NIS2 Directive: A Step Forward in the EU’s Cybersecurity Strategy

With the NIS2 Directive, the European Union takes an important step forward in defining its cybersecurity strategy, aiming to strengthen the security of networks and information systems across all member states.

NIS2, short for “Network and Information Systems Directive 2” ,introduces several new provisions compared to the previous NIS Directive to address implementation gaps and tackle emerging cybersecurity challenges.

In this article, we explain the key updates introduced by the directive, the sectors affected, the deadlines and sanctions to be applied, and the actions we believe should be taken immediately.

What the NIS2 Directive Provides

The NIS2 Directive:

• Expands its scope, extending the sectors and services subject to the regulation (see which companies are affected).
• Eliminates the distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP), which is now considered outdated; introduces the classification between Essential Entities and Important Entities.
• Establishes a more uniform regulatory framework, stricter measures for organizations, and consistent sanctions for public administrations and companies across all EU member states.
• Imposes direct obligations on corporate management bodies regarding the implementation and supervision of the required compliance measures.
• Proposes the establishment of a European Cyber Crisis Liaison Organization Network (EU-CyCLONe) and strengthens the role of ENISA (European Union Agency for Cybersecurity).
• Introduces precise requirements for the process and timing of incident reporting, promoting information sharing among member states.
• Designates competent national authorities, contact points, and CSIRTs (Computer Security Incident Response Teams), responsible for monitoring, detecting, managing, and reporting cybersecurity incidents internationally.

The 5 Key Principles

NIS2 is based on five fundamental principles aimed at ensuring a high level of cybersecurity across the European Union.

1. Multi-Risk Strategy
The directive outlines a multi-risk approach, requiring security measures that address a broad spectrum of risks to networks and information systems.
Cyber defense is no longer limited to technical threats but must also consider risks stemming from physical causes, human errors, inefficient internal processes, and external factors.

2. Cooperation and Information Sharing
The directive promotes cooperation and the exchange of information between EU member states, as well as among competent authorities and private sector stakeholders, to more effectively combat transnational cyber threats.

3. Principle of Proportionality
NIS2 mandates the implementation of risk-proportionate measures aligned with the state of the art in cybersecurity, considering the nature, scope, and complexity of activities.
This principle is closely linked to the sustainability of security measures in relation to business operations.

4. Digital Resilience of the Supply Chain
NIS2 cybersecurity requirements apply not only to organizations classified as critical and their direct employees but also to subcontractors and service providers working with them.
It is therefore crucial to immediately engage the entire partner ecosystem in defining security measures.

5. Management Responsibility
The directive places direct responsibility on organizations to ensure the security of their digital infrastructure and cybersecurity incident management.
Company boards must take an active role in understanding new risk management obligations and implementing effective cybersecurity governance.

NIS2 Deadlines and Sanctions

The directive came into effect on January 16, 2023, and the EU has set October 17, 2024, as the deadline for transposition into national laws by member states.

What Does This Mean for Companies?

By this date, organizations will be required to comply with stringent requirements regarding:

• Risk management
• Operational continuity
• Supply chain security
• Incident reporting

Failure to comply with cybersecurity risk management measures and/or incident reporting obligations may result in administrative and financial penalties imposed by national regulatory authorities.

What Types of Sanctions Are Imposed?

Sanctions include:

• Hefty fines
• Revocation of company certification
• Personal liability for board members, impacting corporate reputation and business continuity, as well as causing financial repercussions.

The maximum fines are proportional to company revenue:

• Essential entities failing to meet cybersecurity obligations may be fined up to €10 million or 2% of their total revenue, whichever is higher.
• Important entities may face fines of up to €7 million or 1.4% of their total revenue, whichever is higher.

Affected Companies

The NIS2 directive outlines three criteria to determine which companies must comply with its requirements: sector of operation, company size, and role within their industry.

Organizations involved are classified into “highly critical sectors” and “other critical sectors” as follows:

Highly Critical Sectors

• Energy (electricity, district heating, oil, gas, hydrogen)
• Transport (air, rail, waterway, road)
• Finance
• Public Administration
• Healthcare (service providers, laboratories, R&D, pharmaceutical companies, critical medical device manufacturers)
• Water Supply (drinking water and wastewater)
• Digital Infrastructure (Internet exchange providers, DNS services, cloud computing, data centers, trust services, TLD registries, content delivery networks, public communication networks, B2B ICT service management)
• Aerospace

Other Critical Sectors

• Postal and courier services
• Waste management
• Chemical manufacturing, production, distribution, and disposal
• Food production, processing, and distribution
• Manufacturing (medical and diagnostic devices, computers, electronics, optics, electrical equipment, vehicles, trailers, transport means)
• Digital service providers (e-commerce, search engines, social networks)
• Research

Essential entities include all large companies from the highly critical sectors, while important entities include all medium-sized companies from the highly critical sectors and medium and large companies from the other critical sectors.

NIS2 and ISO 27001

Companies can use standard cybersecurity frameworks, such as ISO 27001, to prepare for NIS2 compliance, especially concerning the directive’s new emphasis on management responsibility for cybersecurity risk governance.

Organizations already implementing ISO 27001 controls, particularly those related to business continuity and disaster recovery, as well as ISO 27002 guidelines, will have fewer gaps to address compared to others.
We consider these ISO standards an excellent starting point for achieving NIS2 compliance.

Practical Steps: Our Perspective

Since NIS2 is a directive (unlike GDPR, which is a regulation), it must first be transposed into national laws before becoming enforceable.
The real compliance obligations and penalties will only take effect from October 17, 2024.

NIS2 promotes overall cybersecurity best practices for both companies and suppliers, focusing on four key areas:

• Risk assessment
• Identification of security measures
• Incident management
• Continuous improvement and training

At Betrusted, we have supported dozens of companies in achieving cybersecurity compliance and navigating the gray areas of NIS2.

Stay calm, Betrusted!

For more information and guidance on the next steps, contact us.