Ready or not, NIS2 is here. From October 2024, relevant organizations operating in the EU will need to comply with NIS2’s expanded set of cybersecurity measures, including supply chain checks, enhanced reporting obligations, and more detailed incident response planning.
If all of this is giving you a headache, don’t worry – we’re here to break down exactly what NIS2 means for you. In this article, we explain the ten baseline NIS2 requirements, and show how the right cybersecurity awareness training can help your team get ready.
Let’s get started with the basics: what is NIS2, and why does it matter?
Ready to make NIS2 a walk in the park? Download our free six-step compliance checklist.
What is NIS2, and why does it matter?
The Network and Information Security Directive (NIS2) is an EU regulatory directive establishing a higher common level of cybersecurity across organizations operating within Member States. It builds upon the 2016 NIS by requiring entities to take extra steps to protect themselves against cyber threats.
Specifically, NIS2 aims to:
- Increase cybersecurity resilience by requiring EU entities fulfilling important functions for economy and society to take adequate cybersecurity protection measures;
- Reduce inconsistencies in cybersecurity preparedness by further aligning security and incident reporting and outlining an expanded list of compulsory security measures; and
- Improve collective capability to respond to threats by building trust between authorities, sharing information, and setting rules to apply in the event of a large-scale security incident.
Following the EU’s approval of NIS2 in January 2023, Member States have until October 2024 to transpose its measures into national law. At that point, EU entities must comply with NIS2 requirements or risk facing fines or other enforcement measures.
Now, let’s dig into a related topic: what about the Digital Operational Resilience Act?
Wait, what about DORA?
Alongside NIS2, the Digital Operational Resilience Act (DORA) will also come into effect within EU Member States in early 2025. While the NIS2 directive and DORA regulation are distinct texts, in practice they achieve complementary goals.
NIS2 aims to harmonize the global level of cybersecurity across the EU, whereas DORA aims to strengthen the operational resilience of entities within the EU financial sector, ensuring financial systems are able to withstand cyber attacks.
Put simply, DORA outlines a specific regulatory framework for EU financial sector entities. If you work within one of the 21 types of entity referred to in Article 2 of DORA (credit institutions, payment institutions, investment firms, and others), or are a critical supplier to these entities, then you may need to expand your cybersecurity measures to keep up.
Here are the five key DORA requirements and what they mean for affected entities:
- Entities must have an Information and Communications Technology (ICT) Risk Management Framework in place, and must familiarize all staff with this framework.
- Similarly, entities must have an incident response process in place, including classifying incidents and reporting them correctly.
- Security testing will now be mandatory, and must be carried out more often than before.
- Entities must map out all third-party risks and show how they’re addressing these (for example, risks within key suppliers).
- It will now become mandatory for entities to share threat intelligence within the community of financial entities.
Many larger organizations within the EU financial sector will likely comply with these elements thanks to their existing cybersecurity systems and protections. However, for smaller entities working within the sector, these elements may require new levels of preparation.
Now, back to NIS2. How is it different from the 2016 NIS?
Learn more: A Culture of Cybersecurity Awareness Helps Manage Risk and Boost ROI – Here's How
How is NIS2 different from the 2016 NIS?
In the years following NIS coming into force, EU lawmakers identified some challenges with its application. Specifically, NIS standards didn’t reflect the level of interconnectedness between digitized sectors, and didn’t match the growing complexity of cyber threats. They also didn’t anticipate the rapid expansion of online activity due to the COVID-19 pandemic.
NIS2 addresses these challenges by covering a wider segment of EU industries, including ICT management and manufacturing (we’ve included the full list in the table below). With this expanded coverage, experts estimate NIS2 will apply to around 160,000 entities across 27 Member States, helping to create an enhanced set of shared cybersecurity practices.
Five key expansions from NIS to NIS2
Beyond applying to a greater number of EU entities, NIS2 requires organizations to take additional steps to protect themselves against cybersecurity threats. It does this by expanding upon NIS in five critical ways:
- Risk ownership: Management bodies will now have a more central role in owning cybersecurity risks, including approving and implementing risk management measures.
- Enforcement penalties: EU authorities can now impose fines of up to €10 million, or 2% of a company’s global annual turnover, in response to NIS2 breaches. They can also publicly disclose aspects of non-compliance and suspend certifications and authorizations.
- Security requirements: Essential and important entities will be required to take ‘appropriate and proportionate’ technical measures to manage risks to the security of network and information systems (more on this below).
- Supply chain security: Entities will now be required to perform a greater range of due diligence on their supply chain processes, including assessing the cybersecurity practices of their suppliers and service providers, and taking action to address any risks.
- Incident reporting: Entities must report cybersecurity incidents more promptly, submitting initial notifications to competent authorities within 24 hours of significant incidents, followed by a full notification report within 72 hours, and a final report after one month.
So, those are the core elements of NIS2. But how do they apply to your organization?
‘Important’ vs. ‘essential’ entities: How will NIS2 affect you?
NIS2 makes significant changes to how EU entities are categorized in terms of cybersecurity requirements. This addresses the risk of inconsistent treatment under the 2016 NIS, where Member States had applied divergent definitions of ‘vital organizations’ (covered by the NIS) and ‘non-vital organizations’ (not covered), creating confusion for affected entities.
To address these inconsistencies, NIS2 outlines a single set of simplified set of cybersecurity requirements covering all ‘essential entities’ and ‘important entities’, and requires Member States to identify and register entities operating within their territories by April 2025.
Here’s a quick overview on how entities within the EU will be classified under NIS2:
Note: * indicates new sectors added in transition from NIS to NIS2
Does NIS2 impact companies outside the EU?
NIS2 requirements apply only to essential and important entities within EU Member States. However, any companies doing business with EU entities should bear in mind NIS2’s new supply chain security requirements, and how these requirements will also extend to business partners.
Alongside NIS2, over 40 US states have introduced 250 bills focused on cybersecurity, with more expected to come. This makes it critical for US organizations to examine whether their security policies and systems remain fit-for-purpose in light of these expanding requirements.
Now, let’s unpack the ten foundational cybersecurity measures required by NIS2.
The ten baseline cybersecurity measures required by NIS2
NIS2 requires all essential and important EU entities to take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems.
Entities must prevent or minimize the impact of any security incidents on their clients, customers, and users. Specifically, Article 21 outlines ten minimum baseline measures all essential and important entities must have in place to manage cybersecurity risks:
- Policies on risk analysis and information system security, including guidance for staff members on basic IT security practices and risk management.
- A plan for handling security incidents, including reporting, investigating, and resolving incidents, and clarifying the individuals and groups responsible for these actions.
- Policies to ensure business continuity, including managing operations during and after a security incident. Specifically, this means ensuring backups are up-to-date, and maintaining access to IT systems and their operating functions.
- Supply chain security policies and best practices, including managing any security risks that may arise through the relationship between a company and its direct suppliers. Specifically, companies must assess the security level for all suppliers, identify any potential vulnerabilities, and address these with appropriate security measures.
- Policies to ensure the secure acquisition, development, and maintenance of networks and information systems. This includes handling and disclosing any security vulnerabilities.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures, including scheduling third-party audits and acting on the results of these audits.
- Basic cyber hygiene practices and cybersecurity training. This includes training in how to identify the most common cybersecurity threats, what to do in response to these threats, and best practices to keep sensitive data secure.
- Policies and procedures regarding the use of cryptography and, when relevant, encryption. This includes storing and handling sensitive client and customer information.
- Human resources security policies and procedures covering employees with access to sensitive or important data. Specifically, organizations must have a clear overview of all relevant data assets, and ensure that they are properly utilized and handled.
- The use of multi-factor authentication and continuous authentication solutions, including secured voice, video, and text communications, and where relevant, encrypted internal emergency communication.
So, how can organizations be confident the measures they have in place are ‘appropriate and proportional’ within the meaning of NIS2? This involves considering three factors:
- The degree of the entity’s exposure to risks;
- The size of the entity and the likelihood of security incidents occurring; and
- The severity of the potential impacts of these security incidents (including their societal and economic impact).
What happens if we don’t comply with NIS2 cybersecurity measures?
Compared with the NIS penalty regime, NIS2 introduces a set of stricter penalties for entities failing to comply with baseline cybersecurity measures:
- Essential entities may face fines of up to €10 million, or at least 2% of the total annual global turnover in the previous fiscal year (whichever amount is higher).
- Important entities may face fines of up to €7 million, or at least 1.4% of the total annual global turnover in the previous fiscal year (whichever amount is higher).
In many cases, these penalties could potentially threaten future business viability, not to mention impacts on company reputation. But beyond these formal consequences, complying with NIS2 requirements is the right thing to do. It reflects a shared commitment to cybersecurity, and is an essential way to keep your customers, clients, and employees safe from cyber threats.
Ready to make NIS2 a walk in the park? Download our free six-step compliance checklist.
The key to NIS2 compliance? A great cybersecurity culture
Complying with NIS2’s expanded cybersecurity requirements might seem daunting, but it doesn’t have to be. One of the best ways to prepare? Build a culture of shared cybersecurity awareness.
You need everyone on your team to be aware of the latest cybersecurity threats (such as spear phishing or AI deepfakes), and how to keep your organization and your clients and customers safe from these threats with the right cybersecurity best practices.
To find out how Albert can deliver fun and unforgettable cybersecurity training to help boost your protection and comply with NIS2 requirements, chat to one of our experts today.
Frequently Asked Questions:
- What is the NIS2 Directive? NIS2 is a EU regulatory measure aimed at establishing a higher common level of cybersecurity across organizations operating within the EU. It requires EU Member States to implement a new set of cybersecurity requirements for organizations.
- Why does NIS2 matter for me? NIS2 prescribes a common set of cybersecurity measures for EU entities, including supply chain security, incident reporting, risk assessment and audit, and other security controls. These requirements come into effect in October 2024.
- What’s the difference between an ‘essential entity’ and an ‘important entity’? NIS2 distinguishes between these two categories based on industry sector, employee headcount, annual turnover, and asset value, and outlines different sets of penalties. The core cybersecurity requirements for essential and important entities are the same.
- Does NIS2 affect organizations outside of the EU? NIS2 does not apply to entities outside of the EU. However, companies with business relationships with EU entities will likely face new supply chain cybersecurity checks as a result of NIS2.
- What do I need to do to become NIS2 compliant? NIS2 compliance requires entities to implement a range of appropriate and proportional cybersecurity measures, outlined in NIS2 article 21. Our six-step compliance checklist can help you get started.
- What happens if I don’t become NIS2 compliant? Entities failing to comply with NIS2 may face a range of sanctions, including financial penalties and censures. Non-compliance with NIS2 requirements also creates a greater risk of cyber attacks.