
What is the NIS2 Directive?

The Network and Information Systems Directive II (NIS2 Directive or NIS2) is a European Union (EU) directive that strengthens cybersecurity requirements for organizations across the bloc. Unlike an EU regulation, which applies directly, a directive must be transposed into each member state's national law. Aimed at enhancing collective resilience against cyber threats, it mandates stricter risk management, incident response and reporting, and information security practices.

The NIS2 framework

The NIS2 Directive (Directive (EU) 2022/2555), published in the Official Journal of the EU in December 2022, repeals and replaces the original NIS Directive (Directive (EU) 2016/1148), which was the first horizontal instrument for cybersecurity across the EU. A horizontal instrument is one that applies across sectors and industries, not just a select few; NIS2 widens that cross-sector scope considerably.

Cybersecurity legislation in EU

Prior to NIS2, the original NIS directive laid the foundation for cybersecurity cooperation in the EU. However, the rapid pace of digital transformation and the stark realities of the COVID-19 pandemic revealed the predecessor's limitations, including:

  • Insufficient overall cyber resilience: Many businesses operating within the EU were still vulnerable to cyber threats.
  • Inconsistent resilience across member states and sectors: The level of preparedness varied significantly between member states and sectors.
  • Limited understanding of threats: Member states lacked a shared perspective on the evolving cyber threat landscape, including the latest threats and vulnerabilities.
  • Fragmented crisis response: The absence of a coordinated approach hampered collective response efforts during cyberattacks.

Recognizing these limitations, the European Commission saw the need for a future-proof solution and formulated the NIS2 Directive to enhance the overall security posture of the EU.

The NIS2 requirements

Here’s a breakdown of the key requirements of NIS2:

  • Risk management: Organizations must implement a comprehensive risk management program to identify, analyze and prioritize threats to the network and information systems they use to deliver their services. This can involve threat modeling, vulnerability assessments and penetration testing. For example, an energy provider would need to assess the risks associated with a cyberattack disrupting its electricity grid.
  • Security measures: Organizations must establish and maintain a baseline of technical, operational and organizational security measures that address areas like access control, incident handling, business continuity and supply chain security.
  • Management oversight: An organization's management body (e.g., Board of Directors, CEO) must approve the cybersecurity risk management measures, oversee their implementation and undergo cybersecurity training. Members of the management body can be held liable for infringements of these obligations.
  • Incident reporting: Organizations must notify the competent authority or national CSIRT of any significant incident without undue delay. An "early warning" is due within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. An "incident notification" follows within 72 hours, updating the early warning with an initial assessment of the incident's severity and impact and any indicators of compromise. A "final report" is due no later than one month after the incident notification, describing the incident, its severity and impact, the type of threat or root cause that likely triggered it, and the mitigation measures applied. Authorities may also request intermediate status updates in between.
  • Information sharing: NIS2 mandates better information sharing among member states to facilitate coordinated responses to large-scale cyberattacks. This includes sharing information about cyber threats, vulnerabilities and best practices.

Article 21(2) of the directive itself lists the ten minimum measures every in-scope entity must implement; national regulators build their guidance around them:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including the security of relationships with direct suppliers and service providers
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems

Under Article 21(1), these measures must be proportionate: they must take into account the entity's exposure to risk, its size, the cost of implementation, and the likelihood and severity of incidents, including their societal and economic impact. They must also reflect the state of the art and, where applicable, relevant European and international standards.

NIS vs NIS2

Here's a comparison of the key features of NIS and NIS2:

Scope
  NIS Directive: Covered Operators of Essential Services (OES) in a limited set of sectors such as energy, transport and healthcare, plus certain Digital Service Providers (DSPs).
  NIS2 Directive: Expands the list of sectors and covers both Essential Entities (EEs) and Important Entities (IEs), with size-based criteria determining which organizations fall into scope.

Security requirements
  NIS Directive: Established a baseline for risk management and incident reporting.
  NIS2 Directive: Mandates stricter and more specific security measures across technical, operational and organizational aspects.

Incident reporting
  NIS Directive: Required reporting of significant incidents, but timeframes and details were left largely to member states.
  NIS2 Directive: Imposes fixed timeframes (24 hours, 72 hours, one month) for reporting significant incidents and requires more detailed information to be reported.

Enforcement
  NIS Directive: Member states had wide flexibility in implementation and enforcement.
  NIS2 Directive: Harmonized approach across the EU with stricter supervisory powers and minimum levels for administrative fines for non-compliance.

Supply chain security
  NIS Directive: No specific requirements.
  NIS2 Directive: Requires organizations to address the security of their supply chain, including the cybersecurity posture of direct suppliers and service providers.

Information sharing
  NIS Directive: Limited cooperation among member states.
  NIS2 Directive: Strengthens information sharing and cooperation between member states and authorities, including through the Cooperation Group, the CSIRTs network and EU-CyCLONe for large-scale incidents.


NIS2 violations, investigations and penalties

To ensure ongoing compliance with NIS2, national competent authorities have the power to investigate potential violations. During such investigations, they may use any of the following measures:

  • On-site inspections and off-site supervision: Regulators can visit an entity's premises, or review it remotely, to assess its cybersecurity posture firsthand.
  • Security audits: They can perform regular, targeted or ad hoc security audits (for example, following a significant incident) to evaluate an entity's security controls and identify gaps.
  • Security scans: They can conduct network or system scans, based on objective and transparent criteria, to identify exploitable weaknesses or misconfigurations.
  • Requests for information: They can request the information needed to assess the entity's risk management measures, such as its documented cybersecurity policies, incident response procedures and evidence that the measures are implemented.
  • Access to data and documents: They can require access to the data, documents and other information needed to carry out their supervisory tasks.

It's important to note that important entities are subject only to ex post supervision: these measures are used when the authority receives evidence, indication or information of alleged non-compliance, typically after an incident. Essential entities, considered more critical, are subject to both ex ante and ex post supervision, so regulators may use these measures at any time to verify ongoing adherence to NIS2 requirements, even before any breach happens.

The directive sets minimum ceilings for administrative fines, which member states must provide for in national law (and may exceed):

  • Essential entities can be fined up to at least €10 million or 2% of the undertaking's total worldwide annual turnover in the preceding financial year, whichever is higher.
  • Important entities can be fined up to at least €7 million or 1.4% of the undertaking's total worldwide annual turnover in the preceding financial year, whichever is higher.

Who does NIS2 apply to?

NIS2 imposes security measures on all organizations designated as "essential" or "important" under the directive. Whether an organization falls into scope depends on two factors: its sector (the directive's Annex I lists sectors of high criticality and Annex II lists other critical sectors) and its size, with medium and large organizations generally in scope. Some entities are covered regardless of size, for example DNS service providers, TLD name registries, and sole providers of a service essential to society.

Annex I sectors, whose large organizations are generally classified as essential entities, include: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space.

Annex II sectors, whose organizations are generally classified as important entities, include: postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research. Medium-sized organizations in Annex I sectors are also generally classified as important rather than essential.

In addition to organizations established in the EU, NIS2 also applies to certain non-EU entities that offer services in the bloc, and these must designate a representative in a member state where they provide services. They include: DNS service providers, TLD name registries, domain name registration service providers, cloud computing and data center service providers, content delivery network (CDN) providers, managed service providers (MSPs) and managed security service providers (MSSPs), and providers of online marketplaces, online search engines and social networking platforms.

Conclusion

NIS2 is a comprehensive cybersecurity directive that aims to improve the overall security posture of the EU. If your organization qualifies as an important or essential entity under NIS2, you are legally required to implement the risk management measures and incident reporting obligations described above to protect your critical systems and services. Doing so will not only make you more resilient to cyberattacks, but also contribute to a more secure digital landscape across the European Union.

EU member states were required to transpose the NIS2 directive into their own national law by October 17, 2024, with the rules applying from the next day, October 18, 2024. These national laws and the accompanying regulatory guidance contain greater detail on the technical aspects of the directive and on how compliance will be assessed.
