What is the NIS2 Directive and how to prepare for it?

In a world where digitalization is advancing by leaps and bounds, data protection and regulation compliance have never been more crucial. In this scenario, the European NIS2 Directive has emerged, which will affect a large part of the organizations in the EU Member States and will be mandatory as of 17 October 2024.

If you do not want to suffer sanctions or be left out of its important implementation, read on. We have compiled the key data to familiarise you with the regulation and advise you to introduce it in your company as soon as possible.

What is NIS2

The Network and Information Security 2 Directive (NIS2) is a piece of legislation that seeks to establish a uniformly high level of cybersecurity across all member states of the European Union.

It establishes obligations to be adopted by those entities that fall within its scope and focuses on three main areas:

• Expansion of the scope of application: the 7 sectors covered by the original NIS Directive are complemented by several new ones.
• New mechanisms for incident reporting and information exchange: NIS2 requires timely reporting of major incidents.
• Stricter enforcement of compliance: the updated Directive introduces specific penalties for non-compliance, including fines of up to 2% of the overall annual bill.

This regulation represents a significant advance in EU cybersecurity.

NIS2: Major changes and obligations

As we said at the beginning, 17 October is the deadline for the transposition of the NIS2 directive and the complexity of the new obligations imposed by the regulation and the possible penalties for non-compliance are the main concerns of companies.

Among the most important measures to be adopted are the implementation of security policies and risk analysis, incident management, business continuity, supply chain security, and incident reporting. All of these will be proportional to the risks to which the company is exposed, the size of the entity, and the seriousness of the incidents that may occur.

The main changes and obligations are as follows:

Nomenclature of designation

The NIS2 introduces a significant change in the way organizations that must comply with their cybersecurity obligations are classified, which we discuss in detail in the following section.

Whereas the NIS Directive differentiated between operators of essential services and digital service providers, leaving it to each EU Member State to decide which entities fall into these categories, NIS2 seeks greater uniformity and clarity. Organizations are now divided into essential and important entities, using criteria such as the sector in which they operate, their size, and their annual turnover. This classification is clearer and more uniform at the European level, reducing inconsistencies in application by individual states.

Scope and Coverage

This regulation significantly broadens its scope of action compared to the previous version, mainly by identifying new sectors considered as ‘high criticality’ or ‘critical’. These sectors are fundamental to day-to-day activities and their disruption could have a severe impact on economic and social life.

This extension has resulted in many more organizations being subject to compliance with these measures.

Security requirements and risk management

The main objective of this directive is to raise security standards across the EU and to achieve this, specific risk assessment criteria have been introduced, as well as increased requirements for security measures and risk management.

One of the key aspects is the focus on supply chain security, as any vulnerability in the supply chain can compromise the security of the entire ecosystem.

Incident management is also strengthened, requiring stricter incident reporting procedures and the need for rapid and accurate reporting.

This encourages the development of a robust incident reporting framework and promotes greater public-private collaboration, improving responsiveness and resilience to potential cyber threats.

Penalties

NIS2 imposes more severe financial penalties as a deterrent for organizations that do not comply with risk management or reporting measures.

These can range from 1.4% to 2% of total annual global turnover depending on the size of the company.

Who does NIS2 apply to?

This updated directive has considerably broadened the scope of application compared to the original 2016 version. In addition, the NIS2 introduces a new classification that divides the sectors of application into two categories:

1. High-criticality sectors:
   1. Energy
   2. Transport
   3. Banking
   4. Financial market infrastructure
   5. Health
   6. Water
   7. Digital infrastructure
   8. ICT service management
   9. Public administration entities
   10. Space
2. Other critical sectors:
   1. Postal and courier services
   2. Waste management
   3. Chemical manufacturing, production and distribution
   4. Food production, processing, and distribution
   5. Manufacturing
   6. Digital suppliers
   7. Research

In addition to the classification by sector, this directive also introduces an additional classification of specific entities:

• Essential:
  • Large entities in high criticality sectors (annual turnover over 50 million euros).
  • Certification authorities, top-level domain registrars, and DNS providers, regardless of the size of the company.
  • Medium to large telecommunications providers (revenues over 10M).
  • Public administration institutions.
  • Any entity belonging to a very critical or critical sector defined as ‘essential’ by a Member State.
  • Entities defined as critical according to Directive (EU) 2022/2557.
• Important:
  • Medium-sized entities (revenues of 10 to 50 million) in highly critical sectors.
  • Medium and large entities in other critical sectors.
  • Any entity defined by a Member State as ‘significant’.

The category to which each entity belongs has important practical implications, as the activities of those classified as ‘essential’ will be subject to much stricter and proactive supervision, such as random raids, essential security checks, and requests for proof of compliance.

In fact, in case of non-compliance with the NIS2, critical entities may face a fine of up to EUR 10 million or 2% of their annual global turnover.

Entities classified as ‘significant’ are subject to slightly less stringent controls, but may face penalties of up to €7 million or 1.4% of turnover.

NIS2 Compliance

If you are one of the organizations that must comply, you need to understand your compliance and reporting obligations and find a partner to help you along the way. For example, you must notify the authorities of any significant cyber threats you identify that could result in a major incident.

In fact, the NIS2 imposes phased notification obligations for incidents that have a ‘significant impact’ on the provision of your services. These notifications must be made to the relevant competent authority or to the CSRT (Computer Security Incident Response Team).

Furthermore, to promote standardization of standards, without imposing or discriminating in favor of the use of a particular type of technology, the use of relevant European and international standards and technical specifications for network and information systems security is encouraged.

Steps to take to comply with NIS2

In order to comply with all of the above, here are the recommended steps to follow:

• Pre-assessment: a comprehensive analysis of the company’s cybersecurity risks about the requirements of the directive should be conducted, which identifies gaps between the company’s current practices and the obligations imposed by the NIS2.
• Management policies: develop policies, procedures, and plans aligned with the directive’s standards and implement the relevant actions identified in the diagnostic.
• Awareness and training: foster a security culture within the organization, as well as provide ongoing training for employees on security and best practices.
• Detection and response: establish effective mechanisms for early detection of any threats and security incident response plans.
• Testing and upgrades: all systems and their components should be regularly updated and patched to ensure that they remain resilient to cyber-attacks.
• Monitoring and collaboration: continuously monitor systems to be able to detect and respond to potential threats, as well as maintain active collaboration with relevant cybersecurity agencies.

How to prepare for NIS2 implementation?

As you will have guessed after reading the article, most companies are subject to this regulation and will have to hurry to implement it to avoid penalties. So, to summarise, the first thing to do is to assess whether and to what extent the NIS2 requirements apply to your organization.

The next step is to further investigate how this Directive has been transposed into national legislation in your state and follow the recommendations of the national cybersecurity authorities. Once you have reached this point, assess and develop technical, operational, and organizational measures for network and IT systems management, security risks, etc.

But if all this is overwhelming, Plain Concepts is here to help. With many years of experience in cyber security, we can be your best partner in strengthening your commitment to security and compliance.

Our cybersecurity experts can help you reduce the likelihood and impact of a cyber incident and ensure compliance with NIS2. They will advise you on how to strengthen your security strategy through proactive defense and the implementation of tools such as Microsoft Purview, which will become an essential ally, providing robust security and compliance protections, as well as helping you adapt to and comply with NIS2 requirements.