The EU’s cybersecurity regulation, Network and Information Systems Security Directive 2 (NIS2), set to be introduced in October 2024, is expected to impact more than 100,000 organisations globally. Building upon NIS1, it aims to enhance the resilience and security of critical infrastructure and digital services and, like GDPR, affects all entities providing “essential or important services” to the European economy.
NIS2 fosters international cooperation, mandates corporate accountability, promotes business continuity, and introduces Zero Trust principles while imposing penalties for non-compliance. Compliance includes implementing security procedures, data access policies, cybersecurity training, and managing business operations during a security incident.
In an increasingly digital world, cybersecurity has become a paramount concern for governments, organisations and individuals alike. As cyber threats continue to evolve in complexity and frequency, it is essential for nations to adopt robust cybersecurity regulations to protect their critical infrastructure, sensitive data and citizens.
The NIS1 directive
The NIS1 Directive was introduced in response to the rising cybersecurity threats due to an increase in digitalisation after the COVID-19 pandemic. Its primary objective was to improve the cybersecurity posture of critical infrastructure operators and digital service providers within the EU. The directive required member states to adopt measures to enhance cybersecurity and report significant cybersecurity incidents.
The scope and implications of NIS2
NIS2 aims to further enhance the resilience and security of critical infrastructure and digital services across the continent by expanding on the previous requirements and widening the scope of covered organisations and sectors. Like the General Data Protection Regulation (GDPR), NIS2 will have global ramifications, as it will impact all entities that provide “essential or important services” to the European economy and society, including companies and suppliers both within and outside Europe.
Under NIS2, businesses outside the EU that fit into the specific categories listed in the directive will be expected to comply if they want to conduct business with European companies and countries. This not only improves the effectiveness of cybersecurity but also fosters international cooperation, increases trust and benefits relations between member states in other areas.
NIS2 also leads member states to strengthen their cooperation in cyber crisis management by providing a formal framework for the Cyber Crisis Liaison Organization Network (CyCLONe). This network aims to facilitate information sharing and coordination during cyber crises.
Entities covered by NIS2
NIS2 defines “essential and important entities” as businesses and organisations with over 50 employees that bring in at least €10 million in annual revenue. Essential entities include companies in sectors such as energy, health, transport, public administration, finance, water supply and digital infrastructure. Important entities include sectors such as postal services, waste management, manufacturing, food, chemicals and research.
These organisations are required to implement risk management practices, including risk assessments and mitigation measures, to identify and address potential cybersecurity threats effectively. They are also obligated to report cybersecurity incidents to relevant authorities within specific timeframes.
Corporate Accountability and Business Continuity
Taking cybersecurity accountability one step further, NIS2 highlights the importance of corporate management’s role in overseeing and approving the entity’s cybersecurity measures. C-level management is required to be trained on cybersecurity measures and address cyber risks. In cases of gross negligence, top management can be held personally liable for cybersecurity incidents.
NIS2 also promotes the need for business continuity by requiring organisations to develop plans for ensuring continuity in the case of major cyber incidents. These plans should include considerations for system recovery, emergency procedures and the establishment of a crisis response team.
Zero trust compliance
NIS2 outlines the adoption of zero trust principles as part of “Basic Cyber Hygiene” requirements. Zero trust is a security framework and set of principles focused on ensuring that organisations do not trust any entity, whether internal or external, and continuously verify trust as part of their security posture. This approach allows for the timely detection of suspicious behaviour and potential cyber threats.
Penalties for non-compliance
The NIS2 directive introduces penalties and sanctions for non-compliance to incentivise organisations to prioritise cybersecurity. Essential entities that fail to comply can be fined up to €10 million or 2% of their global annual revenue, while important entities can be fined up to €7 million or 1.4% of global annual revenue.
Business impact and considerations
For the 100,000-plus organisations set to be impacted by the implementation of NIS2 in a year’s time, the directive creates additional obligations and responsibilities. These include implementing security procedures for employees with access to sensitive or important data, developing policies for data access, providing cybersecurity training, and practicing basic computer hygiene.
Furthermore, organisations must have a plan for managing business operations during and after a security incident. This includes ensuring up-to-date backups, maintaining access to IT systems, and establishing a crisis response team.
To navigate the NIS2 transition, organisations can seek support from solution providers whose portfolios include cybersecurity technologies, webinars, training and more.
While the implementation of NIS2 may present challenges for some organisations, it is ultimately a positive step towards improving European cybersecurity and making the EU more resilient to evolving cyber threats.