NIS2 Compliance Countdown: What You Need to Know

NIS2 directive in the EU

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security Directive (EU) 2022/2555) is an update to existing legislation that’s concerned with network and information security. It came into effect in 2023 and EU Member States have until October 17, 2024, to translate it into their national laws. Organizations that the new Directive applies to will need to comply with its requirements. But what exactly is the NIS2 Directive, who does it cover, and how can organizations that fall within its scope prepare? In this article, we answer those questions and a few more, but let’s start with where it came from…

Beginnings

The country of Estonia emerged from 50 years of Soviet rule to become an independent state, eventually joining the EU and NATO in 2004. But political tensions still bubbled under the surface, and when a Soviet-era war memorial was relocated in 2007, some of the nation’s ethnic Russians felt aggrieved about the move and rioted. That would’ve been bad enough, but what made it worse was an unprecedented series of cyber-attacks orchestrated by the Russian government that took the websites of banks, public services, parliament, and others offline for weeks.

This was the first time that an entire nation had almost been brought to its knees by a hostile neighbor without a shot being fired. Estonia learned from the experience and the European Union was taking notes too. In 2016, it issued the first Network and Information Security Directive (which we’ll call NIS1). It sought to protect EU member states from such attacks by establishing a high common standard of cyber defense for providers of infrastructure services.

While this initial NIS Directive looked good in principle, in practice it had shortcomings. The main problem was that it gave each EU member state the flexibility to implement the requirements according to its own legal and regulatory framework. This meant that a company might be classed as what the first Directive called an OES (Operator of Essential Services) in one country, a DSP (Digital Service Provider) in another, but be excluded from its scope altogether in a third. With different countries interpreting NIS in different ways, there was no common standard, which, after all, was the whole point of creating it.

Even if this hadn’t been the case, the first NIS was due an update anyway, because things have moved on. Digitization has swept across even more sectors and the cyber-security threat landscape has become bigger and more challenging. This is what has driven the creation of other security-focused EU legislation such as the Cyber Resilience Act and the Digital Operational Resilience Act (DORA), and now the NIS2 Directive updates its predecessor to meet these evolving needs. It covers more sectors and entities than before so that the public and private organizations a nation relies on to function are more resilient and better able to respond to global threats.

The NIS2 Directive standardizes requirements for implementing cybersecurity measures across all member states, and it sets minimum reporting standards for essential service providers in sectors like energy, health, transport, water, and certain digital services and infrastructure providers.

Non-EU Organizations

While it may sound like GDPR, the NIS2 Directive is all about safeguarding network and information systems security rather than data security standards, but one way that it does resemble GDPR is that it doesn’t just apply to companies based in the EU; it can potentially affect those doing business with them. This means that any company in any country that’s involved with EU organizations that fall within the scope of the NIS2 Directive (perhaps because they are supply chain partners or cloud service providers) may also need to align their policies and procedures with its requirements.

The differences between NIS1 and NIS2

Since this is an update, let’s look at what has changed. NIS1 focused on these essential service sectors:

  • Energy (electricity, oil, gas)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Drinking water
  • Healthcare
  • Digital infrastructure (internet exchange points, DNS providers, data centers, etc.)

NIS1 also included providers of digital services, but it treated them as a separate category.

Below are the sectors that the NIS2 Directive covers. It divides them into two categories, essential entities and important entities, but there are minimum threshold criteria for each, and the thresholds vary by industry.

In general, though, to be classed as an ‘essential entity’, a company must have at least 250 employees, an annual turnover of €50 million, or a balance sheet of €43 million. To qualify as an ‘important entity’, a company will generally have a minimum of 50 employees, an annual turnover of €10 million, or a balance sheet of €10 million.

That said, in both cases NIS2 will still apply to some smaller businesses if they are deemed to be important enough to their country’s economy or society, such as when they are the sole providers of an essential service.

Essential Entities

  • All NIS1 sectors listed above
  • Energy
  • Transport
  • Finance
  • Public administration
  • Health
  • Space (as in ‘outer space’, not ‘storage’)
  • Water supply (drinking and wastewater)
  • Digital infrastructure (e.g., cloud computing service providers and ICT management)

Important Entities

  • Postal and courier services
  • Waste management
  • Manufacturing
  • Chemical production and distribution
  • Food production and processing (wholesale and industrial)
  • Digital providers (e.g., search engines, online marketplaces, social networking platforms)
  • Research organizations (excluding education)

The NIS2 Directive applies to a much broader range of organizations than its predecessor. NIS1 did focus on operators of essential services like energy, transport, and finance, but the updated version includes a wider variety of companies across different sectors, including digital service providers like online marketplaces and search engines, which now need to comply with its requirements. This is a testament to the fact that the smooth running of everyday life now relies so heavily on digital elements.

New Requirements for Organizations

The directive places new requirements on organizations in these four areas:

Risk Management

Organizations will need to show that they are managing risks effectively by putting incident management strategies in place, strengthening their supply chain security (one of Reflectiz’s strengths), beefing up network security, tightening access control, and using encryption where appropriate.

Corporate Accountability

An organization’s managers will no longer be able to hold security teams solely responsible for cases of non-compliance. The NIS2 Directive has made cybersecurity a boardroom issue by placing the responsibility on senior management, to the extent that executives may be held personally liable if gross negligence is discovered following a cybersecurity incident. This means that corporate management will need to receive training on their organization’s cyber-security measures, oversee them, and approve their implementation.

Reporting Obligations

Organizations deemed to be ‘essential’ or ‘important’ need to have processes in place so they can properly report any security incidents that significantly affect their service or its recipients. NIS2 sets specific deadlines of 24 hours to notify the competent authority, then 72 hours for a full report, and one month for a final report.

Business Continuity

Businesses need to draw up a plan for how they will respond to major cybersecurity incidents, which should include the creation of a crisis response team, emergency procedures, and system recovery measures.

Minimum Security Measures

Organizations that come under the essential and important categories must set up minimum security measures to address specific forms of likely cyber threats. These include:

  • security policies and risk assessments for information systems.
  • policies and procedures for evaluating the effectiveness of security measures.
  • policies and procedures for using cryptography, and encryption when necessary.
  • a plan for handling security incidents.
  • security concerning procuring, developing, and operating systems, which entails creating policies for handling and reporting vulnerabilities.
  • basic computer safety practices and cybersecurity training.
  • security procedures for employees with access to sensitive or important data, including data access policies. Organizations must also have an overview of all relevant assets and ensure that they are used properly.
  • a plan that uses up-to-date backups to keep IT systems available and functioning properly with minimum disruption both during and after a security incident.
  • using multi-factor authentication, continuous authentication solutions, encrypted voice, video, and text, and internal emergency communication, where appropriate.
  • supply chain security that takes each supplier’s specific vulnerabilities into account and then assesses the overall security level across all suppliers.

Supervision and Enforcement

National authorities now have more power to supervise and enforce compliance under the NIS2 directive, and they can impose stricter penalties in cases of non-compliance.

Under NIS2, non-compliance fines will vary depending on the type of entity:

  • For essential entities, the fines can be up to €10 million or 2% of their global yearly revenue, whichever is higher.
  • For important entities, the fines can reach the greater of either €7 million or 1.4% of their annual global revenue.

Remember that these are maximum fines and the actual penalties handed out may vary depending on the specific circumstances of each case.

How to prepare for NIS2

With the NIS2 Directive set to be transposed into national law by October 17, 2024, there isn’t much time left. The first thing to do is check whether your organization falls within the scope of NIS2 using the employee, turnover, and balance sheet thresholds mentioned above.

Evaluate Your Existing Cybersecurity Status

Conduct a comprehensive evaluation of your current IT infrastructure, security measures, and cybersecurity protocols. Take note of any discrepancies or vulnerabilities in relation to the NIS2 standards and plan to address them.

Educate and Involve the Leadership

Make certain that your organization’s leadership is fully aware of the implications and obligations that the NIS2 Directive brings. Present a compelling business argument highlighting the risks associated with non-compliance and the advantages of adopting proactive cybersecurity strategies. (The fact that they could be held personally liable for inadequately preparing for cyber-security attacks should ensure that you have their full attention.)

Secure Adequate Budget and Resources

Collaborate with the leadership to obtain the necessary funding and resources to put the required security controls and processes into action. This might necessitate investments in new technologies, staff, training, and continuous maintenance.

Formulate a Strategy and Execution Plan

Using your gap analysis, devise a comprehensive strategy and execution plan to meet the NIS2 standards. Prioritize the most crucial and time-intensive areas to ensure compliance by the October 2024 deadline.

Update Security Policies and Procedures

Examine and revise your organization’s security policies, incident response strategies, and other relevant procedures to comply with the mandates of the NIS2 Directive. This includes strategies for risk management, access control, data protection, and supply chain security.

Deploy Technical Security Measures

Implement the required technical security measures, such as multi-factor authentication, encryption, vulnerability management, and security monitoring and logging capabilities.

Conduct Cybersecurity Training

Make sure all employees undergo regular cybersecurity awareness training to assist them in recognizing and responding to potential threats. This is a crucial requirement under the NIS2 Directive.

Evaluate and Control Supply Chain Risks

Assess the cybersecurity status of your organization’s suppliers and service providers and put in place a security solution like Reflectiz to mitigate risks throughout the supply chain.

Get Ready for Incident Reporting and Audits

Set up robust procedures for incident detection, analysis, and reporting to comply with the NIS2 Directive’s stringent notification requirements. Also, prepare for potential audits and inspections by regulatory bodies.

By proactively addressing these key areas, you can position your organization to achieve NIS2 compliance and boost its overall cybersecurity resilience before the directive comes into effect.

How Reflectiz can help

The NIS2 Directive places great emphasis on managing supply chain risks, which is something that Reflectiz excels at. This powerful but easy-to-use SaaS solution maps all first-, third-, and fourth-party components in your company’s digital ecosystem, establishes a baseline of permitted behaviors, and then actively monitors them for changes.

Under Reflectiz’s watchful gaze, the kind of malicious code changes that cyber attackers use to gain a foothold in systems will trigger prioritized alerts for swift mitigation before they can do damage. Achieve NIS2 compliance and take control of your company’s cybersecurity. Sign up for Reflectiz’s continuous web threat managemen
