NIS2 Directive: What You Need to Know


In an era where digital threats loom large, the European Union has introduced the NIS2 Directive—an evolution of its cybersecurity strategy to safeguard essential services and networks. For businesses operating within the EU, understanding this directive is crucial for compliance and enhancing their cybersecurity posture. 

This blog post will guide you through the intricacies of the NIS2 Directive, discussing who needs to comply, its purpose, coverage, requirements, and timeline. By the end, you’ll know how to prepare your organization for this pivotal shift in cybersecurity governance. 

What is the NIS2 Directive? 

The NIS2 Directive (Directive (EU) 2022/2555), the successor to the original NIS (Network and Information Systems) Directive of 2016, marks a significant step forward in the EU’s approach to cybersecurity. It aims to address the growing complexity and sophistication of cyber threats that can disrupt essential services. While the original NIS Directive laid the groundwork for cybersecurity measures across member states, NIS2 expands on those foundations, introducing more stringent requirements and a broader scope. It entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024, so the obligations that apply to a given organization are set out in the national law of each member state in which it operates. 

The directive aims to bolster the EU’s resilience against cyber threats. By enforcing higher cybersecurity standards, NIS2 seeks to protect critical infrastructures and sectors vital to modern society’s functioning. From energy and healthcare to transport and finance, the directive ensures that all essential services maintain robust cybersecurity practices to safeguard against potential disruptions. 

NIS2 is not just about setting rules but about fostering a cybersecurity awareness and action culture. The directive encourages organizations to take proactive measures in identifying and mitigating cyber risks, ultimately leading to a more secure and resilient European digital landscape. 

Who must comply with NIS2? 

The NIS2 Directive casts a wide net, encompassing a broader range of sectors and entities than its predecessor. The original NIS Directive applied to operators of essential services (OES) in sectors such as energy, transport, banking, and health, plus a narrow set of digital service providers. NIS2 keeps those sectors and adds others, including public administration, ICT service management, space, postal and courier services, waste management, chemicals, food, manufacturing, and research. 

Scope is determined by sector and size together. As a general rule, an organization is in scope if it operates in one of the listed sectors and is medium-sized or larger (the so-called size-cap rule). Certain entities are in scope regardless of size, for example providers of DNS services, TLD name registries, qualified trust service providers, public administration entities, and entities that are the sole provider of a service in a member state. This includes private and public entities providing those services or operating critical infrastructure within the EU. 

Organizations must assess whether they fall within the directive’s scope and understand their obligations. Compliance with NIS2 is not optional. Failure to adhere to its requirements can result in significant penalties and reputational damage. Therefore, organizations must proactively align cybersecurity practices with the directive’s mandates. 

What is the purpose of NIS2? 

The NIS2 Directive is designed to enhance the EU’s cybersecurity resilience and protect its digital landscape from evolving threats. The directive aims to ensure that essential services and critical infrastructure remain operational and secure, even in the face of cyber threats. 

One of NIS2’s primary objectives is to foster a harmonized approach to cybersecurity across EU member states. The directive seeks to eliminate fragmentation and inconsistencies in cybersecurity measures by establishing common standards and practices, ensuring that all member states work collaboratively to address cyber risks. 

Furthermore, NIS2 aims to enhance information sharing and cooperation between member states. This collaborative approach enables member states to pool their resources, expertise, and knowledge, strengthening the EU’s cybersecurity posture. 

What does NIS2 cover? 

The NIS2 Directive covers a wide range of sectors and entities. Its scope includes traditional critical infrastructure sectors such as energy, transport, and healthcare, as well as digital infrastructure and digital service providers, public administration entities, and manufacturing industries. 

Within these sectors, the directive applies to organizations that provide essential services or operate critical infrastructure. This includes entities responsible for maintaining the security and availability of network and information systems that underpin these services.  

The directive also emphasizes the importance of supply chain security. With cyber threats often exploiting vulnerabilities in the supply chain, NIS2 requires organizations to assess and mitigate risks associated with their third-party suppliers and service providers. 

What are the NIS2 requirements? 

The NIS2 Directive establishes requirements that in-scope organizations must meet in order to achieve the directive’s objectives. These requirements cover three broad areas: risk management, incident reporting, and governance. 

Firstly, organizations are required to implement robust risk management practices to identify and mitigate cyber risks. This includes conducting regular risk assessments, implementing appropriate security measures, and continuously monitoring their network and information systems for potential threats. 

Secondly, the directive mandates timely incident reporting. Organizations must report significant incidents (those causing severe operational disruption or financial loss, or considerable damage to other persons) to their national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of that notification. Timely incident reporting facilitates information sharing and collaboration between member states, enabling a coordinated response to cyber threats. 

Lastly, NIS2 emphasizes cybersecurity governance. Accountability sits with the management body of the organization: it must approve the cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training, and its members can be held liable for infringements. In practice, most organizations also designate a person or team responsible for day-to-day oversight of those measures and for ensuring compliance with the directive’s requirements. 

What are the minimum measures for NIS2? 

Beyond the key requirements, NIS2 mandates the following baseline security measures (the ten measures listed in Article 21 of the directive): 

  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures 
  • Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure 
  • Policies on risk analysis and information system security 
  • Supply chain security 
  • Policies and procedures on the appropriate use of cryptography and, where appropriate, encryption 
  • Incident handling 
  • Basic cyber hygiene practices and cybersecurity training 
  • Business continuity measures (backups, disaster recovery, crisis management) 
  • Human resources security, access control policies, and asset management 
  • Use of multi-factor authentication or continuous authentication, secured voice, video and text communications, and secured emergency communication systems 

What are the penalties for non-compliance? 

Failure to comply with NIS2 can result in financial penalties for an organization. The maximum fine depends on the organization’s classification. Essential entities are large companies (250 or more employees, or annual turnover above €50 million) that operate in the sectors of high criticality listed in Annex I of the directive. Important entities are large companies operating in the other sectors in scope (Annex II), or medium-sized companies (50 to 249 employees, or annual turnover between €10 million and €50 million) operating in any of the sectors in scope. 

For essential entities, member states must provide for administrative fines of up to at least €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year of the undertaking to which the essential entity belongs, whichever amount is higher. 

For important entities, member states must provide for administrative fines of up to at least €7,000,000 or 1.4% of the total annual worldwide turnover in the previous fiscal year of the undertaking to which the important entity belongs, whichever amount is higher. 

Conclusion 

The NIS2 Directive represents a significant advancement in the EU’s efforts to enhance cybersecurity resilience and protect critical infrastructures. The directive aims to create a safer and more secure digital landscape for all member states by establishing common standards, fostering collaboration, and addressing supply chain security. 

For organizations, compliance with NIS2 is not just a legal obligation—it’s an opportunity to strengthen their cybersecurity posture and gain a competitive advantage. By implementing robust risk management practices, timely incident reporting, and effective governance frameworks, organizations can protect their operations, safeguard customer trust, and contribute to the overall cybersecurity resilience of the EU. 

Organizations should consider engaging with cybersecurity experts like A-LIGN to stay ahead of evolving cyber threats and ensure compliance with the NIS2 Directive. Reach out to our team today.