure robust risk mitigation, and regularly update TPRM practices.

  • Review Organizational Culture and Working Practices: Understand risks to NIS2 compliance arising from your culture, prioritize behavioral change, and address management's responsibilities.

NIS 2: Looking Ahead

With the NIS Directive's repeal and NIS2's enforcement date looming, organizations must act now to ensure compliance. The expanded scope and stricter requirements of NIS2 leave no room for complacency.

Remember, cybersecurity is an ongoing process, not a one-time event. By proactively addressing NIS2 obligations, you not only safeguard your operations but also demonstrate a commitment to protecting your stakeholders and the broader digital ecosystem.

The time to act is now. October 18th will be here before you know it.