What is NIS2?
NIS2 is a European Union directive which aims to enhance cyber security in EU member states. The NIS stands for Network and Information Security, the 2 stands for it being updated to the original NIS. As a directive, it sets the minimum requirements that member states must implement in their national legislation.
Who does it concern?
NIS2 affects more sectors and organisations than the original NIS did. Entities that provide essential or important services to the European economy and society are affected. This includes companies and suppliers. Altogether 15 sectors are subject to the NIS2. Eight of these are considered essential and seven are considered important. This means that more than 160,000 companies are affected by the directive.
- Banking and finance
- Drinking and wastewater
- Digital Infrastructure
- Public Administration
- Postal Service
- Waste management
- Digital providers
It should be noted that companies doing business in Europe must comply with the law, even if they are located outside of the EU.
What are the requirements?
There are requirements in four areas in NIS2 for organisations to comply with.
First is the commitment from management to oversee the cyber security in the organisations. Management must be competent to steer and approve measures taken to control cyber security and address cyber security risks. To enforce this, top management can be held accountable for cyber security to a degree.
The second is risk management. It is an essential part of ensuring cyber security. Risks related to the topics described below must be managed using appropriate controls.
Third are reporting obligations. In case of a severe security incident, organisations must report these incidents within the given deadlines.
Finally, organisations must be able to continue their business and provide services during and after security incidents.
The minimum measures that each organisation must take to address the four areas are:
- Risk assessment and security policies.
- A plan to handle security incidents.
- Evaluation of the security measures.
- Policies and procedures for the use of cryptography and encryption.
- Security of the procurement of systems and the development and operation of systems.
- Cybersecurity training.
- Security procedures for employees with access to sensitive or important data and information asset management.
- A plan for managing business operations during and after a security incident.
- The use of multi-factor authentication, continuous authentication solutions and encryption.
- Security around supply chains and the relationship between the company and direct suppliers.
What are the sanctions?
There are penalties of different levels for cases of non-compliance with the NIS2 requirements. These can differ between member states, but the directive sets minimum levels all must adhere to. The penalties vary from orders and instructions to fines and criminal sanctions.
National authorities supervising the implementation and compliance of NIS2 requirements can enforce compliance orders, binding instructions, security audit implementation orders and threat notification orders to the customers of the sanctioned organisation.
When it comes to fines, there’s a difference between essential and important entities. Essential entities may be obliged to up to €10,000,000 or 2% of their global annual revenue, whichever is higher. For important entities, the levels are €7,000,000 or 1,4% of their global annual revenue, again whichever is higher.
As mentioned before, top management can be held accountable for cyber security. They are personally liable for gross negligence in the event of a cyber security incident. The aim of this liability is to take pressure away from the IT team and make sure that management understands its responsibility over security.
When is the NIS2 deadline?
Like said in the beginning, member states must comply with the directive by October 17th, 2024. Thus, organisations have less than a year to be fully compliant with NIS2. I promised to try to answer the question of whether there is plenty of time to react or not. My answer is that it depends on the maturity of your cyber security level.
If this is the first time you start thinking about information security risks and appropriate controls to manage them, then you are in a hurry. If you have an information security management system up, running and certified, you are in a pretty good position.
What organisations need to understand and what must they do to be compliant with NIS2?
The first step is to assess whether your organisation is either an essential or important entity in one (or more) of the 15 sectors. I would also be interested in whether my organisation is working with such entities.
The second step is to analyse the current level of cyber security management. Is my organisation compliant with the requirements already? If you think your cyber security management is at a good level, it might still be wise to have a third party do the assessment. Just to be sure.
The third step is to plan and implement a cyber security management system. For this, I would suggest using a known best practice, such as the ISO27000 information security standard series. If you have an information security management system based on ISO 27001, you are practically compliant with the NIS2.
And after this, keep the management system up and running and improve it. Neither the management system nor NIS2 will make you immune to cyber security attacks, but they will help you comprehensively address cyber security risks.
In short: You have a year to implement a cyber security management system that addresses cyber risk management and business continuity. If you fail, you may face penalties up to criminal sanctions. In the end, top management is accountable for the level of cyber security in your organisation.
Read more information about NIS2 and our security services.