The NIS2 Directive: From NIS to NIS2
The NIS2 Directive is the second version of the NIS Directive, the European Union’s first cybersecurity directive. Reworked to remove ambiguities and expand its reach, the NIS2 Directive covers more sectors and sets out rules for more uniform implementation across EU member states.
Applicable to all “essential” or “important” entities in all EU member states, the NIS2 Directive aims to ensure that Europe’s organizations and citizens are protected.
The NIS2 Directive introduces a common minimum set of cybersecurity risk-management requirements across all EU member states, highlights better practices, creates strict incident reporting requirements, and introduces supervision, enforcement measures, and sanctions. It also strengthens EU-wide cooperation (the Cooperation Group, the CSIRTs network, and EU-CyCLONe for large-scale incidents) and establishes a European vulnerability database maintained by ENISA.
The NIS2 Directive holds management accountable for:
- Ensuring that cybersecurity risk assessments are carried out
- Implementing technical and organizational security measures
- Managing risks appropriately
- Supporting cybersecurity through training and risk management programs
It is noteworthy that the NIS2 Directive does not prescribe particular products or technologies. Article 21 lists the categories of measures that entities must address (for example, risk analysis and information system security policies, incident handling, business continuity, supply chain security, vulnerability handling and disclosure, cryptography, access control, and multi-factor authentication) and leaves the choice of concrete technical controls to the entity, proportionate to the risks it faces.
Deadlines for the NIS2 Directive
By October 17, 2024, EU member states must have adopted and published the provisions to legislation necessary to comply with the NIS2 Directive. EU member states must identify the essential and important entities described in the NIS2 Directive by April 17, 2025.
The NIS2 Directive places the burden of identification on entities themselves: an organization whose services fall within the scope of NIS2 must determine that it is covered and submit its details to the competent authority of the member state that has jurisdiction over it (normally the state in which it is established), within the registration deadline set by that state. The information to be submitted includes:
- The entity’s name, address, and, where applicable, registration number
- The NIS2 sector or sub-sector under which the entity falls
- Up-to-date contact details, including e-mail addresses and telephone numbers
- The member states in which the entity provides its services
- Where applicable, a list of the IP address ranges assigned to the entity
History of the NIS2 Directive
The Directive on the Security of Network and Information Systems, commonly referred to as NIS, was established in July 2016 to enhance cybersecurity and cyber resilience across the European Union. The regulatory measures that were set forth focused on:
- Enhancing cybersecurity capabilities at a national level
- Increasing collaboration between EU member states to address cyber threats
- Improving cybersecurity in essential and important organizations
The Council of the European Union adopted the NIS2 Directive on November 28, 2022. It was published in the Official Journal on December 27, 2022 as Directive (EU) 2022/2555, replacing and repealing the NIS Directive (Directive (EU) 2016/1148).
The NIS2 Directive entered into force on January 16, 2023, twenty days after publication. A primary goal of the NIS2 Directive is to expedite improvements to cybersecurity and resilience within essential and important organizations of the European Union.
EU member states were required to have the NIS2 Directive included in their national legislation by October 17, 2024.
NIS1 and the reason for the transition to NIS2
The first Network and Information Systems (NIS) Directive, now commonly referred to as NIS1, was adopted by the European Union (EU) in 2016. This marked a major step towards enhancing cybersecurity across EU member states. This ambitious directive aimed to materially raise the overall level of cybersecurity in critical sectors such as banking, energy, health, transport, and water.
With this pioneering directive, the European Commission took its first significant step towards a unified cybersecurity strategy across EU member states. The objective of this requirement was to ensure a baseline level of cybersecurity across member states, thereby reducing the fragmentation of cybersecurity practices within the EU.
NIS1 primarily focused on operators of essential services (OES), as noted above, as well as digital service providers (DSPs) such as cloud computing services, online marketplaces, and online search engines. Among the requirements set forth in NIS1 was the requirement that these entities implement prescribed security measures and report significant incidents to national authorities.
By mandating the implementation of security measures and incident reporting, NIS1 brought several benefits to EU member states.
Standardization of cybersecurity practices—With NIS1 helping to standardize cybersecurity practices across EU member states, it ensured that all critical sectors adopted similar levels of security.
Incident reporting mechanism—By establishing an incident reporting mechanism, NIS1 enabled better visibility of cybersecurity incidents and facilitated more coordinated responses.
Role of national authorities—National-level oversight and governance was put in place with the requirement that EU member states designate national competent authorities to be responsible for overseeing the implementation of the NIS1 directive.
The need for NIS2 became clear as the cyber threat landscape grew increasingly complex and continued to evolve at an exceedingly rapid pace. Because of this, the European Commission deemed it necessary to update NIS1 with a more robust framework. This became NIS2, an updated directive that aimed to address the shortcomings of NIS1 and further strengthen the EU member states’ cybersecurity posture.
Key enhancements and changes from NIS1 to NIS2
Broader scope and increased coverage
One of the most significant changes in NIS2 is the expanded scope of coverage. NIS1 primarily focused on critical infrastructure sectors, but NIS2 broadened this scope to include more entities. This change reflected the interconnections between sectors.
By expanding coverage, NIS2 eliminates weak links caused by organizations that were previously exempt. With significantly more organizations being required to adhere to robust cybersecurity standards, the overall resilience of the EU’s digital infrastructure is materially enhanced.
Changes in organizations covered
The transition from NIS1 to NIS2 involved several significant changes in terms of the organizations covered by the directive. These changes reflect the evolving cyber threat landscape and the need for a more comprehensive approach to cybersecurity across EU member states.
Enhanced accountability and governance
With NIS2, senior management’s responsibility and accountability are increased. By doing so, NIS2 brings cybersecurity and cyber resilience to the executive level and increases its integration into core corporate governance.
This stronger emphasis on the accountability of senior management sees organizations’ management teams more fully involved in and responsible for cybersecurity governance. This includes overseeing the implementation of security measures and ensuring compliance with the directive.
Expanded scope of coverage
NIS1 primarily targeted operators of essential services (OES) in critical sectors such as energy, transport, water, banking, financial market infrastructures, health, and digital infrastructure. Additionally, it covered some digital service providers (DSPs), such as online marketplaces, online search engines, and cloud computing services.
NIS2 significantly expands the scope of coverage to include a broader range of sectors and entities. This expansion acknowledges the increasing interconnectivity and digitalization of various industries. A detailed list of organizations required to adhere to the rules set forth in NIS2 is below.
Improved incident reporting and information sharing
Under NIS1, incident reporting requirements were seen by many to be ambiguous and inconsistent across EU member states. NIS2 aimed to standardize and streamline these requirements, making them more precise and consistent.
For instance, under NIS2, organizations must report significant incidents to the relevant national authorities within a specific timeframe, ensuring timely and effective responses. Additionally, NIS2 emphasizes the importance of information sharing among EU member states and with the EU Agency for Cybersecurity (ENISA). This collaborative approach facilitates the rapid dissemination of threat intelligence and enables a more coordinated response to cross-border cyber threats.
Risk management measures
NIS2 mandates stricter risk management measures compared to NIS1. Under NIS2, organizations are required to implement comprehensive cybersecurity policies and procedures tailored to their specific risk profiles. It also requires that these risk management measures be proportionate to the actual risks faced by the organization. This is meant to ensure that organizations implement the security controls that are appropriate for their specific profile and that they have the capacity to scale to meet future demands.
Stricter security requirements
NIS2 introduces stricter security requirements for covered entities. These requirements include enhanced risk management measures, mandatory security incident reporting, and more comprehensive security controls. These requirements are meant to ensure that organizations have the right systems in place to support a risk-based approach to cybersecurity.
In addition to baseline cybersecurity, NIS2 requires organizations to implement measures that are proportionate to the risks they face, taking into account their exposure, size, and the likelihood and severity of incidents. NIS1 already called for “appropriate and proportionate” measures, but only in general terms; NIS2 spells out the categories of measures that must be covered (Article 21) and how proportionality is to be judged.
How NIS1 and NIS2 complement one another
The foundation set out by NIS1 is complemented by the updates that were added with NIS2. NIS2 was built on NIS1 to address the need for more cyber resilience across EU organizations.
NIS1’s role in establishing a baseline and standardizing practices laid the groundwork for NIS2 to introduce more advanced measures. Together, they have brought EU member states a comprehensive and effective approach to cybersecurity that improves cybersecurity and cyber resilience.
NIS2 expectations of EU member states
NIS2 includes a number of specific administrative requirements for EU member states. These are meant to create local infrastructure to enforce the use of robust cybersecurity measures by covered entities. The following are the notable requirements for EU member states established with NIS2.
Creation of national competent authorities
Under NIS2, EU member states are required to designate one or more national competent authorities responsible for overseeing the application and enforcement of the NIS2 directive. EU member states must provide national competent authorities with adequate resources and support to perform their duties effectively. These duties include monitoring covered entities’ compliance, conducting audits, and imposing sanctions for non-compliance by those under their purview. EU member states must also ensure that national competent authorities are able to operate independently and impartially, maintaining high standards of transparency and accountability in their activities.
Development of national cybersecurity strategies
EU member states must develop and implement comprehensive national cybersecurity strategies in accordance with the rules mandated in NIS2. These strategies must outline the systems and processes that are used to achieve and maintain a high level of cybersecurity. They must also take into consideration the evolving threat landscape.
In addition, EU member states’ cybersecurity strategies must include measures for risk management, incident response, recovery, and cyber resilience. EU member states are also expected to regularly review and update their cybersecurity strategies to address new challenges and incorporate lessons learned from previous incidents.
Establishment of computer security incident response teams (CSIRTs)
NIS2 requires each EU member state to designate or establish one or more CSIRTs, covering at least the sectors listed in the directive’s annexes, to ensure effective incident response and coordination. These teams must be adequately resourced and trained to handle various types of cyber incidents.
EU member states’ CSIRTs are responsible for providing early warning, incident handling, and support for affected covered entities. They must also facilitate information sharing and collaboration with other CSIRTs within the EU to help enhance the overall cyber resilience of all EU member states.
Enhanced cooperation and information sharing
NIS2 emphasizes the importance of cooperation and information sharing among EU member states, the European Union Agency for Cybersecurity (ENISA), and other relevant stakeholders. EU member states are expected to participate actively in EU-level cybersecurity initiatives and forums. These are meant to provide opportunities to share threat intelligence, cybersecurity and cyber resilience best practices, and lessons learned. This collaborative approach aims to enhance the collective cyber resilience of the EU and enable a more coordinated response to cross-border cyber threats.
Implementation of risk management and reporting obligations
According to NIS2, EU member states are required to oversee the adoption of appropriate risk management measures and comply with incident reporting obligations by covered entities. These measures should be proportionate to the risks faced by each organization and should include technical and organizational controls to prevent and mitigate cyber threats.
Covered entities must report significant incidents to the national competent authorities within a specified timeframe, ensuring timely and effective responses. EU member states must establish clear guidelines and procedures for incident reporting and follow-up actions.
Promotion of cybersecurity awareness and education
EU member states are required to promote cybersecurity awareness and education among their citizens and businesses. This includes developing and promoting public awareness campaigns, providing training and resources for employees, and encouraging the adoption of good cybersecurity practices. EU member states must also support initiatives that enhance cybersecurity skills and competencies, addressing the growing demand for skilled cybersecurity professionals.
Regular assessments and continuous improvement
NIS2 mandates regular assessments and continuous improvement of covered entities’ cybersecurity measures. EU member states must conduct periodic assessments of their national strategies, CSIRTs, and other relevant frameworks to identify areas for improvement. They are also expected to implement corrective actions based on these assessments to ensure that their cybersecurity measures remain effective and up-to-date. This ongoing process of evaluation and improvement is crucial for ensuring preparedness to defend against cyber threats and for maintaining a high level of cyber resilience.
Supply chain security requirements under NIS2
A key focus area under NIS2 is supply chain security. Given the increasing sophistication and frequency of cyber attacks targeting supply chains, the directive mandates comprehensive measures to ensure the security of supply chains in EU organizations. The following are the main NIS2 requirements for supply chain security.
Compliance and accountability
NIS2 imposes strict requirements and related accountability on covered entities with regard to supply chain security. These include regular audits and assessments conducted by covered entities to verify that suppliers meet the security requirements the entity has set for them, taking into account each supplier’s specific vulnerabilities and the overall quality of its products and security practices.
NIS2 requires covered entities to have clear processes in place for evaluating supplier security practices and addressing non-compliance. In addition, covered entities must maintain comprehensive documentation of supply chain security practices, assessments, and incident reports. This documentation must be readily available for review by national competent authorities upon request.
Enhanced collaboration and information sharing
NIS2 emphasizes the importance of collaboration and information sharing between covered entities and their suppliers to enhance supply chain security. Organizations are encouraged to share threat intelligence and vulnerability information with suppliers to help them stay ahead of potential threats.
This collaborative approach intends to help both parties remain aware of emerging threats and take proactive measures to mitigate risks. Covered entities and their key suppliers are also encouraged to conduct joint security exercises and simulations. These are meant to test incident response capabilities and improve coordination. These exercises also help identify weaknesses and improve the overall resilience of the supply chain.
Identification and assessment of supply chain risks
NIS2 requires covered entities to implement systems and processes for identifying and assessing cyber risks within their supply chains. This includes mapping out the entire supply chain to identify critical suppliers and service providers and understand the flow of information. Covered entities must also assess suppliers’ security posture and identify vulnerabilities that attackers could exploit, leveraging insights from threat intelligence sources to conduct reviews.
Implementation of security measures
Organizations covered under NIS2 are required to implement robust security measures to mitigate supply chain risks. These should include:
- Ensuring that suppliers have robust incident response and recovery plans in place
- Establishing minimum cybersecurity requirements for suppliers and service providers, such as access controls, encryption, incident response, and data protection
- Implementing mechanisms to continuously monitor the cybersecurity posture of suppliers, including conducting regular audits and assessments as well as requiring suppliers to provide evidence of their security practices
- Writing cybersecurity requirements into agreements with suppliers that specify security expectations, compliance requirements, and penalties for non-compliance
Integration of supply chain security into governance
NIS2 requires organizations to integrate supply chain security into their overall cybersecurity governance framework. This should include:
- Developing and implementing comprehensive supply chain security policies that align with the organization’s overall cybersecurity strategy
- Ensuring that senior management is involved in overseeing supply chain security, including setting strategic objectives, allocating resources, and regularly reviewing the effectiveness of supply chain security measures
- Providing training and raising awareness among employees and suppliers about supply chain security risks and best practices
Which sectors are regulated by the NIS2 Directive?
As a rule, the NIS2 Directive applies to entities in the sectors listed in its annexes that qualify as medium-sized or larger under EU definitions, i.e., those with 50 or more employees or an annual turnover or balance sheet total above 10 million euros. Size does not matter, however, for certain entities, which are in scope regardless of size, including:
- Providers of public electronic communications networks or publicly available electronic communications services
- Trust service providers, TLD name registries, and DNS service providers
- Entities that are the sole provider in a member state of a service essential to the maintenance of critical societal or economic activities
- Entities whose service disruption could significantly affect public safety, public security, or public health, or induce significant systemic risk
- Entities that are critical because of their specific importance at national or regional level for a sector or for interdependent sectors
- Public administration entities of central government (and regional entities where a member state so provides)
- Entities identified as critical entities under the CER Directive (Directive (EU) 2022/2557)
Organizations, companies, and suppliers that must abide by the NIS2 Directive are divided into two categories—essential and important. This is a material distinction in the NIS2 Directive, as there are different requirements for each category depending on the products and services provided to EU member states and the impact of an incident on their delivery.
Examples of essential entities (EE), according to the NIS2 Directive, are larger entities in the following sectors:
- Banking and financial market infrastructure
- Digital infrastructure (e.g., DNS service providers, TLD name registries, cloud computing and data centre service providers)
- Drinking water supply
- Energy
- Healthcare
- ICT (Information and Communications Technology) service management (business-to-business), including managed service providers and managed security service providers
- Public administration (central government; regional-level entities where a member state so decides)
- Space
- Transport
- Wastewater
Following are examples of important entities (IE), according to the NIS2 Directive:
- Digital providers (e.g., online marketplaces, online search engines, social networking platforms)
- Food production, processing, and distribution
- Manufacturing (e.g., medical devices, computers and electronics, electrical equipment, machinery, motor vehicles)
- Postal and courier services
- Production, processing, and distribution of chemicals
- Research
- Waste management
NIS2 vs NIS requirements
Following is a comparison of NIS and NIS2 by the European Commission.
Additional changes included in the NIS2 Directive are:
- Reinforced obligations for essential and important entities to implement technical, operational, and organizational measures to manage the risks
- Significant expansion of incident reporting requirements
- More stringent penalties for failure to comply with NIS2
The NIS2 Directive and incident reporting
With the NIS2 Directive, the duty of care and the duty to report, which already existed under the original NIS Directive, have been expanded and made stricter. NIS2 no longer leaves it to member states or to entities to decide what counts as reportable: it defines a “significant incident” in the directive itself, and every significant incident must be reported, including one that was capable of causing severe disruption even if it did not in fact affect the entity’s operations. The objective is to give authorities a consistent picture of incidents across the EU and improve monitoring and response to threats.
As under NIS1, each EU member state must designate a single point of contact for cross-border cooperation, one or more competent authorities, and one or more CSIRTs; incident notifications are submitted to the CSIRT or, where a member state so decides, to the competent authority. In Belgium, for example, the Centre for Cyber Security Belgium (CCB) fulfils these roles.
The NIS2 Directive (Article 23) lays down a multi-stage reporting process that is mandatory for significant incidents and specifies what each stage must contain. All clocks start when the entity becomes aware of the significant incident.
- Early warning: Within 24 hours of becoming aware of the incident, the entity must submit an early warning to the CSIRT or the competent authority. Where applicable, it should indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact. The early warning is deliberately lightweight so that authorities can offer assistance and help limit the spread of the threat without diverting the entity from its response.
- Incident notification: Within 72 hours of becoming aware of the incident, a fuller notification must follow. It updates the early warning and provides an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise. If the incident is criminal in nature, the entity should also report it to law enforcement authorities.
- Intermediate report: On request of the CSIRT or the competent authority, the entity must provide relevant status updates while the incident is being handled.
- Final report: Not later than one month after submission of the 72-hour incident notification (not the early warning), a final report must be submitted. This final report must include:
- A detailed description of the incident, including its severity and impact
- The type of threat or root cause that is likely to have triggered the incident
- All applied and ongoing mitigation measures
- Where applicable, the cross-border impact of the incident
If the incident is still ongoing when the final report falls due, the entity submits a progress report at that time and the final report within one month of having handled the incident.
The duty to report is tied to a defined threshold. An incident is considered significant, and therefore reportable, if:
- It has caused or is capable of causing severe operational disruption of the entity’s services or financial loss for the entity concerned
- It has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
For significant cyber threats that have not yet become incidents, the obligation runs towards customers rather than authorities: where appropriate, the entity must inform the recipients of its services who are potentially affected of the threat and of any measures or remedies they can take in response. Reporting cyber threats and near misses to the CSIRT or competent authority is voluntary (Article 30).
Entities outside the scope of the NIS2 Directive may voluntarily report significant incidents, cyber threats, or near misses without any regulatory consequences. This means that any entity that voluntarily submits reports may not be subject to more onerous obligations than if it had not submitted it. The intent is to make it easy and risk-free for organizations that are not bound by the NIS2 Directive to share their threat intelligence.
Non-compliance with the NIS2 Directive
Failure to comply with the NIS2 Directive comes with stricter penalties than under the first iteration. Under the NIS2 Directive, the maximum penalties for non-compliance differ for essential entities and important entities, and member states must set their national maxima at least as high as the directive’s floor.
- For essential entities, administrative fines must be able to reach at least €10,000,000 or at least 2% of the total annual worldwide turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever amount is higher.
- For important entities, administrative fines must be able to reach at least €7,000,000 or at least 1.4% of the total annual worldwide turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever amount is higher.
Fines are not the only sanction. For essential entities that fail to comply with enforcement orders within a set deadline, authorities may temporarily suspend certifications or authorisations relating to the affected services and temporarily prohibit the persons responsible at chief executive or legal representative level from exercising managerial functions in that entity (Article 32(5)).
How organizations should prepare for the NIS2 Directive
Following are several recommended steps that organizations should take to be prepared to meet the requirements of the NIS2 Directive.
Adopt a proactive approach to security
Continuously perform risk analyses to identify potential threats proactively. This allows organizations to address any issues and ensure that they are prepared to meet the compliance requirements of the NIS2 Directive.
Encrypt all critical data
NIS2 (Article 21(2)(h)) requires policies and procedures on the use of cryptography and, where appropriate, encryption. Encryption should protect critical data at rest (databases, documents, backups, server storage) and in transit (communications between systems and with suppliers), and key management should be treated as part of the control, since encrypted data is only as protected as the keys that unlock it.
Foster a security-oriented culture
The importance of cybersecurity should be made clear by the top leadership of an organization, with cybersecurity a top priority for every department. A cyber-oriented culture starts with leadership and is infused into the organization by requiring a minimum-security awareness level among employees. Security training should be customized to help employees understand how their roles and responsibilities impact security.
Identify critical services, processes, and assets
Determining what will require extra protections to ensure NIS2 compliance can be done by conducting an impact assessment. This helps to identify which systems and processes fall under the NIS2 Directive’s scope.
Implement compliant risk and information security management systems
Many organizations find that they need to upgrade or change their information security management system in order to comply with the NIS2 Directive. The organization must be able to:
- Demonstrate defined responsibilities
- Ensure that key processes are operational, including:
  - Identifying, remediating, and monitoring security risks
  - Information system security policies
  - Incident handling and management
  - Business continuity (e.g., backup systems, disaster recovery plans)
  - Third-party and supply chain risk management
  - Vulnerability management, including vulnerability handling and disclosure
  - Employee security awareness training
Make multi-factor authentication mandatory
Implementing multi-factor authentication (MFA) or continuous authentication solutions to secure accounts, in lieu of passwords alone, is one of the measures Article 21(2)(j) of the NIS2 Directive names explicitly and plays an integral part in protecting assets. Prioritize administrative, remote-access, and supplier accounts, where a single compromised password does the most damage.
Understand the NIS2 Directive’s requirements and prepare to meet them
Take time to study the requirements and assess the organization’s readiness to comply. This includes identifying gaps and implementing plans to close them in advance of the compliance deadline.
A critical component of NIS2 preparedness is securing support from leadership, buy-in from stakeholders, and the necessary budget and resources.
Starting early is imperative as delays are almost inevitable, and the deadlines will not accommodate delays.
The NIS2 Directive – part of a growing trend
The NIS2 Directive represents a growing trend for cybersecurity and cyber resilience to be integral to legislation. As a directive, NIS2 is binding on every EU member state, each of which must transpose it into national law.
The NIS2 Directive has a far reach into organizations of all types with the intention of shoring up defenses against escalating cyber threats. The good news about the NIS2 Directive and similar initiatives is that it helps organizations improve their overall cybersecurity posture, which has positive impacts on all aspects of operations.