The NIS 2 Directive (Directive (EU) 2022/2555), adopted by the European Parliament and the Council on 14 December 2022, is a major legislative effort to raise cybersecurity and resilience across the EU. It amends Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and it replaces the original NIS Directive (Directive (EU) 2016/1148), which is repealed with effect from 18 October 2024. NIS 2 aims at a high common level of cybersecurity across the Union by setting minimum cybersecurity requirements for critical infrastructure, which Member States use as the baseline for their own laws and regulations; they remain free to adopt stricter national rules. As a directive, it is binding only as to the result to be achieved: it sets the goal, and each country passes its own laws, applicable to both private and public sector organisations, on how that goal is reached.
By extending its scope to new sectors and entities, the Directive responds to growing digitisation and to the severity of supply chain attacks in an interconnected world, and it strengthens the resilience and incident response capabilities of public and private entities, and of competent authorities, across the EU. Each Member State must designate or establish one or more competent authorities responsible for cybersecurity and for supervising the application of the Directive at national level, as well as a single point of contact; where only one competent authority is designated or established, it also serves as the single point of contact for that Member State.
Although the Directive runs to 46 articles, only three of them matter directly for companies seeking compliance. Article 20 covers governance: the management bodies of an entity must approve its cybersecurity risk-management measures, oversee their implementation and follow training themselves, and they can be held liable for infringements; the entity must also provide cybersecurity training and awareness programmes for its personnel. Article 21 sets out the cybersecurity risk-management measures, listing required controls such as supply chain security and incident handling. Article 23 lays down the incident reporting obligations. Most of the remaining articles address the responsibilities of Member States and EU bodies, although a few further provisions also touch entities directly, such as Article 24 on the use of European cybersecurity certification schemes and Article 27 on the registry of certain digital entities.
Taking an all-hazards approach, NIS 2 requires Member States to be adequately prepared, which includes having a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority. It also imposes cybersecurity risk-management and reporting obligations on medium-sized and large entities operating in critical sectors within the EU, affecting an estimated 160,000 companies. The Directive promotes cooperation among Member States through a Cooperation Group for strategic collaboration and information exchange, alongside a CSIRTs network for operational cooperation and EU-CyCLONe for coordinated management of large-scale incidents and crises, so that Member States can mount coordinated responses to large-scale cyberattacks. This cooperation covers the sharing of information on cyber threats, vulnerabilities and best practices, with the aim of building a strong security culture across the sectors vital to the economy and society.
By 17 October 2024, all EU Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive, so that national laws covering the public and private entities classified as essential or important are in place and apply from 18 October 2024. At the time of writing, only Belgium has fully transposed the Directive into national law, while some other Member States, such as Austria, Croatia, Latvia and Hungary, have made progress. The national acts adopted by each Member State define critical details, such as the classification of essential and important entities, so that all stakeholders have a clear view of their obligations and responsibilities under the Directive. A Member State that fails to transpose the Directive in time is in breach of EU law: the European Commission may launch a formal infringement procedure, which can end in sanctions against the country. Although entities cannot be penalised for non-compliance before the national law takes effect, companies should prepare for NIS 2 proactively, to mitigate risk and to adapt quickly once the law applies.
The Directive substantially widens the range of organisations subject to cybersecurity regulation, moving well beyond the original focus on operators of essential services. NIS 2 classifies covered organisations as either essential or important entities. Whether an entity is in scope at all depends first on its size, using the definitions of Commission Recommendation 2003/361/EC: a large enterprise has at least 250 employees, or an annual turnover above €50 million and an annual balance sheet total above €43 million; a medium-sized enterprise has between 50 and 249 employees and an annual turnover not exceeding €50 million or an annual balance sheet total not exceeding €43 million. Small and micro enterprises (fewer than 50 persons and an annual turnover or balance sheet total not exceeding €10 million) are out of scope by default, regardless of sector, except in specific cases listed in the Directive, for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, public administration entities, and an entity that is the sole provider in a Member State of a service essential to critical societal or economic activities. Essential entities are, as a rule, large entities in the sectors of high criticality listed in Annex I: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space. Important entities are all other in-scope organisations: medium-sized entities in the Annex I sectors, and medium-sized and large entities in the other critical sectors listed in Annex II, such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research.
Three general criteria determine whether an organisation has obligations under NIS 2. First, location: the Directive applies to entities that provide their services or carry out their activities within the EU, wherever they are based; certain categories of entities not established in the EU, such as DNS service providers, TLD name registries, cloud computing and data centre service providers, content delivery network providers, managed service providers and managed security service providers, and providers of online marketplaces, online search engines and social networking platforms, must designate a representative in one of the Member States where they offer their services. Second, size: the focus is on medium-sized and large enterprises. Third, sector: the organisation must operate in one of the 18 sectors listed in the Directive (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II). NIS 2 does not apply to public administration entities that carry out activities in the areas of national security, public security, defence or law enforcement, but its scope indirectly affects these areas as governments implement and enforce the Directive.
Under the NIS 2 Directive, the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by the entity, oversee their implementation, and can be held liable for infringements. Member States must ensure that the members of these management bodies follow training, so that they can identify risks and assess the effectiveness of the measures in place, and must encourage essential and important entities to offer similar regular training to their employees.
Furthermore, essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems, taking into account the state of the art, relevant European and international standards, and the cost of implementation. These measures follow an all-hazards approach and are meant to protect both the systems and their physical environment from incidents. The Directive lists the minimum areas to cover: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication and secured communication channels.
Incident reporting is a central element of the NIS 2 Directive. An incident is significant if it has caused, or is capable of causing, severe operational disruption of the entity's services or financial loss for the entity, or if it has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. Because the Directive relies on coordination and communication among Member States, their authorities, and public and private sector organisations, it puts a strong emphasis on efficient and prompt reporting processes.
NIS 2 establishes a multi-stage reporting process towards the national CSIRT or, where applicable, the competent authority: an early warning within 24 hours of becoming aware of a significant incident, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact; an incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and any indicators of compromise; an intermediate report on request; and a final report within one month of the incident notification, covering the root cause, the mitigation measures taken and any cross-border impact, or, if the incident is still ongoing at that point, a progress report followed by a final report within one month of the incident being handled. Separately, entities must without undue delay notify the recipients of their services who are likely to be adversely affected by a significant incident or significant cyber threat, and inform them of any measures they can take in response. Member States must ensure that essential and important entities meet these reporting obligations and supply the information needed to assess any cross-border impact.
To comply with NIS 2, essential and important entities should follow a structured implementation path. It starts with securing senior management support and setting up a project management framework to guide the work. Initial training for the personnel involved comes next, together with a top-level Policy on Information System Security. The entity then defines its Risk Management Methodology, carries out a comprehensive risk assessment and risk treatment, and drafts and approves a Risk Treatment Plan. On that basis it implements the required cybersecurity measures, establishes supply chain security procedures, and sets up assessments to measure the effectiveness of those measures. Incident notification procedures and ongoing cybersecurity training must also be built into the framework, and periodic internal audits and management reviews ensure that corrective actions are taken where needed. Entities should expect to prepare around 30 documents, including a Risk Assessment Methodology, a Risk Treatment Plan, a Training and Awareness Plan, an Incident Management Procedure and an IT Security Policy, among others.
Once transposed into national law, NIS 2 carries significant penalties for non-compliance: Member States must provide for administrative fines with a maximum of at least €10 million or 2% of the total worldwide annual turnover of the undertaking (whichever is higher) for essential entities, and at least €7 million or 1.4% of the total worldwide annual turnover (whichever is higher) for important entities. Liability is not limited to the organisation: the natural persons responsible, in particular the members of the management body, can also be held liable for infringements. This dual approach stresses that compliance matters at both the organisational and the individual level, and reinforces the need for diligent oversight and effective risk management within organisations.
In conclusion, while the NIS 2 Directive introduces important cybersecurity challenges, the impact of these requirements may vary based on each organisation’s maturity in cybersecurity practices. As NIS 2 gains prominence, it could become a global benchmark for cybersecurity, similar to how the EU GDPR has shaped privacy legislation.
For organisations already adhering to the ISO 27001 standard, many aspects of NIS 2 will seem familiar, making its adoption more manageable, especially for mature companies. Although NIS 2 does not mandate certification for essential and important entities, and it does not explicitly require the implementation of ISO 27001, it references the ISO/IEC 27000 series as a valuable resource for establishing cybersecurity risk management measures.
We hope this article helped you to grasp the basics regarding NIS 2, and gave you a starting point if you want to research the subject in depth.
Until next time.
References
https://www.nis-2-Directive.com/
https://www.nis-2-Directive.com/NIS_2_Directive_Transposition.html
https://digital-strategy.ec.europa.eu/en/policies/nis2-Directive
https://eur-lex.europa.eu/eli/dir/2022/2555/oj
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02022L2555-20221227
https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-Directive-new
https://www.enisa.europa.eu/topics/cybersecurity-policy
https://eucrim.eu/news/legislation-to-strengthen-cybersecurity-across-the-union-nis-2-Directive/
https://www.sans.org/blog/nis2-compliance-for-ot-strategic-implementation-of-ics-controls/
https://www.sans.org/blog/the-nis2-mandate-what-every-organization-needs-to-know/
https://advisera.com/articles/what-is-nis2/
https://advisera.com/articles/who-does-nis2-apply-to/