NIS2 - Directive on Security of Network and Information Systems

The Clock is Ticking on Compliance

By mid-2024, organizations will need to begin complying with national laws that incorporate NIS2 requirements. The clock is already ticking on what will be a lengthy risk assessment, risk management, and training challenge for many medium and large organizations within NIS2 scope.

Whilst the first NIS Directive of 2016 was about establishing a framework for EU-wide cyber security of essential services, NIS2 is about regulation and enforcement. It was brought into force as a directive that the 27 EU member states must transpose into national law by late 2024.

NIS2 can be regarded as ‘NIS on anabolic agents’ for an era in which organizations operating essential services need more than ever to manage the cyber risk of both their IT and their operational technology (OT), the control systems that manage, monitor, automate and control industrial operations. Greater risk arises from greater connectivity between OT and IT, and externally through the internet. NIS2 covers more sectors than NIS, as illustrated in figure 1.

The NIS2 Directive recognizes that some sectors may already have their own cybersecurity legal acts in place. In cases where these sector-specific acts provide equivalent or greater cybersecurity measures than those outlined in the NIS2 Directive, the relevant provisions of the directive will not apply to those entities. However, for entities not covered by these sector-specific acts, the provisions of the NIS2 Directive will continue to apply.

The directive advocates for stricter enforcement standards, increased oversight of national agencies, and greater alignment of penalty policies among Member States. Additionally, NIS2 reinforces the NIS Cooperation Group’s influence over strategic policy decisions and expands information exchange and cooperation among Member State authorities. The new directive also enhances operational coordination, especially in managing cyber crises. It compels individual businesses to address cybersecurity risks in supply chains and supplier partnerships, enhancing cybersecurity for critical information and communication technology at the European level. Following the successful strategy employed in the European Commission’s Recommendation on Cybersecurity framework, Member States may conduct coordinated risk assessments of vital supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity (ENISA).

NIS2 main changes

1. Expands the scope of the existing NIS Directive by incorporating new sectors based on their significance to the economy and society. NIS2 introduces a clear size limit, encompassing medium and large businesses in certain sectors. It grants Member States flexibility in identifying smaller organizations with high security risk profiles. NIS2 also eliminates the distinction between digital service providers (DSPs) and operators of basic services. Entities will be categorized into essential and important classes, further divided into subgroups subject to various oversight types.

2. Establishes requirements for oversight and accountability of the ‘management body’ in security risk management. Introduces a risk management method specifying a minimal set of essential security features, enhancing and simplifying security and reporting obligations for businesses.

3. Provides more explicit guidelines for incident reporting, report content, and delivery schedules, necessitating the implementation of a more stringent incident response process.

4. Adjusts fines and penalties for non-compliance.

5. Proposes compelling individual businesses to address cybersecurity risks in supply chains and supplier partnerships, enhancing cybersecurity for critical information and communication technology at the European level. Following the successful strategy employed in the European Commission’s Recommendation on Cybersecurity framework, Member States may conduct coordinated risk assessments of vital supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity (ENISA).

6. Advocates for stricter enforcement standards, increased oversight of national agencies, and greater alignment of penalty policies among Member States. Additionally, NIS2 reinforces the NIS Cooperation Group’s influence over strategic policy decisions and expands information exchange and cooperation among Member State authorities. The new directive also enhances operational coordination, especially in managing cyber crises.

7. Establishes an EU registry in this domain, operated by ENISA, and outlines a fundamental framework with accountable key actors for coordinated vulnerability disclosure of recently identified vulnerabilities across the EU.

NIS2 requirements on organizations, management, and supply chains

  • Analysis of risks and security policies for information systems;
  • Management of incidents, covering prevention, detection, and response;
  • Planning for business continuity and crisis management;
  • Ensuring supply chain security, addressing security-related aspects of relationships with suppliers, service providers (e.g., data storage and processing services), and managed security services providers;
  • Security considerations in the acquisition, development, and maintenance of network and information systems, encompassing vulnerability handling and disclosures;
  • Establishment of policies and procedures to evaluate the efficacy of cybersecurity risk management measures; and
  • Implementation of cryptography and encryption measures.

NIS2 Reporting

NIS2 aims to boost information sharing and collaboration on managing cyber crises between Member States at EU level. It mandates a greater degree of EU-wide harmonization of reporting obligations for organizations within scope and for national computer security incident response teams (CSIRTs) or, where applicable, competent authorities.

NIS2 obliges organizations to issue ‘without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact’.

Within 72 hours of becoming aware of the significant incident, the organization must file an incident notification that updates, where applicable, the information given in the early warning and provides an initial assessment of the significant incident, including its severity, impact and, where available, the indicators of compromise. The national CSIRT or competent authority can request a more detailed follow-up report one month after the 72-hour notification. This means that organizations with OT/IT within scope must have or develop compliant incident response processes that report incidents within the prescribed deadlines (Section 3.2). This could be quite challenging for OT companies, as many do not yet include incident response in their daily security routines despite it being a critical aspect of cyber security.
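As an added illustration (not code from the article), the three-stage reporting timeline above as a small Python deadline tracker: it computes the 24-hour and 72-hour deadlines from the moment of awareness and reports, for each stage, whether the filing is done, still due, overdue, or was filed late. The 30-day figure for ‘one month’ and the sample incident timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deadlines as described in the text: early warning within 24 h of awareness,
# incident notification within 72 h, follow-up report one month after the
# notification, but only if the CSIRT / competent authority requests it.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FOLLOW_UP = timedelta(days=30)  # assumption: "one month" modelled as 30 days


@dataclass
class SignificantIncident:
    aware_at: datetime                          # when the organization became aware
    early_warning_at: Optional[datetime] = None  # when the early warning was sent
    notification_at: Optional[datetime] = None   # when the 72 h notification was sent
    follow_up_requested: bool = False            # did the authority ask for a report?
    follow_up_at: Optional[datetime] = None      # when the follow-up report was sent


def deadlines(inc: SignificantIncident) -> dict:
    """Absolute deadline per stage; the follow-up stage only exists once requested
    and once there is a notification to count one month from."""
    d = {"early_warning": inc.aware_at + EARLY_WARNING,
         "notification": inc.aware_at + NOTIFICATION}
    if inc.follow_up_requested and inc.notification_at is not None:
        d["follow_up"] = inc.notification_at + FOLLOW_UP
    return d


def status(inc: SignificantIncident, now: datetime) -> dict:
    """Map each applicable stage to 'done', 'late', 'due' or 'overdue'."""
    filed = {"early_warning": inc.early_warning_at,
             "notification": inc.notification_at,
             "follow_up": inc.follow_up_at}
    out = {}
    for stage, deadline in deadlines(inc).items():
        sent = filed[stage]
        if sent is not None:
            out[stage] = "done" if sent <= deadline else "late"
        else:
            out[stage] = "overdue" if now > deadline else "due"
    return out


def demo() -> dict:
    # Constructed sample: aware at 09:00 UTC, early warning sent 5 h later,
    # no notification yet, checked 80 h after awareness.
    t0 = datetime(2024, 11, 4, 9, 0, tzinfo=timezone.utc)
    inc = SignificantIncident(aware_at=t0, early_warning_at=t0 + timedelta(hours=5))
    return status(inc, now=t0 + timedelta(hours=80))
```

Running `demo()` shows the early warning as done and the 72-hour notification as overdue, which is the state an incident-response checklist should flag.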

3 Key Steps To Prepare for NIS2

1. Establish from the outset which systems fall within the regulatory scope set by NIS2. Knowing the scope early gives clarity and lays the foundation for compliance management and for strategic decisions aligned with NIS2 requirements.

2. Assess cybersecurity risks carefully, then implement and maintain strong security measures to strengthen your organization’s defenses against the threats identified. A resilient cyber strategy, built on risk awareness and responsive controls, keeps the organization prepared as the threat landscape changes.

3. Document the evidence needed to show compliance with the specified controls. A clear and complete record of the measures taken supports audits and gives the organization a transparent account of its adherence.
