This is a summary of what the NIS 2 Directive is about and a high-level overview of the law and its implications for businesses.
What is NIS2?
The NIS2 Directive is an EU-wide legislative act that provides legal measures to boost the resilience of cybersecurity across the European Union. The purpose of the new NIS2 framework is to keep up with increasing digitisation and an evolving cybersecurity threat landscape. The NIS2 framework has a broad scope that covers many industry sectors and entities, and it aims to improve the resilience and incident response capabilities of public and private entities, competent authorities, and the European Union as a whole. NIS2 also establishes an EU-wide collaboration and vulnerability-sharing programme.
The NIS2 Directive takes effect EU-wide on 18 October 2024, but it is implemented through national law in each member state. This means that the actual start date of NIS2 obligations will vary across the EU.
The NIS2 Directive rests upon three main pillars: (1) national sovereignty, (2) responsible risk mitigation, and (3) collaboration and information exchange. NIS2 introduces enforcement measures and sanctions, promotes better cybersecurity practices in network and information systems, and creates stricter incident reporting requirements. In a nutshell, the main requirements of NIS2 are as follows:
- New to NIS2: Expansion of the industry sectors and organisations subject to the strict network and information system security requirements
- New to NIS2: Mandatory registration of your entity to the national supervisory authority
- New to NIS2: New incident notification deadlines
- New to NIS2: Minimum security requirements (Article 21:2)
- New to NIS2: Management is personally liable for managing cybersecurity risks and may be subject to administrative fines or prohibited from holding senior management positions for 1-3 years (details vary across EU member states).
- New to NIS2: Mandatory adequate training of the management.
- New to NIS2: Each NIS2 entity is responsible for the security of its supply chain.
Is NIS2 mandatory?
NIS2 is mandatory for any entity that is considered “critical”, “essential” or “important” to society. The industries and criteria are listed in Annexes I and II of NIS2. These covered entities must implement mandatory security measures to conduct business within their sector. A scheme of certifications for NIS2 actors is evolving, and there will be different forms of mandatory certification. Certification may become mandatory for products and services that want to enter the EU market, or for specific sectors. NIS2 mandates the European Commission to define the obligations for certification.
Does NIS2 cover us?
NIS2 divides entities under the directive’s scope into three categories in relation to the proper functioning of society: “critical”, “essential” and “important”. The importance of these industries and entities often makes them primary targets for cyber-attacks.
Critical entities:
• Entities specifically identified as societally important, operating critical infrastructure, where an incident would have a significant negative impact. Each member state government will identify and publish a list of these critical entities.
• The identification of critical entities is set out in Article 6 of Directive 2022/2557. Member States shall identify critical entities by 17 July 2026 at the latest.
• We find these critical entities in Article 2.3 and Annex I, third column of Directive 2022/2557:
Energy, Drinking water, Wastewater, Transport, Digital Infrastructure, Banking, Financial market infrastructure, Health, ICT service management, Public Administration, and Space. These are all sectors considered to be of high criticality.
Essential entities:
• Essential entities are defined in Article 3.1 NIS2.
• Entities mentioned in Annex I that are considered medium-sized enterprises according to Article 2(1) of the Annex to Recommendation 2003/361/EC, as well as qualified trust service providers, top-level domain name registries and DNS service providers (regardless of company size).
Important entities:
• Important entities are mentioned in Annex I or II, but are not considered essential according to point 1 of Article 3.2.
• Annex II mentions entities within: Postal and courier services, Production and distribution of food, Waste management, Manufacturing and distribution of chemicals, Research, and Digital providers.
The extent to which an organisation is covered by NIS2
The NIS2 requirements apply to the organisation’s entire operations, not only to services of societal importance and digital services. All suppliers are covered, including any IT infrastructure. Municipal and regional operations are also covered.
Exempted entities from NIS2
As with all EU legislation, there are certain areas in which the Member States retain sovereignty. These are safeguarding national security and safeguarding other essential State functions, including territorial integrity and maintaining law and order (Article 2.6).
There is also a general exception to the scope of NIS2. An entity is exempt if it is a small or micro entity, meaning that it has no more than 50 employees and a maximum of EUR 10 million in annual turnover. However, an entity identified as critical will still be subject to NIS2 regardless of its size (Article 2:3).
What do we have to do to become compliant?
The main risk-management obligations are set out in Chapter IV NIS2.
Governance (Article 20)
Members of management bodies, i.e. the board of directors and senior management, are required to approve their organisation’s cybersecurity risk management measures. These members must also follow applicable training and should regularly offer similar training to their employees, so that sufficient cybersecurity knowledge and skills are gained across the organisation.
Cybersecurity risk management measures (Article 21)
Entities are also required to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use. These measures must follow an all-hazards approach.
Vulnerabilities specific to each direct supplier and provider, as well as the overall quality of products and cybersecurity practices of suppliers and service providers, need to be considered.
Union-level coordinated security risk assessments of critical supply chains (Article 22)
There will be guidance for assessing critical ICT suppliers. The EU Commission, together with the EU’s Cybersecurity Authority (ENISA), will coordinate security risk assessments of the supply chains of specific ICT services, ICT systems and ICT products.
Reporting obligations of significant incidents and all incidents (Article 23)
Entities must notify significant incidents to either the Member State’s CSIRT (computer security incident response team) or the competent authority. Without undue delay, the entity shall submit an early warning within 24 hours of a significant incident, an incident notification within 72 hours, and a final report no more than a month after the notification was submitted. Every three months, a summary of all incidents, threats and near misses is reported to ENISA.
Use of European cybersecurity certification schemes (Article 24)
EU member states are allowed to require essential and important entities to use specific IT products, cloud services and IT processes that are certified under the European cybersecurity certification schemes. There are two main schemes from ENISA: the EUCC for products and the EUCS for cloud services and apps.
NIS2 entitles the EU Commission to issue mandatory certification requirements.
Standardisation (Article 25)
EU member states shall encourage using European and international standards and technical specifications relevant to the security of network and information systems without discriminating against a certain type of technology.
What level of security do we need to achieve?
The level of cybersecurity required of your organisation is determined by, for example, how critical your organisation is considered under NIS2 (“important”, “essential” or “critical”), any additional sector-specific Union legal acts, the customers your organisation serves and their requirements on their supply chain, and the ambitions and risk appetite of your organisation’s management.
What are the ten NIS2 security requirements?
The ten minimum mandatory requirements are set out in Article 21:
- Policies on risk analysis and information system security
- Incident management (prevention, detection, and response)
- Business continuity and crisis management
- Supply chain security, which includes the security of relationships between entities and their suppliers and/or service providers
- Security in the acquisition, development, and maintenance of network and information systems and their handling, as well as disclosure of vulnerabilities
- Policies and procedures (such as testing and auditing) to determine the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cyber training
- Use of cryptography and encryption supported by policies and procedures
- Human resources security, access control policies and asset management
- Use of multi-factor authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate.
Essential and important entities should additionally adopt various basic cyber hygiene practices. This includes, but is not limited to, zero-trust principles, software updates, user awareness, organising training for their staff, and raising awareness of the most common cyber-attacks, such as phishing.
What is NIS2 supply chain security?
Your organisation is responsible for the security of your supply chain, which covers the overall quality of your suppliers’ products and cybersecurity practices (Article 21:2d).
Supply chain security is a subset of supply chain management and addresses threats from external vendors, suppliers, logistics, resellers and transportation. The threats include both physical attacks and cyber-attacks. Third parties, such as suppliers, are often perceived to have weaker defences than the organisation targeted. Supply chain security consists of risk management and cybersecurity. The former helps identify, analyse and mitigate the potential impact of incidents, and should include both technological and physical security controls. The latter covers the IT systems, software and other networks used, and the associated management controls.
At a European level, NIS2 will strengthen the level of cybersecurity within the supply chain for key information and communication technologies. Member States may, in support of the Commission and ENISA, conduct Union-level coordinated security risk assessments of critical supply chains. This builds on the approach that previously proved successful in the context of the Commission Recommendation on the Cybersecurity of 5G networks.
For a more in-depth analysis of the NIS2 supply chain security requirements and how to manage your third-party supplier, see our guide to NIS2 Supply Chain Security.
Mandatory training
The management bodies of essential and important entities are required to follow training. Essential and important entities are also encouraged to offer similar training to their employees (Article 20:2). As stated above, this is important for effective supply chain security and may well be necessary to comply fully with NIS2.
Supervision under NIS2
Supervision and enforcement are at the centre of the NIS2 Directive. NIS2 provides a minimum list of supervisory measures from which supervisory authorities can choose. These include on-site and off-site checks, requests for information, regular and targeted audits, and access to documents or evidence.
Failing to implement sufficient and effective security measures, or failing to report incidents, weakens cyber resilience. To establish effective enforcement, NIS2 provides a consistent framework for sanctions across the Union.
Regarding administrative fines, the Directive distinguishes between essential and important entities. For essential entities, the maximum administrative fine is at least EUR 10 million or 2% of total annual global turnover, whichever is higher. For important entities, it is at least EUR 7 million or 1.4% of total annual global turnover, whichever is higher.
Personal liability of the management and board of directors
Natural persons holding senior management positions in essential and important entities failing to comply with NIS2 may face a temporary ban from discharging their managerial responsibilities in that entity (Articles 20:1, 32:5, and 32:6). Senior managers taking part in the risk assessment and/or approval of risk mitigation are part of the circle of people that face personal liability. It is believed that the CISO, Chief Legal Officer, CEO and other senior managers taking part in these critical decisions may face personal liability for NIS2 violations.
NIS2 Reporting requirements
Reporting obligations (Article 23) are considered to be necessary in order to ensure a high level of cybersecurity across the Union.
Exploitation of vulnerabilities in network and information systems can cause significant disruption and harm. These vulnerabilities are often discovered by third parties, such as manufacturers or providers of ICT products and services. Reporting and receiving vulnerability reports can have a big impact on an entity’s cybersecurity. Entities are therefore encouraged to have a structured process for coordinated vulnerability disclosure, through which weaknesses are reported to the manufacturer or provider (NIS2 Recital 58).
The NIS2 Directive has a multiple-stage approach to the reporting of significant incidents. The aim is to balance a swift report and an in-depth report. The former helps mitigate the potential spread of significant incidents and allows the entities to seek assistance. The latter draws valuable lessons from incidents which will improve cyber resilience over time, both for individual entities and entire sectors (NIS2 Recital 101).
When essential or important entities become aware of a significant incident, they must submit an early warning without undue delay and within 24 hours. The warning is followed by an incident notification, which is sent without undue delay and within 72 hours of becoming aware of the incident. A final report must be sent no later than a month after the notification (NIS2 Recital 102, Article 23).
Because reporting is a central part of the Directive, Member States shall ensure that natural or legal persons can report anonymously. Member States must also designate one of their CSIRTs as a coordinator, acting as an intermediary and facilitating the interaction between the reporting person and the potentially failing entities (Article 12).
What is the difference between NIS2 and DORA?
The Digital Operational Resilience Act (DORA) is specifically tailored to the financial sector and highlights the necessity for strong ICT risk management. In addition to traditional risk management such as capital allocation, DORA emphasises the need for protective, detective and responsive measures against incidents relating to ICT products and/or services.
NIS2 and DORA both aim to enhance cybersecurity, but they have different scopes and applications. As we have seen, NIS2 has fairly broad coverage and imposes cybersecurity over several critical sectors. DORA is specifically tailored for the financial sector. It has more detailed and sector-specific requirements.
They differ in their applicability: NIS2 takes a blanket approach that aims to cover multiple sectors, whereas DORA is pinpointed towards one specific sector.
What is the difference between NIS and NIS2?
The NIS2 Directive expands its scope to include the sectors of energy, transport, banking, financial market infrastructures, health, water supply and digital infrastructure. Additionally, the scope includes sectors such as online marketplaces, online search engines and social networks.
Implementing a broader scope reflects the evolving digital landscape and increasing threats to digital infrastructures, which shows the importance of cybersecurity in different industries.
The NIS Directive focused on the resilience and security of operators.
In addition to broadening the scope, the NIS2 also introduces additional security requirements for communication networks, operational technology and specific obligations for cloud services (NIS2 Recitals 35 and 84).
NIS2 has stricter compliance requirements than NIS and has a bigger focus on security measures for digital service providers, online marketplaces, and search engines.
NIS2 also has stricter liability regulations and harsher penalties for non-compliance. Following the structure of administrative fines under the GDPR, the maximum fine for a non-compliant entity is EUR 7 million or 1.4% of turnover for important entities, and EUR 10 million or 2% of turnover for essential entities, whichever is higher.
Incident reporting timelines and thresholds have been revised in the NIS2 Directive, and entities are to report significant incidents at different stages within specific timelines.
NIS2 checklist for compliance
After the strong demand for a simple, cost-effective process, we have streamlined our process to guide any organisation in improving its NIS2 compliance.
- Start with a NIS2 scoping check. Perform a high-level review of your NIS2 readiness, priorities and action plan.
- Perform an impact analysis and scoping. Determine the extent to which you are affected by NIS2 based on your infrastructure and your customers. Assess product features, services and customers to determine how your business is impacted.
- Carry out a NIS2 gap analysis. The outcome should inform your management of the appropriate assurance level and the priorities in your action plan.
- Establish a current situation, set goals for the NIS2 readiness, and get management’s approval.
- Align your risk assessment framework with your information security classification system and general compliance (e.g. GDPR).
- Consider any organisational changes to support your plan.
- Update your internal processes and procedures. Mind the personal liability of senior managers and create a reporting structure and appropriate templates.
- Take up dialogue with your supply chain – NIS2 requires an entirely new dialogue on supply chain security.
- Perform regular check-ups of your level of NIS2 readiness.
We recommend that you seek professional advice to discern which requirements are relevant to you and how to adapt and implement these steps. Note that the above-mentioned concerns are not exhaustive, and different interpretations exist.