The NIS 2 Directive: What You Should Know

Klarrio
7 min read · Aug 27, 2024


Introduction

In our increasingly digital world, the integrity and security of information systems are more vulnerable than ever. The devastating Ukrainian power grid breach in 2015, the global disruption caused by WannaCry and Petya in 2017, and the significant cyberattack on Ukraine in 2023 are strong reminders of the profound threats we are facing.

Fortunately, there’s a silver lining: while some zero-day exploits are unavoidable, many cyberattacks can be prevented with proper security measures. All too often, security breaches are the result of reused passwords, human errors, lack of multifactor authentication, or phishing emails.

In response to rising cyberthreats and our growing dependence on information systems, the Network and Information Security (NIS) Directive was established in 2016 to protect vital sectors and ensure coordinated responses to pervasive threats. Its successor, NIS 2, will transition into law in EU member states starting on October 18, 2024.

NIS Is Dead, Long Live NIS 2

The NIS (Network and Information Systems) Directive, introduced by the European Union in 2016, aimed to enhance cybersecurity across the EU by improving national cybersecurity capabilities, cross-border collaboration, and the resilience of critical infrastructure.

Although NIS was a significant step forward, it had several shortcomings:

  • Inconsistent implementation across member states.
  • Broad and sometimes vague definitions that left too much room for interpretation.
  • Mainly focused on operators of essential services (OES) and digital service providers (DSP).
  • Insufficiently addressed newer and rapidly evolving areas, such as cloud computing, artificial intelligence, and the Internet of Things (IoT).

NIS 2 shifts gears and aims to ensure a higher level of cybersecurity and operational resilience across the EU. This ensures that organizations take their cybersecurity responsibilities more seriously.

We’ll dive into the specifics of all the requirements placed on ‘entities’ (businesses and private/public organizations), but let’s have a look at the high-level key objectives first:

Broader Scope

NIS 2 expands its scope to include sectors like energy, transport, health, finance, digital infrastructure, drinking water, wastewater, chemical and medical device manufacturing, food processing, and social network providers.

Stricter Security Requirements

The directive introduces stricter security requirements, ensuring businesses and organizations implement appropriate technical and organizational measures to manage risks and protect their networks and information systems.

Regulatory Oversight

NIS 2 provides for more robust regulatory oversight and enforcement mechanisms. Authorities have the power to subject non-compliant businesses and organizations to investigative methods, such as on-site inspections, targeted security audits, security scans, and requests for information necessary to assess compliance with cybersecurity measures.

Authorities can issue warnings, adopt binding instructions, order the cessation of non-compliant conduct, and enforce additional measures to ensure compliance.

Harmonized Sanctions

To ensure compliance, NIS 2 introduces harmonized sanctioning regimes across member states. Organizations that fail to meet the directive’s requirements may face significant fines and penalties: up to 10 million euros or 2% of global turnover, and “management bodies”, such as company boards and executives, can be held personally liable.

Strict Incident Reporting

NIS 2 enhances the requirements for incident reporting, ensuring that significant incidents are reported in a timely and efficient manner. This helps in quicker response and mitigation of the impacts of such incidents.

Increased Cooperation and Information Sharing

NIS 2 fosters greater cooperation between member states and promotes information sharing on threats, vulnerabilities, and incidents. It establishes a network of Computer Security Incident Response Teams (CSIRTs) and a European Cyber Crises Liaison Organization Network (EU-CyCLONe) to coordinate responses to large-scale cyber incidents.

When Is NIS 2 Compliance Required?

At first glance, determining if a business or organization needs to be NIS 2 compliant seems straightforward. However, several variables are at play. Moreover, member states can decide to categorize specific businesses and organizations as essential.

Even if a business or organization doesn’t require NIS 2 compliance, it may need to meet additional security guarantees if it serves NIS 2 compliant businesses or organizations, as they are obligated to secure their supply chain.

Here are some key indicators to define if a business or organization should be NIS 2 compliant:

  1. The business or organization is EU-based or provides services in the EU.
  2. It has 49+ employees and an annual revenue/turnover of 10+ million, and is active in important sectors, such as energy, transportation, banking, financial services, health, and so on.
  3. Some businesses or organizations are considered of critical importance and will need to be NIS 2 compliant, regardless of their size. Think of digital infrastructures, trust service providers, public administration entities, sole providers of a service which is essential for societal or economic activities, and so on.

Check out the NIS 2 Annex I if you are interested in more detailed information.

Here’s a high-level flowchart to give you a better idea of the key indicators.

The Implications of the “Important” and “Essential” Categorizations: Fines and Supervision

The NIS 2 directive makes a distinction between important and essential businesses and organizations.

Broadly speaking, a business or organization is categorized as essential in the following cases:

  • Categorized as critical due to their specific sector or importance.
  • A large organization (250+ employees and 50+ million euros in annual revenue) active in one of the NIS 2 sectors.

In all other cases, businesses and organizations are considered important if they are midsized (50 to 250 employees, 10 to 50 million euros in annual revenue).

Essential businesses and organizations must comply with stricter requirements and will face heavier fines if they are non-compliant:

  • Fines up to 10 million euro or 2% of the total annual turnover.

They will also be actively supervised, which may include:

  • On-site inspections and off-site monitoring.
  • Routine or targeted security audits.
  • Safety evaluations.
  • Requests for information.
  • Demands for access to any data, documents, or other information essential for carrying out supervisory duties.
  • Requests for proof that cybersecurity policies are being enforced, such as evidence from security audits performed by a certified auditor and related documentation.

Important businesses and organizations face fines up to 7 million euro or 1.4% of the total annual turnover. They will be supervised and checked if an incident takes place.

NIS 2 Compliance Obligations

To be compliant with the NIS 2 Directive, businesses and organizations need to adhere to a set of requirements as laid out in the directive. Here are the key aspects they need to focus on:

Cybersecurity Risk Management Measures

Entities must implement appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of network and information systems. This includes addressing threats to both these systems and their physical environments.

Cybersecurity measures should include:

  • Developing risk analysis and security policies.
  • Implementing effective incident handling protocols.
  • Ensuring business continuity and robust crisis management.
  • Securing the supply chain: ensuring that suppliers and service providers also comply with appropriate security standards, especially in sectors where outsourcing is common.
  • Safeguarding the acquisition, development, and maintenance of systems, including vulnerability management.
  • Evaluating the effectiveness of cybersecurity measures.
  • Enhancing cyber hygiene and providing cybersecurity training.
  • Utilizing cryptography and encryption as necessary.
  • Managing personnel security, access controls, and asset management.
  • Employing multi-factor or continuous authentication methods.
  • Establishing a coordinated vulnerability disclosure policy.

Incident Reporting

The directive mandates reporting to the competent authorities any significant incident that could disrupt service provision or cause considerable damage.

Businesses and organizations must notify the relevant Computer Security Incident Response Teams (CSIRTs) or competent authorities without undue delay about any significant incidents affecting their services.

Notifications should include information enabling the determination of cross-border impacts and must be made to the recipients of the services if their provision is likely to be adversely affected.

The notification process is as follows:

  • An initial early warning should be issued within 24 hours of detecting a significant incident.
  • A detailed incident notification is required within 72 hours.
  • Interim reports may be requested.
  • A final report is due no later than one month after the initial detailed notification.
  • Ongoing incidents necessitate progress updates until resolution.

Management Responsibilities

Management bodies of essential and important businesses and organizations must approve and oversee the implementation of cybersecurity risk-management measures. They are also responsible for ensuring compliance and can be held liable for breaches.

Cooperation and Information Sharing

Businesses and organizations must cooperate with competent authorities, including sharing relevant information during security risk assessments and audits. They need to register with the CSIRTs in the relevant member states and update information if changes are made.

Information should include:

  • The name of the entity.
  • The relevant sector, subsector, and type of entity.
  • The address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its designated representative.
  • Up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3).
  • The member states where the entity provides services.
  • The entity’s IP ranges.

Proving NIS 2 Compliance

Businesses and organizations categorized as essential will be actively followed up by the authorities; important businesses and organizations, by contrast, will need to prove their compliance in case an incident happens.

When it comes to certification, the NIS 2 directive leaves room for interpretation regarding the requirements. Article 24 states that “Member States may require essential and important entities to use certified ICT products, services, and processes under European cybersecurity certification schemes to demonstrate compliance with cybersecurity requirements.”

Article 25 states that “The Commission is empowered to adopt delegated acts to specify which categories of entities are required to use certified ICT products, services, and processes. This is to be done where insufficient levels of cybersecurity have been identified. Before adopting such acts, the Commission must carry out an impact assessment and consultations.”

It is up to the member states to specify what these requirements entail in practice.

In Belgium, for example, essential businesses and organizations must undergo a regular compliance assessment, where they can choose between:

  • A CyberFundamentals certification, granted by a conformity assessment body approved by the CSIRT.
  • ISO/IEC 27001 certification issued by a CSIRT-approved Conformity Assessment Body.
  • An inspection by the CSIRT or sector inspection service.

Conclusion

The NIS 2 Directive represents a significant evolution in the European Union’s approach to cybersecurity, addressing the shortcomings of its predecessor by broadening its scope, strengthening requirements, and imposing stricter penalties for non-compliance.

As cyber threats continue to evolve, the directive’s expanded focus on critical sectors, enhanced regulatory oversight, and harmonized sanctions aim to foster a more resilient and secure digital environment across the EU.

Klarrio

Klarrio empowers you with tailor-made, scalable data platforms & microservices for real-time data processing across various cloud & on-premises infrastructures.