
Navigating the NIS2 Directive: Strengthening Cybersecurity Across the EU

EU cybersecurity

The NIS2 Directive takes a significant step towards enhancing cybersecurity across the European Union. Designed to address the evolving threat landscape and ensure a robust, unified approach to cybersecurity, the Directive imposes stricter security requirements and reporting obligations on organisations that provide essential services and operate critical infrastructure.

What is the NIS2 Directive? 

The NIS2 Directive is a set of EU-wide cybersecurity requirements and regulations designed to increase the cybersecurity preparedness of EU member states. Organisations that provide essential services, digital service providers, suppliers of critical technologies, and public administration entities will have to comply with the security and notification requirements under the Directive. The role of the NIS2 Directive is to: 

  • Increase the cybersecurity posture of essential service providers 
  • Streamline cyber resilience through stricter requirements and enforcement 
  • Improve the EU’s preparedness with common security practices, incident reporting, and information sharing
  • Address shortcomings of the previous directive


Does the NIS2 Directive apply to my business?   

The NIS2 Directive applies to both public and private medium-sized and large-sized entities that provide critical services or infrastructure or conduct these activities within the EU – even if they are not physically located within the EU.

  • Large enterprises: 250 or more employees, or annual turnover above €50 million
  • Medium enterprises: 50 or more employees, or annual turnover above €10 million

The Directive also applies to small and micro enterprises if their services are critical to society, the economy, or specific sectors.  

The NIS2 Directive categorises entities as “essential” and “important”. The difference is based on size, sector, and the potential impact of a disruption. Those entities that operate in high-risk sectors are more likely to be classified as essential, while smaller or less critical entities are considered important.

Essential entities have been identified by a Member State as belonging to one of the categories of essential services that are crucial for the functioning of society and the economy. They are subject to stricter supervisory requirements and higher potential fines for non-compliance than “important” entities. These include:

  • Operators in the energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, and digital infrastructure sectors
  • Providers of public electronic communications networks and services
  • Qualified trust service providers and TLD (top-level domain) name registries
  • Public administration entities at the central government level
  • Entities designated as “critical entities” under the EU’s Critical Entities Resilience (CER) Directive. The CER Directive creates a framework to support Member States in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents.


Important entities are subject to a more flexible, ex-post supervisory approach: rather than the proactive (ex-ante) supervision applied to essential entities, authorities act when they receive evidence of non-compliance. These include:

  • Postal and courier service providers
  • Waste management entities
  • Manufacturers of chemicals, food, medical devices, electrical equipment, and other products
  • Digital service providers like online marketplaces, search engines, and social media platforms
  • Research organisations (excluding educational institutions)


What are the key requirements of the NIS2 Directive?  

NIS2 Directive requirements cover four key areas: 

Risk Management – Regular risk assessments and the implementation of technical and organisational security measures to manage those risks. 

  • Policies and procedures for risk analysis and information system security
  • Vulnerability handling and disclosure processes
  • Effective use of cryptography and encryption

Corporate Accountability – Management must be actively involved in overseeing cybersecurity.  

  • Approval of security policies and risk management strategies
  • Oversight of the implementation and effectiveness of cybersecurity measures
  • Cybersecurity training and awareness for staff, with management bodies themselves required to undergo training

Reporting Obligations – Strict incident reporting, incident handling and crisis management procedures.

  • Incident detection, analysis, and classification
  • Timely notification to the relevant authorities: for a significant incident, an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month
  • Coordinated response and recovery measures

Supply Chain Security – Organisations must implement appropriate security measures for managing cybersecurity risks across their supply chains. 


What is the difference between NIS and NIS2? 

The NIS2 Directive updates the original NIS Directive, the EU cybersecurity rules introduced in 2016, to keep pace with digitisation and the evolving cybersecurity threat landscape. NIS2 has a broader scope, more stringent security requirements, stronger enforcement, and greater cross-border collaboration, all to raise the baseline of cybersecurity resilience across the EU.

  • NIS2 covers “essential” and “important” entities across 18 sectors, including energy, transport, banking, healthcare, digital infrastructure, and more.
  • NIS2 includes more security requirements that in-scope entities must adhere to, including risk assessments, incident response plans, and supply chain security measures. Incident reporting obligations are more stringent, and entities have a shorter time frame to notify authorities.
  • National authorities are empowered to impose harsher penalties for non-compliance and issue binding instructions and temporary service suspensions.
  • The Cooperation Group, established under the original NIS Directive and strengthened under NIS2, aims to enhance cross-border cooperation and information sharing between member states to strengthen the EU’s collective preparedness and response to cyber threats.


When does the NIS2 Directive come into effect?  

The Network and Information Security Directive (NIS2) entered into force in January 2023. October 17, 2024 is the date by which all EU member states must transpose the NIS2 Directive into national law, meaning that member states must adopt and publish the necessary measures to comply with the Directive by October 17, 2024, and apply those measures from October 18, 2024.


How will the new NIS2 rules be supervised and enforced? 

The enforcement and supervision of NIS2 will be managed through a combination of national and EU-level mechanisms. 

  • National Authorities: Each EU member state is required to designate one or more competent authorities responsible for overseeing the implementation of NIS2 within their territory. These national authorities will have the power to supervise entities covered by the directive, conduct audits, and enforce compliance through administrative measures, including fines.
  • Cooperation at the EU Level: To ensure a harmonised approach across the EU, NIS2 establishes mechanisms for cooperation between national authorities. The European Union Agency for Cybersecurity (ENISA) will play a key role in this, providing guidance, facilitating information sharing, and coordinating cross-border incidents.
  • Sectoral and Regional Collaboration: NIS2 encourages collaboration between different sectors and regions within the EU, fostering a collective response to cybersecurity threats. This includes joint exercises, shared threat intelligence, and coordinated response efforts in the event of large-scale cyber incidents.


What are the potential penalties for non-compliance with the NIS2 Directive? 

The NIS2 Directive has a robust enforcement framework with substantial penalties for non-compliance. National authorities are empowered to impose sanctions on entities that are found not to adhere to the requirements. 

Financial Penalties – The guidelines for financial penalties are designed to provide an incentive for entities to ensure they are compliant:

  • For essential entities, the maximum fine is the higher of €10 million or 2% of the organisation’s global annual turnover
  • For important entities, the maximum fine is the higher of €7 million or 1.4% of the organisation’s global annual turnover

Non-Financial Sanctions – National authorities can impose additional, non-financial sanctions if an entity is found to be non-compliant:

  • Compliance orders requiring the remedy of the violation
  • Binding instructions on specific security measures to be implemented
  • Mandatory security audits
  • Orders to notify customers of potential risks
  • Temporary bans on providing services or activities

Personal Liability for Managers – New measures hold senior management personally accountable for cybersecurity failures and are designed to ensure that cybersecurity is a priority at the highest levels of the organisation rather than just an IT department concern.

  • Public disclosure of the compliance breach
  • Public identification of the individuals responsible
  • For essential entities, temporary bans on specific managers from exercising managerial functions


How can I prepare my business for NIS2 compliance?  

To achieve NIS2 compliance, organisations should:

  • Determine whether the organisation is in scope and assess whether it is classified as an essential or an important entity under the Directive. 
  • Look for other cybersecurity laws in the EU that may apply, so that a holistic approach can be taken to addressing requirements. 
  • Review current risk management and incident response processes and procedures to identify areas that require improvement.
  • Develop the necessary policies, procedures, and controls to address shortfalls.
  • Assess risk within the supply chain and develop the appropriate measures to manage this risk.
  • Ensure that the organisation has the programs in place to establish the necessary governance, accountability, and cybersecurity awareness.
  • Create and develop effective incident response and business continuity capabilities.


Ensuring your organisation is fully compliant with the NIS2 Directive is not just a legal obligation but a critical step toward safeguarding your operations against cyber threats. Understanding how the directive applies to your business and implementing the necessary measures can be complex. Contact Cycubix today to assess your compliance needs, identify areas for improvement, and develop a tailored plan to meet the NIS2 Directive requirements.