The NIS2 Directive is the second version of the NIS Directive, the European Union’s first cybersecurity directive. Reworked to eliminate vagaries and expand its reach, the NIS2 Directive includes more sectors as well as guidelines for its uniform implementation across EU member states.
Applicable to all “essential” or “important” entities in all EU member states, the NIS2 Directive aims to ensure that Europe’s organizations and citizens are protected.
The NIS2 Directive introduces a standard set of cybersecurity requirements across all EU member states, highlights better practices, creates strict incident reporting requirements, and introduces enforcement measures and sanctions. It also requires the establishment of an EU-wide collaboration and vulnerability-sharing program.
The NIS2 Directive holds management accountable for:
- Ensuring that cybersecurity risk assessments are carried out
- Implementing technical and organizational security measures
- Managing risks appropriately
- Supporting cybersecurity through training and risk management programs
It is noteworthy that the NIS2 Directive does not explicitly specify any technological changes that must be enacted. The NIS2 Directive outlines concepts and best practices for enhancing organizations’ security postures.
Deadlines for the NIS2 Directive
By October 17, 2024, EU member states must adopt and publish the provisions to legislation necessary to comply with the NIS2 Directive. EU member states must identify the essential and important entities described in the NIS2 Directive by April 17, 2025.
According to the NIS2 Directive, entities in EU member states can register themselves, if they determine that their services fall within the scope of NIS2. Entities that are bound by the NIS2 Directive are required to register in any EU member state where they provide services before each of their deadlines. Before applicable registration deadlines, entities are required to provide:
- Their name, address, and registration number
- The sector or sub-sector in NIS2 Directive’s scope under which they fall
- Their contact details
- Member states in which they operate
- The list of their assigned IP addresses
History of the NIS2 Directive
The Directive on the Security of Network and Information Systems, commonly referred to as NIS, was established in July 2016 to enhance cybersecurity and cyber resilience across the European Union. The regulatory measures that were set forth focused on:
- Enhancing cybersecurity capabilities at a national level
- Increasing collaboration between EU member states to address cyber threats
- Improving cybersecurity in essential and important organizations
The Council of the European Union adopted the NIS2 Directive on November 28, 2022. The NIS2 Directive was published on December 27, 2022, officially replacing and repealing the NIS Directive (Directive 2016/1148/EC).
The European Union adopted a new version of the NIS Directive, the NIS2 Directive, on January 16, 2023. A primary goal of the NIS2 Directive is to expedite improvements to cybersecurity and resilience within essential and important organizations of the European Union.
EU member states are required to have the NIS2 Directive included in their national legislation by October 17, 2024.
Which sectors are regulated by the NIS2 Directive?
The NIS2 Directive applies to organizations that are classified as medium or large by EU standards (i.e., organizations that have more than 50 employees and/or generate more than 10 million euros in revenue per year). However, these parameters do not apply to organizations in certain sectors, such as those that are:
- Deemed critical infrastructure
- Providers of public services (e.g., electronic communication networks)
- Providers of a service where an interruption could impact public safety, security, or health or cause systemic risks
- Sole providers of a service to a government
Organizations, companies, and suppliers that must abide by the NIS2 Directive are divided into two categories—essential and important. This is a material distinction in the NIS2 Directive, as there are different requirements for each category depending on the products and services provided to EU member states and the impact of an incident on their delivery.
Examples of essential entities (EE), according to the NIS2 Directive, are:
- Aerospace
- Banking and financial market infrastructure
- Digital infrastructure
- Drinking water supply
- Energy
- Healthcare
- ICT (Information and Communications Technology) service management
- Managed service provider
- Public administration (central and regional levels)
- Transport
- Wastewater
Following are examples of important entities (IE), according to the NIS2 Directive:
- Digital providers (e.g., search engines, social networking platforms)
- Food production, processing, and distribution
- Manufacturing of medical devices
- Postal and courier services
- Production, processing, and distribution of chemicals
- Research
- Waste management
NIS2 vs NIS requirements
Following is a comparison of NIS and NIS2 by the European Commission.
| NIS | NIS2 |
| Capabilities | |
| EU member states improve their cybersecurity capabilities. | More stringent supervision measures and enforcement are introduced. A list of administrative sanctions, including fines for breaches of the cybersecurity risk management and reporting obligations, is established. |
| Cooperation | |
| EU-level cooperation is increased. | The European Cyber Crises Liaison Network (EU-CyCLONe) is established to support the coordinated management of large-scale cybersecurity incidents at the EU level. Information sharing and cooperation between member state authorities is increased with the enhanced role of the Cooperation Group. Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU is established. |
| Cybersecurity risk management | |
| Operators of Essential Services (OES) and Digital Service Providers (DSP) must adopt risk management practices and notify their national authorities about significant incidents. | Security requirements are strengthened with a list of focused measures, including incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic computer hygiene practices and cybersecurity training, the effective use of cryptography, human resources security, access control policies, and asset management. The cybersecurity of the supply chain for key information and communication technologies is strengthened. Incident reporting obligations are strengthened with more precise reporting processes, content, and timeline provisions. |
Additional changes included in the NIS2 Directive are:
- Reinforced obligations for essential and important entities to implement technical, operational, and organizational measures to manage the risks
- Significant expansion of incident reporting requirements
- More stringent penalties for failure to comply with NIS2
The NIS2 Directive and incident reporting
With the NIS2 Directive, the duty of care and the duty to report, which already existed under the original NIS Directive, have been expanded and made stricter. Under NIS2, all opt-out opportunities have been deleted. Every incident of a cybersecurity breach will now have to be reported, whether or not the attack affected the entity’s operations. The objective is to help authorities to improve monitoring and responses to potential threats.
As it was under the NIS1 Directive, the NIS2 Directive requires every EU member state to have a central point of contact for compliance and a coordinating Computer Security Incident Response Team (CSIRT) for incident reporting or a competent authority. As an example, in Belgium, this will be the role of the Centre for Cyber Security Belgium (CCB).
The NIS2 Directive details a multi-stage incident reporting process that is mandatory in response to an incident. It also specifies the content that must be included in these reports.
- Initial notification
An initial report must be submitted within 24 hours of a cybersecurity incident to the competent authority or the nationally relevant CISRT. The initial reports should, if possible, indicate whether an unlawful or malicious act caused the incident. This first notification is intended to limit the potential spread of a cyber threat. - Follow-up notification
Within 72 hours, a more detailed notification report must be communicated. It should contain an assessment of the incident, including its severity, impact, and indicators of compromise. If the incident was criminal in nature, the impacted entity should also report it to law enforcement authorities. - Final report
Within one month of the submission of the initial notification or first report, a final report must be submitted. This final report must include:- A detailed description of the incident
- The severity and consequences
- The type of threat or cause likely to have led to the incident
- All applied and ongoing mitigation measures
In addition to incident reporting, under the NIS2 Directive, entities must report any major cyber threat they identify that could result in a significant incident. A threat is considered significant if it results or may result in:
- Material operational disruption or financial losses for the entity concerned
- Affects or may affect natural or legal persons by causing significant material or immaterial damage
Entities outside the scope of the NIS2 Directive may voluntarily report significant incidents, cyber threats, or near misses without any regulatory consequences. This means that any entity that voluntarily submits reports may not be subject to more onerous obligations than if it had not submitted it. The intent is to make it easy and risk-free for organizations that are not bound by the NIS2 Directive to share their threat intelligence.
Non-compliance with the NIS2 Directive
Failure to comply with the NIS2 Directive comes with stricter penalties than under the first iteration. Under the NIS2 Directive, penalties for non-compliance differ for essential entities and important entities.
- For essential entities, administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
- For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.
How organizations should prepare for the NIS2 Directive
Following are several recommended steps that organizations should take to be prepared to meet the requirements of the NIS2 Directive.
Adopt a proactive approach to security
Continuously perform risk analyses to identify potential threats proactively. This allows organizations to address any issues and ensure that they are prepared to meet the compliance requirements of the NIS2 Directive.
Encrypt all critical data
To meet the strict cybersecurity standards of the NIS2 Directive, encryption should be used to protect critical data, including databases, communications, documents, servers, and critical infrastructure.
Foster a security-oriented culture
The importance of cybersecurity should be made clear by the top leadership of an organization, with cybersecurity a top priority for every department. A cyber-oriented culture starts with leadership and is infused into the organization by requiring a minimum-security awareness level among employees. Security training should be customized to help employees understand how their roles and responsibilities impact security.
Identify critical services, processes, and assets
Determining what will require extra protections to ensure NIS2 compliance can be done by conducting an impact assessment. This helps to identify which systems and processes fall under the NIS2 Directive’s scope.
Implement compliant risk and information security management systems
Many organizations find that they need to upgrade or change information security management systems in order to comply with the NIS2 Directive. The organization must be able to:
- Demonstrate defined responsibilities
- Ensure that key processes are operational, including:
- Information system security policies
- Incident handling and management
- Business continuity (e.g., backup systems, disaster recovery plans)
- Third-party risk management
- Vulnerability management
- Employee security awareness training
- Identify, remediate, and monitor security risks
Make multi-factor authentication mandatory
Implementing multi-factor authentication (MFA) to secure all accounts, in lieu of passwords alone, plays an integral part in protecting assets and meeting the requirements of the NIS2 Directive.
Understand the NIS2 Directive’s requirements and prepare to meet them
Take time to study the requirements and assess the organization’s readiness to comply. This includes identifying gaps and implementing plans to complete them in advance of the compliance deadline.
A critical component of NIS2 preparedness is securing support from leadership, buy-in from stakeholders, and the necessary budget and resources.
Starting early is imperative as delays are almost inevitable, and the deadlines will not accommodate delays.
The NIS2 Directive – part of a growing trend
The NIS2 Directive represents a growing trend for cybersecurity and cyber resilience to be integral to legislation. With the NIS2 Directive, every EU member state is required to adopt it as law.
The NIS2 Directive has a far reach into organizations of all types with the intention of shoring up defenses against escalating cyber threats. The good news about the NIS2 Directive and similar initiatives is that it helps organizations improve their overall cybersecurity posture, which has positive impacts on all aspects of operations.
