The NIS2 (Network and Information Security) directive is the EU’s latest policy that aims to improve the collective cybersecurity of member states. The final text of the directive is expected to be approved in 2022, meaning that all relevant organisations are expected to comply with the new requirements in 2024. The NIS2 will ensure that all organisations which serve an essential function in society have a high level of cybersecurity. In this post, we discuss what the NIS2 is, which kinds of organisations it applies to, and the new security requirements that organisations will have to meet. Here’s what it’s all about, if it applies to your organisation and what you should do if it does.
Table of contents
- What is the NIS2?
- Why the NIS2 was developed
- The NIS2 has three general objectives
- Stricter cybersecurity requirements
- New incident reporting requirements
- Higher sanctions for NIS2 violations
- How will this impact organisations in Europe?
- Our recommendations for your organisation
What is the NIS2?
The NIS2 is a new EU policy in development, which all EU member states will be expected to comply with in 2024. At its core, the NIS2 aims to protect critical organisations and infrastructure within the EU from cyber threats and to achieve a high level of common security across the EU. To achieve this goal, the NIS2 focuses on organisations that provide essential services. These are organisations that we depend on for the normal functioning of society, so they are often big targets for cybercriminals who want to make an impact. The directive includes stricter requirements for security, stricter reporting obligations, and stricter enforcement requirements for a wider scope of organisations than the first NIS directive.
The question is if your organisation is essential for societal and economic activities?Organisations included in the NIS2 directive include businesses and organisations that provide services which are essential for societal and economic activities.
Does the NIS2 affect your organisation?
It does if you work in one of the sectors that the original NIS applied to or one of the sectors that the new NIS2 have added to the list.
The original NIS directive applied to organisations in the following sectors:
-
Healthcare
-
Digital infrastructure
-
Transport
-
Water supply
-
Digital service providers
-
Banking and financial market infrastructure
-
Energy
The new NIS2 directive adds:
-
Providers of public electronic communications networks or services
-
Wastewater and waste management
-
Manufacturing of certain critical products (e.g., pharmaceuticals, medical devices, and chemicals)
-
Food
-
Digital services (e.g., social networking platforms and data centre services)
-
Space (e.g., aerospace)
-
Postal and courier services
-
Public administration
It’s important to note that the NIS2 apply to organisations located within the EU, but organisations outside of the EU that are essential within an EU country are also required to comply with the directive.
If your organisation is in one of these sectors you are in category of being essential for societal and economic activities.
Why the NIS2 was developed
Before diving in what you should do, let’s have a little background information. The EU’s first cybersecurity policy, the NIS directive which came into force in 2016, needed an update in the wake of new cybersecurity threats. During the COVID-19 pandemic, the world experienced a rise in cyber-attacks, which led the European Commission to propose the NIS2 directive. The NIS2 will fill the gaps in the original NIS directive by expanding the scope of critical service providers it covers, strengthening security requirements for these organisations, addressing supply chain security, and increasing reporting obligations and enforcement. Once enacted, the NIS2 will replace the NIS directive with a more comprehensive policy to strengthen the cybersecurity and resilience of essential service providers in the EU. The goal is, that it will better prepare organisations to manage the cybersecurity risks of today.
The NIS2 will replace the NIS directive. It will require that more organisations comply with stricter cybersecurity requirements
The NIS2 has three general objectives
The three main goals of the NIS2 are to increase cyber resilience across essential service providers, streamline cyber resilience through stricter security requirements and penalties for violations, and improve the EU’s preparedness to deal with cyber-attacks.
Increase cyber resilience across essential service providers
The first objective is to increase resilience across essential service providers in the EU. The scope of service providers that must comply with the NIS2 is greater than the scope of the original NIS directive. All public and private organisations within these categories must abide by the same cybersecurity measures. This ensures that there are fewer areas of vulnerability within the EU’s critical service providers.
Streamline resilience with stricter security requirements and penalties
The second objective of the NIS2 is to better align the resilience of all relevant organisations through stricter security requirements and penalties for violations. The original NIS directive permitted organisations to tailor their adherence to the cybersecurity requirements. While this allowed for flexibility, it also created weak links and led to inconsistent levels of security across the EU. The new requirements, briefly outlined below, are better aligned and aim to reduce the inconsistencies created by the NIS directive.
Improve the EU’s collective ability to prepare for and respond to cyber threats
Finally, the third objective of the NIS2 is to increase the EU’s collective preparedness and responsiveness to cyber threats. This will be achieved by improving the communication and information sharing among EU and member state authorities. The NIS2 also outlines procedures to follow in case a large-scale cyber incident occurs.
Stricter cybersecurity requirements
To maintain a high level of security within essential service providers, the NIS2 will require that relevant organisations must comply with strict requirements for:
-
Completing a risk assessment and having sufficient information system security policies in place
-
Preventing, detecting, and responding to incidents appropriately
-
Crisis management and operational continuity in the case of a major cyber incident
-
Ensuring the security of their supply chain, including providers of data processing or storage services
-
Ensuring the security of their network and information systems, from the acquisition to the development and maintenance stages
-
Having policies and procedures in place that assess the effectiveness of cybersecurity risk management practices
-
Using cryptography and encryption
Luckily, most of these things are not new things and a lot of companies are hopefully already working on these areas. It also goes hand in hand with GDPR work as it is good steps to protect data.
New incident reporting requirements
Additionally, the NIS2 will require a two-step process for reporting security incidents to the relevant supervisory authorities. First, once an organisation becomes aware of the security incident, it must submit an initial report within 24 hours of first becoming aware of the incident. From there, the organisation has one month to submit a final report.
Higher sanctions for NIS2 violations
The directive outlines guidelines for minimum financial penalties that should be given when an organisation does not comply with the NIS2 requirements. There are different fines depending on an organisation’s type and size. For example, if an organisation violates the NIS2, it will face fines of 10 million EUR or 2% of the organisation’s gross annual global revenue (the same as a GDPR fine for a less serious violation). Additionally, the leadership of non-compliant organisations can be held personally responsible for the NIS2 breach.
How will this impact organisations in Europe?
Once the final legal text of the NIS2 directive is adopted, which is expected to happen this fall, EU member states and the organisations that operate within them will be required to comply with the new requirements within the time specified in the NIS2 (generally, within 2 years). Organisations that belong to the sectors that the NIS2 directive covers will be responsible for complying with the new security measures in the NIS2. This means that if you are a part of one of the sectors you have to keep an eye on the updates.
Our recommendations for your organisation
We don’t know exactly what the requirements are yet, so it’s mostly about taking the initial steps that would be a good idea no matter what happens. One of the focus areas of the NIS2 is to ensure that organisations have adequate risk analyses and security policies in place. We always recommend that organisations assess their security risks and make plans to avoid those risks. We’ve created a free risk analysis template and a guide that you can use to guide your risk assessment.
We also have resources that you can use to create and update different security policies every year:
Additionally, the ISO 27001 requirements related to risk assessment can help your organisation document your risk management practices. You can read more about getting ISO 27001 certified here.
Finally, it is important to work with data processing partners that have a high level of security to ensure a secure supply chain. You can read our guide on data processors and controllers here.
Interested in reading more about the NIS2 directive? Here is a European Commission fact sheet that summarizes the key elements.
