In short — What is NIS2, and what is it about?

The Network and Information Systems (NIS2) Directive represents a significant step forward for European cybersecurity. It replaces and widens the scope of the original NIS directive from 2016.

The goal is to significantly improve the cybersecurity and cyber resilience of organizations defined as essential or important for the European Union and its member states.

In very broad terms, the directive covers the following:

And yes, non-compliance can lead to fines and even suspension of business.

EU member states have until October 18, 2024, to transpose the directive into their national laws.
We further cover many details in our Q&A section on this page.

 

Where to begin to ensure NIS2 compliance?

The work towards NIS2 compliance does not need to start from scratch. The data categorization and identification already done for GDPR should get you on the way, and working towards the ISO 27001 standard for cybersecurity or using the CIS controls checklist will be a great starting point.

Since this is a directive within the European Union, it is crucial to collaborate with a trusted European-based cybersecurity vendor that understands the specific needs of this directive.

Questions

NIS2 in detail — everything you need to know


What does NIS2 stand for?

NIS stands for Network and Information Systems; NIS2 is the second version of the directive.
We recommend further reading on the Official Journal of the European Union for a full view of the new regulation.


When does NIS2 come into effect?

October 17, 2024, is the date you need to remember and work towards. That is when EU member states must adopt and publish their local legislation of the NIS2 directive.

By April 17, 2025, each member state must have identified essential and important entities within their own country.


What are the main differences between NIS and NIS2?

NIS came into effect in July 2016 and was meant to improve cyber resilience within the European Union. However, its regulations were closer to recommendations than to imposed law.

That is the most significant difference with NIS2, apart from a broader scope, with more industries included and higher requirements. Not complying with NIS2 for organizations deemed essential or important will result in severe fines or even suspension of business.


Why was the NIS2 directive developed?

The original NIS directive set out to improve cybersecurity throughout the European Union. However, geopolitical changes and the COVID-19 pandemic accelerated the digital workplace and remote work, which required an update to the directive.
The NIS2 directive sets out to harmonize cybersecurity in all member states and bring it up to a higher level. 

To align the entire Union, the NIS2 directive also aims to share knowledge and best practices by requiring incident reports to local authorities.


Which organizations are affected by NIS2?

The NIS2 directive divides affected organizations or entities into two categories:

Essential entity (EE): 

  • Energy. Including electricity, district heating and cooling, oil, gas, and hydrogen.
  • Transport. Including air, rail, water, and road. 
  • Banking. Including financial market infrastructures.
  • Healthcare. Including the manufacture of pharmaceutical products and vaccines. 
  • Drinking water. 
  • Wastewater. 
  • Digital infrastructure. Including internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery networks, trust service providers, providers of public electronic communications networks, and publicly available electronic communications services.
  • ICT service management. Including managed service providers and managed security service providers, public administration, and space.

Important entity (IE):

  • Postal and courier services 
  • Waste management 
  • Chemicals 
  • Food 
  • Manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers, and other transport equipment.
  • Digital providers include online marketplaces, search engines, and social networking service platforms. 
  • Research organizations.
     

My organization is not deemed essential or important. Should I care about NIS2?

Yes, absolutely, for two reasons:

  • Affected organizations are responsible for securing their supply chain and supplier relationships, according to NIS2. This means many organizations doing business with affected organizations must comply with NIS2 or risk losing contracts.

    Organizations outside the European Union are not directly affected by NIS2. However, they might want to comply to keep doing business with European organizations responsible for their supply chain.

  • To secure your own business operations. Ensure your organization’s security standards are up to at least the NIS2 requirements to protect your business.


What are the fines for not complying with NIS2?

The NIS2 Directive defines fines for non-compliance separately for the essential and important entities described above.

  • Essential entities. Ten million euros, or 2% of annual turnover.

  • Important entities. Seven million euros, or 1.4% of annual turnover.

There are also further sanctions involved. These include temporary bans of senior management and also temporary suspension of business.

Depending on the country, fines might not apply to the public sector. However, the other administrative sanctions might.
 


What is incident reporting according to NIS2?

Incidents must be reported to the local Computer Security Incident Response Team (CSIRT).
An incident, according to NIS2, falls under one of two categories:

  • Something that has caused or is causing severe operational disruption.

  • Something that has, or can, affect natural or legal persons with considerable material or non-material damage.

Additionally, organizations can submit voluntary reports of non-significant incidents, prevented incidents, or cyber threats in general.

Regarding the actual reporting, three steps must be taken within specific timeframes:

  • Within 24 hours. Significant incidents should be reported, and an early warning should be communicated.

  • Within 72 hours. A full notification report containing the assessment, severity, impact, and indicators of compromise should be submitted.

  • Within one month. A final report of the incident must be submitted.
     


What are the differences between NIS2 and DORA?

The Digital Operational Resilience Act (DORA), which came into effect in 2023, and NIS2 share many similarities regarding cybersecurity.

DORA aims primarily to strengthen the security and cyber resilience of banking and financial institutions. 
The security measures are similar to NIS2, but NIS2 covers a larger group of entities outside the financial sector.
 


What is the difference between NIS2 and ISO 27001?

NIS2 and ISO 27001 serve different purposes, but they do complement each other. If your organization is certified for, or is working towards, ISO 27001, much of the work needed for NIS2 compliance should already be implemented.

Both strongly emphasize risk management and assessment, so by following ISO 27001, you are fulfilling one of the essential requirements for NIS2.


Is NIS2 related to GDPR?

Not directly, but they do operate within a similar space.

GDPR is, in short, a regulation requiring organizations operating within the European Union to have control over their data, what is stored, why, and for how long. Failure to comply with the regulation will lead to severe fines.

NIS2 is, in short, a regulation requiring organizations based in the European Union to have a solid cybersecurity strategy and to report any significant incidents to authorities.

However, much of the work that organizations did to comply with GDPR should also make it easier to gain compliance with NIS2.