What is NIS2 and what does it mean for your organisation?

In recent years, we have seen a sharp rise in the number of cyber attacks and incidents in Europe. In particular, phishing, malware and ransomware are major problems. Cyber-attacks can have a significant impact on society as we rely heavily on a well-functioning digital infrastructure, both at a business and personal level. As we all work mainly digitally, cybersecurity is a basic requirement rather than an option.

To strengthen cybersecurity across Europe, the European Parliament voted to adopt the revised Network and Information Systems Directive 2022/0383, more commonly referred to as "NIS2". Designed to extend, strengthen and harmonise the implementation of the EU's existing cybersecurity framework, NIS2 is a key part of the EU's cybersecurity strategy and is in line with the European Commission's priority to make Europe fit for the digital age. Which sectors does it apply to? And what does its implementation mean for your organisation? Find out in this article.

What is the NIS2 Directive?

In 2016, the EU introduced the Network and Information Security (NIS) Directive. This NIS1 sets strict cybersecurity requirements for so-called 'essential companies'. These are, for example, water, energy and telecoms companies. The NIS2 complements and extends the Directive by designating more companies as essential companies. In total, it covers around 160,000 organisations across Europe.

The key components of the NIS2 are:

• Based on their economic and social importance, the new Directive covers more sectors and revises the way companies are classified. Medium and large companies in selected sectors are included in the proposal. At the same time, it gives Member States some flexibility to identify smaller companies with a high-risk profile.

• More attention should be given to the governing bodies of companies falling within the scope, with Member States ensuring that those bodies can be held liable for breaches by the entity of provisions relating to those measures.

• The Directive strengthens the security requirements for companies by imposing a risk management approach and outlining the core cybersecurity measures that all in-scope companies must implement.

• The NIS2 no longer distinguishes between operators of essential services and providers of digital services. Organisations are classified according to their importance and divided into essential and important categories, with the result that they are subject to different supervisory regimes.

• Incident reporting requirements will be significantly amended and sanctions for non-compliance will be strengthened.

• Individual companies will have to address security risks in their supply chains and supplier relationships.

• There will be stronger supervisory measures for national authorities, stricter requirements for enforcing security measures and harmonisation of sanctioning regimes and reporting obligations in Member States, as well as enhanced cooperation and information sharing between Member States.

When and to whom does NIS2 apply?

The NIS2 applies to any organisation operating or carrying out activities within the EU that provide an essential service to consumers (i.e. they fit the description of an 'essential' or 'important' organisation in a defined list of sectors). Examples include internet providers, energy suppliers, drinking water companies, waste processors, banks, transporters, healthcare institutions and factories producing food or major household items. Notable exceptions will be smaller companies that could be considered essential but do not meet a size cap (which is expected to be EUR 10 million in annual turnover and/or fewer than 50 employees) and other entities explicitly excluded by Member States.

The NIS2 can label organisations as either essential or important – which are subject to the same cybersecurity management requirements and incident reporting obligations under NIS2. What is the biggest difference between essential and important organisations? Compliance monitoring. For essential providers, mainly parties in vital sectors, monitoring must be strictly proactive and clearly reflected in their processes. This means that regulators check that these organisations are applying and complying correctly. For critical providers, monitoring will be reactive, when there is evidence of a cyber incident.

The new legislation has a wider scope (more sectors and more organisations) than the NIS1 directive and aims to equalise and increase digital resilience across EU member states. NIS2 is expected to become law by October 2024 at the latest. “For many SMEs, NIS2 will have no impact unless you are essential. Then you have to be certified and you will get more frequent visits from a regulator,” explained Bart Groothuis, a member of the European Parliament.

What is the impact of the new legislation?

Is your organisation identified as essential? And are you not compliant with the requirements of the NIS2? Then you could face fines of up to 10 million euros or 2% of total annual global turnover. Individuals with relevant cybersecurity authority or (management) roles may be held personally responsible for non-compliance.