- NIS2 is the new cybersecurity directive established by the EU to ensure cyber resilience and collaboration across its Member States.
- NIS2 is the extended version of its predecessor, the Network and Information Systems (NIS) Directive of 2016.
- The directive sets out four overarching requirements and a list of 10 baseline security measures for entities to comply with. NIS2 brings more sectors into scope than NIS did.
- Now is the right time for organizations to start preparing and staying up to date with the deadlines of the NIS2 directive.
In this post, we will give you an overview of what NIS2 is, its background, applicability, security requirements, penalties for non-compliance and steps to get started.
What is NIS2?
NIS2 is the modernized version of the European Union’s first cybersecurity framework, the Network and Information Systems (NIS) Directive (EU) 2016/1148. The EU introduced the NIS2 directive in 2020 to boost its Member States’ overall cyber resilience and security.
NIS2 builds upon its predecessor, NIS, by covering a broader range of sectors. Having come into effect in January 2023, the new directive imposes security measures and the obligation to report, follow up and resolve cybersecurity incidents within stipulated timelines.
The Background Behind the Formation of the NIS2 Directive
Network and Information Systems (NIS) was introduced in 2016 to achieve a high common level of cybersecurity across the EU. NIS focused on establishing cyber resilience and promoting collaboration across organizations and Member States.
NIS was designed to ensure security across seven sectors that are vital for the EU’s economy and society and that rely on ICT – energy, transportation, banking, finance, drinking water, healthcare, and digital infrastructure. Broadly, the scope of NIS covers two groups: operators of essential services and relevant digital service providers. Over the following years, digitalization expanded rapidly. Though growing dependence on digital services is beneficial, it also exposes organizations and Member States to cyber risks. Increased interconnectedness across sectors and services means that a disruption in one entity can have cascading effects on others.
The NIS implementation was found to have limitations in addressing new cyber threats. Following an extensive stakeholder consultation, the European Commission identified the following issues:
In December 2020, the European Commission proposed the new NIS2 directive to address the contemporary threat landscape.
Penalties for Non-Compliance with the NIS2 Directive
Entities in scope that fail to meet NIS2 requirements or to report incidents face stricter penalties. The directive provides for three kinds of penalty for non-compliance: non-monetary remedies, administrative fines, and criminal sanctions.
- For Essential Entities (EE), NIS2 provides for administrative fines of at least €10,000,000 or 2% of the company’s global annual revenue, whichever sum is higher.
- For Important Entities (IE), NIS2 provides for administrative fines of at least €7,000,000 or 1.4% of the company’s global annual revenue, whichever sum is higher.
The Security Requirements of NIS2
NIS2 sets a list of minimum cybersecurity requirements that must be met to comply with the directive. Member States can choose to implement higher standards than these requirements.
Broadly, NIS2 defines four overarching areas of requirements and obligations, as follows:
- Risk Management
Companies must protect their systems and networks from cybersecurity risks by implementing robust processes.
- Corporate Accountability
NIS2 holds companies’ executive level responsible for proper cyber protection. The directive requires management to oversee, approve and be trained on security requirements, and to address them in a timely manner.
- Reporting Obligations
In case of a breach, essential and important entities must have processes in place to report the security incident. When a company becomes aware of a security incident, it must notify the Computer Security Incident Response Team (CSIRT) or its national authority within 24 hours.
- Business Continuity
The NIS2 directive provides that companies must have a strategy to ensure business continuity without disruption in the event of a cyber-attack. For example, the continuity plan must include building a crisis response team, system recovery and emergency procedures.
Ten Minimum Security Measures for Essential and Important Entities
- Risk assessments and security policies for information systems
- Policies and procedures for evaluating the effectiveness of security measures
- Policies and procedures for the use of cryptography
- A plan for handling security incidents
- Security around the procurement of systems and the development and operation of systems
- Cybersecurity training and practice for basic cyber hygiene
- Security procedures for employees with access to sensitive or important data, including policies for data access
- A plan for managing business operations during and after a security incident
- The use of multi-factor authentication
- Security around supply chains and the relationship between the company and its direct suppliers
Who Must Comply with the NIS2 Directive?
Two types of entities are designated in the scope of NIS2: Essential Entities (EE) and Important Entities (IE). Organizations in both categories must comply with the same set of requirements; the difference lies in the level of security supervision and in the penalties for non-compliance.
Essential Entities (EE) provide “Essential Services” to the European economy and society. According to the NIS2 directive, organizations with an employee count of 250, an annual turnover of €50 million or a balance sheet of €43 million generally fall under essential entities.
Important Entities (IE) provide “Important Services” to the European economy and society. According to the NIS2 directive, the size threshold for important entities is generally 50 employees, an annual turnover of €10 million or a balance sheet of €10 million.
Also, NIS2 mentions that when an entity doesn’t meet the size criteria but is the sole provider of critical societal or economic services in a Member State, it may still be considered “essential” or “important”.
Does NIS2 Apply if You are Not in the EU?
The EU’s cybersecurity frameworks are well known for their stringent territory-based compliance requirements. It is important to understand that NIS2 has an extraterritorial scope similar to that of the GDPR. If your organization is not based in the EU but provides services within its Member States, NIS2 applies to your entity.
For non-EU entities, the directive provides that you must designate a representative in one of the Member States in which your company operates. The representative then oversees the company’s NIS2 implementation and compliance.
Timeline to Comply with the NIS2 Directive
- By 17 October 2024, the Member States of the European Union are required to adopt the directive and publish its requirements for compliance. NIS2 also specifies that the countries shall apply the security measures from 18 October 2024.
- The directive requires the Member States to prepare a list of all essential and important entities providing services to their countries.
If your company falls under the scope of the NIS2 directive, now is an excellent time to start!
How to Prepare for Compliance?
- Assess whether NIS2 is Applicable to Your Organization
Before starting with NIS2, ensure you are familiar with the directive. Assess whether your organization falls under the scope of essential entities or important entities as defined by the directive.
- Identify Processes that Need to be Secured
The first step in the compliance journey is identifying the critical systems and networks that need to be secured. Conduct a risk assessment to get an overview of the potential cyber risks, gaps, and vulnerabilities in your organization’s architecture.
You can start by assessing the fundamental parts of your network, such as endpoint access and user behaviour. NIS2 also addresses the security of human resources and user access.
- Establish a Security-First Culture
Building a culture oriented towards cybersecurity hygiene and mature security awareness is essential. The NIS2 directive specifies that companies must encourage cyber hygiene practices and implement awareness training to enhance the cybersecurity of member countries.
Hence, it is imperative to train employees on their roles and responsibilities within the IT ecosystem, and the C-level must proactively make security an integral element of the organization.
- Implement Security Requirements
Once you have assessed the existing security risks to your organization, the next step is to implement the security measures needed to mitigate them. Ensure that you implement the ten baseline security measures specified under the NIS2 directive to ease your path to compliance.
Here is How We Can Help You
Sectona provides user access management and security solutions that let you assess user behaviour, implement multi-factor authentication and secure critical assets with cryptography and encryption. Our security-first approach aims to protect enterprise environments spread across endpoints, on-premises, and the cloud.
Sectona’s Privileged Access Management is an easy-to-implement solution that can help you comply with NIS2. Our PAM provides a complete audit trail to simplify your compliance endeavours.
Sectona PAM also helps enhance cyber hygiene by streamlining user access through stringent controls such as Just-in-Time access and Role-Based Access Control.
Interested in knowing more about Sectona? Feel free to contact us.