What is NIS2 and what does it mean for your organisation?

In recent years, we have seen a sharp rise in the number of cyber attacks and incidents in Europe. In particular, phishing, malware and ransomware are major problems. Cyber-attacks can have a significant impact on society as we rely heavily on a well-functioning digital infrastructure, both at a business and personal level. As we all work mainly digitally, cybersecurity is a basic requirement rather than an option.

To strengthen cybersecurity across Europe, the European Parliament voted to adopt the revised Network and Information Systems Directive 2022/0383, more commonly referred to as "NIS2". Designed to extend, strengthen and harmonise the implementation of the EU's existing cybersecurity framework, NIS2 is a key part of the EU's cybersecurity strategy and is in line with the European Commission's priority to make Europe fit for the digital age. Which sectors does it apply to? And what does its implementation mean for your organisation? Find out in this article.

What is the NIS2 Directive?

In 2016, the EU introduced the Network and Information Security (NIS) Directive. This NIS1 sets strict cybersecurity requirements for so-called 'essential companies'. These are, for example, water, energy and telecoms companies. The NIS2 complements and extends the Directive by designating more companies as essential companies. In total, it covers around 160,000 organisations across Europe.

The key components of the NIS2 are:

Based on their economic and social importance, the new Directive covers more sectors and revises the way companies are classified. Medium and large companies in selected sectors are included in the proposal. At the same time, it gives Member States some flexibility to identify smaller companies with a high-risk profile.
More attention should be given to the governing bodies of companies falling within the scope, with Member States ensuring that those bodies can be held liable for breaches by the entity of provisions relating to those measures.
The Directive strengthens the security requirements for companies by imposing a risk management approach and outlining the core cybersecurity measures that all in-scope companies must implement.
The NIS2 no longer distinguishes between operators of essential services and providers of digital services. Organisations are classified according to their importance and divided into essential and important categories, with the result that they are subject to different supervisory regimes.
Incident reporting requirements will be significantly amended and sanctions for non-compliance will be strengthened.
Individual companies will have to address security risks in their supply chains and supplier relationships.
There will be stronger supervisory measures for national authorities, stricter requirements for enforcing security measures and harmonisation of sanctioning regimes and reporting obligations in Member States, as well as enhanced cooperation and information sharing between Member States.

When and to whom does NIS2 apply?

The NIS2 applies to any organisation operating or carrying out activities within the EU that provide an essential service to consumers (i.e. they fit the description of an 'essential' or 'important' organisation in a defined list of sectors). Examples include internet providers, energy suppliers, drinking water companies, waste processors, banks, transporters, healthcare institutions and factories producing food or major household items. Notable exceptions will be smaller companies that could be considered essential but do not meet a size cap (which is expected to be EUR 10 million in annual turnover and/or fewer than 50 employees) and other entities explicitly excluded by Member States.

The NIS2 can label organisations as either essential or important – which are subject to the same cybersecurity management requirements and incident reporting obligations under NIS2. What is the biggest difference between essential and important organisations? Compliance monitoring. For essential providers, mainly parties in vital sectors, monitoring must be strictly proactive and clearly reflected in their processes. This means that regulators check that these organisations are applying and complying correctly. For critical providers, monitoring will be reactive, when there is evidence of a cyber incident.

The new legislation has a wider scope (more sectors and more organisations) than the NIS1 directive and aims to equalise and increase digital resilience across EU member states. NIS2 is expected to become law by September 2024 at the latest. “For many SMEs, NIS2 will have no impact unless you are essential. Then you have to be certified and you will get more frequent visits from a regulator,” explained Bart Groothuis, a member of the European Parliament.

What is the impact of the new legislation?

Is your organisation identified as essential? And are you not compliant with the requirements of the NIS2? Then you could face fines of up to 10 million euros or 2% of total annual global turnover. Individuals with relevant cybersecurity authority or (management) roles may be held personally responsible for non-compliance.

Levert jouw bedrijf een essentiële dienst aan consumenten? Dan moet je voor 17 oktober 2024 jouw cybersecurity zaken op orde hebben. Dit lijkt ver weg, maar voor je het weet is het zover. Wij helpen je graag om te onderzoeken hoe de cybersecurity van jouw bedrijf ervoor staat en we zorgen er samen voor dat je op tijd alle zaken op orde hebt.

Thorough preparation

The formal approval of NIS2 took place on 10 November 2022, its formal publication came into force on January 16, 2023. This means that the European Member States must begin implementation within 21 months of this publication date. Thus, the implementation must be completed by October 17, 2024. This gives companies time to prepare ahead of time.

Fortunately, there is much can do to take your cybersecurity to the next level. Make sure you adopt security and privacy by design principles when implementing new processes or reviewing suppliers – and prepare for NIS2 compliance in a holistic way, taking into account relevant obligations under other laws. For example, your cybersecurity policies and incident management procedures will need to consider all relevant requirements across applicable laws, including GDPR requirements for incident reporting and for appropriate technical and organisational measures, but do not automatically assume that a GDPR-compliant incident response process will be sufficient for NIS2 purposes, particularly in light of NIS2’s tighter reporting deadlines. Review your requirements and incident reporting – and consider what changes are necessary.

Consistent use of multi-factor authentication (MFA), developing a strong identity and access management (IAM) framework and reducing the digital attack surface will also help to increase your digital security posture.

Security and privacy design is not something that “should” be considered - it is already part of existing policies.

Here's how Nomios helps

Are you struggling to meet the strict cybersecurity requirements? And do you find it a challenge to get your organisation ready for the NIS2? Then Nomios can help. We are a recognised specialist in cybersecurity and networking and we have the knowledge and solutions to help you meet the NIS2 requirements.

Help with NIS2