What Is the NIS2 Directive? - A New EU-Wide Cybersecurity Standards For Organizations

Following up on its predecessor, NIS, EU introduces a new legal framework to reinforce new cybersecurity standards. NIS 2 is a new EU law designed to significantly improve cybersecurity across Europe. It requires essential organizations to take strong measures to protect their systems and data, ensuring they can prevent and handle cyberattacks effectively. What is this new directive, how it differs from its predecessor and what obligations it bestows upon businesses? Let’s find out. 

NIS 2 Deadlines - How Much Time We Have To Comply?

Key dates and milestones for NIS 2 adoption:

17 July 2024 and every 18 months thereafter: 

  • EU-CyCLONe (short for European cyber crisis liaison organisation network) submits a report assessing its work to the European Parliament and the Council.

17 October 2024:

  • Member States must adopt and publish measures to comply with the NIS 2 Directive.

  • The Commission adopts implementing acts detailing technical and methodological requirements for various service providers.

18 October 2024:

  • Measures complying with the NIS 2 Directive take effect.

  • The NIS Directive is repealed.

17 January 2025:

  • The Cooperation Group establishes the methodology and organizational aspects of peer reviews.

17 April 2025:

  • Member States establish a list of essential and important entities, including those providing domain name registration services.

  • Competent authorities notify the Commission and the Cooperation Group of the number of essential and important entities per sector.

17 April 2025 and every two years thereafter: Member States review and update their list of essential and important entities.

17 October 2027 and every 36 months thereafter: The Commission reviews the functioning of the NIS 2 Directive and reports to the European Parliament and the Council.

As a company, you need to be fully compliant with NIS 2 by October 18, 2024. This is when the new rules will start being enforced, meaning any organization falling under the scope of NIS 2 must have all necessary cybersecurity measures in place by this date.   

What Is NIS 2? A New Era For Cybersecurity In EU 

The NIS 2 Directive, a successor to the original Network and Information Security (NIS) Directive, marks a significant evolution in the European Union's approach to cybersecurity. This new directive builds upon the foundation laid by its predecessor, setting the stage for a more secure and resilient digital landscape across member states.

Driving Forces Behind the NIS 2 Directive

The NIS 2 Directive serves as a powerful tool in fortifying the EU's cybersecurity infrastructure. Its core objectives include:

  • Elevating Security Measures: Reinforcing the cybersecurity defenses of essential entities in vital sectors like energy, transport, banking, and healthcare.

  • Streamlining Reporting Obligations: Standardizing incident reporting procedures to improve transparency and enable a swift and coordinated response to cyber threats.

  • Expanding Regulatory Scope: Encompassing a broader range of sectors and digital service providers to address the ever-evolving nature of cyber risks.

  • Enhancing National and Cross-Border Cooperation: Bolstering national supervisory measures and fostering collaboration across the EU to effectively combat cyber incidents.

NIS 2 vs. Original NIS: Spotting the Key Differences

The most striking contrast between NIS1 and NIS2 lies in their scope. NIS1 had a narrower focus, primarily targeting operators of essential services in sectors like energy, transport, healthcare, and finance.

NIS2, on the other hand, casts a wider net, encompassing additional industries and digital service providers. This expansion brings entities in sectors such as water supply and distribution, food supply, and digital infrastructure under the directive's purview. Additionally, digital service providers offering online marketplaces, search engines, and cloud computing services now fall within its scope.  

This broader reach of NIS2 underscores the increasing significance of digital infrastructure and the pressing need to enhance the resilience of network and information systems across a wider spectrum of sectors.   

In essence, the NIS 2 Directive introduces several crucial enhancements compared to the original NIS Directive:

  • Broadened Scope: Expands beyond essential services to include sectors like postal and courier services, public administration, and waste management.

  • Stricter Security and Reporting: Imposes more stringent requirements, acknowledging the escalating sophistication of cyber threats.

  • Stronger Enforcement: Introduces tougher enforcement measures, including higher fines and stricter regulatory oversight, to ensure compliance.

  • Emphasis on Supply Chain Security: Places a greater focus on the security of supply chains and service providers, recognizing their crucial role in overall cybersecurity.

Widening the Net of Cybersecurity Regulations

The NIS 2 Directive significantly widens the scope of EU cybersecurity rules, tackling the expanding range of digital threats and the increasing reliance on digital systems across sectors. It incorporates new sectors like postal and courier services, waste management, public administration, and various digital providers, underscoring their growing importance in the digital realm.

Furthermore, the directive highlights the critical role of digital service providers, such as cloud computing services, online marketplaces, and search engines, in the digital economy.

A New Era of Incident Reporting

The NIS 2 Directive introduces stricter incident reporting requirements for essential entities in critical sectors. These entities are now mandated to report significant cyber incidents promptly and comprehensively, adhering to specific guidelines established by the directive. This standardization aims to facilitate a rapid and effective response to cyber threats across the EU.

Navigating NIS 2 Compliance: Challenges and Rewards

The NIS 2 Directive brings about more rigorous compliance requirements, encompassing risk management, incident reporting, and supply chain security. While adhering to these requirements may necessitate significant resource investment, particularly for smaller entities and those in newly included sectors, it also presents valuable opportunities.

Compliance strengthens cybersecurity resilience, offers competitive advantages, and can lead to operational improvements. Moreover, the directive opens doors to new markets for compliance solutions within the cybersecurity industry.  

Prioritizing Cybersecurity Risk Management

The NIS 2 Directive underscores the importance of cybersecurity risk management, mandating that key organizations adopt robust practices. This includes systematically identifying, assessing, and mitigating cyber risks, implementing advanced security measures, and conducting regular audits.

The shift towards a proactive cybersecurity approach extends to all organizational levels, encompassing security awareness among staff. Additionally, the directive recognizes the critical role of supply chain security in today's interconnected digital landscape.

Shaping the Future of the EU Digital Market

The NIS 2 Directive is set to reshape the EU digital market. By establishing unified and stringent cybersecurity standards across member states, the directive enhances the security of digital infrastructure and creates a level playing field for businesses in the digital space.

The heightened cybersecurity measures can also spur innovation within the cybersecurity sector, as companies develop novel solutions to meet the comprehensive standards. While compliance challenges may arise for some entities, the overall impact of the NIS 2 Directive is poised to strengthen the resilience and reliability of the EU digital market, fostering a secure and attractive environment for investment and innovation in the long run.

Important Vs Essential Organizations Under NIS 2 

Under NIS 2, the key differences between essential and important organizations boil down to:

  1. Stricter Supervision and Enforcement: Essential entities face more rigorous supervisory and enforcement measures than important entities. This reflects their critical role in maintaining vital societal and economic functions.

  2. Higher Fines: Non-compliance penalties are steeper for essential entities. Fines for them can reach up to 10 million euros or 2% of their total annual turnover, compared to a maximum of 7 million euros or 1.4% for important entities. This emphasizes the greater impact their potential breaches could have.

  3. Definition and Scope:

    • Essential entities are primarily large enterprises operating in 11 critical sectors, alongside specific service providers and entities designated by Member States.

    • Important entities encompass all other organizations meeting NIS2 criteria but not classified as essential. They are typically mid-size or large companies in sectors like public administration, space, postal services, waste management, manufacturing, etc.

In essence, while both essential and important entities must adhere to NIS2 requirements, the directive places a higher burden on essential entities due to their systemic importance. This is reflected in stricter oversight, higher penalties for non-compliance, and potentially more extensive security measures.

Is My Organization Important Or Essential? 

To determine whether your organization falls under the "essential" or "important" category within the NIS 2 Directive, consider these key factors:

  1. Sector:

    • Essential Sectors: If your organization operates in one of the 11 critical sectors (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space), and is classified as a large enterprise, you are likely an essential entity.  

    • Other Critical Sectors: If you're in sectors like postal and courier services, waste management, manufacturing, or digital providers, you might be considered an important entity.

  2. Size:

    • Large Enterprises: Organizations with more than 250 employees and over 50 million euros in annual revenue generally fall into the essential entity category if they operate within the critical sectors.

    • Mid-Size Organizations: Those with 50 to 250 employees and 10 to 50 million euros in annual revenue could be either essential or important, depending on their sector and specific circumstances.

  3. Specific Designations & Exceptions:

    • Essential by Designation: Certain entities like trust service providers, DNS service providers, public electronic communication networks, and public administration entities are automatically considered essential.

    • Critical Entities: Organizations designated as "critical entities" under the Critical Entities Resilience (CER) Directive also fall under the essential category.

    • Member State Specifications: Member States have the discretion to designate additional entities as essential based on their specific national or regional importance.

    • Exceptions for Smaller Entities: Even micro and small organizations might be considered essential or important if they are the sole provider of an essential service, their disruption could have a significant impact on public safety or security, or they pose a systemic risk.

Gearing Up for NIS 2 Compliance

As the NIS 2 Directive ushers in stricter cybersecurity requirements, organizations across the EU must take proactive steps to ensure compliance. This preparation involves a comprehensive approach that addresses both technical and organizational aspects of cybersecurity.

  • Understanding the Requirements: Thoroughly grasp the NIS 2 requirements and their implications for current practices. Identify any compliance gaps, particularly in areas like risk management, incident reporting, and supply chain security.

  • Updating Cybersecurity Frameworks: Revise and enhance cybersecurity frameworks to align with NIS 2 standards. This includes updating policies, adopting new security technologies, and strengthening internal controls.

  • Employee Training and Awareness: Conduct regular training to minimize risks associated with human error and keep staff informed about cybersecurity best practices.

  • Stakeholder Engagement: Collaborate with suppliers and service providers to ensure their compliance with NIS 2 requirements.

  • Regular Audits and Improvement: Implement a routine of regular internal and external audits to continuously assess and enhance cybersecurity measures.

  • Expert Consultation: Consider seeking advice from cybersecurity experts or legal advisors specializing in EU regulations for detailed guidance on compliance.

Moving Forward

In conclusion, the NIS 2 Directive marks a significant advancement in the EU's cybersecurity landscape. While it presents challenges in terms of compliance, it also offers opportunities for organizations to strengthen their cybersecurity posture and contribute to a more secure and resilient digital environment. By proactively preparing for NIS 2 compliance, organizations can navigate this new era of cybersecurity regulations with confidence and ensure the protection of their digital assets.

Want to know more about how to get yourself ready for NIS 2 adoption? Contact us!