The Network and Information Systems 2 (NIS2) Directive is a crucial piece of European Union legislation aimed at enhancing cybersecurity across member states. Introduced to address the growing challenges of digital transformation and evolving cyber threats, NIS2 builds upon its predecessor by expanding its scope, introducing stricter requirements, and strengthening enforcement measures.
This comprehensive guide will explore the key aspects of NIS2, including its purpose, requirements, and implications for organizations. We'll delve into compliance strategies, necessary policies, and the significant changes from the original NIS Directive.
Understanding the NIS2 Directive: Key Points and Objectives
The NIS2 Directive is a set of cybersecurity regulations and requirements applicable to a wide range of organizations and entities across the European Union. It covers operators of essential services, digital service providers, suppliers of critical technologies, and public administration entities. The key objectives of NIS2 include:
- Establishing a standard set of cybersecurity requirements across all EU member states.
- Expanding the scope of the directive to cover more sectors and entities.
- Introducing stricter incident reporting obligations and enforcement measures.
- Promoting better collaboration and information sharing between member states.
- Ensuring a high level of cybersecurity resilience as a standard across the EU.
NIS2 replaces the previous NIS Directive and aims to address the shortcomings and fragmentation observed in its implementation across the EU. It introduces a more comprehensive and harmonized approach to cybersecurity to protect the EU's critical infrastructure, digital services, and citizens from the growing threat of cyber incidents and attacks.
NIS2 vs. NIS: Key Differences and Enhancements
NIS2 represents a significant evolution from the original NIS Directive. Key differences include:
- Expanded scope: NIS2 covers a much broader range of sectors and entities compared to NIS.
- Stricter requirements: NIS2 introduces more detailed and harmonized security requirements, including risk assessments, incident response plans, and supply chain security measures.
- Stronger enforcement: NIS2 empowers national authorities to impose much harsher penalties for non-compliance, with administrative fines of up to €10 million or 2% of global annual turnover for essential entities and up to €7 million or 1.4% for important entities, whichever amount is higher.
- Improved collaboration: NIS2 strengthens cross-border cooperation and information sharing between member states through the existing Cooperation Group and the CSIRTs network, and establishes EU-CyCLONe (the European cyber crisis liaison organisation network) for coordinated handling of large-scale incidents and crises.
- Redefined entity categories: NIS2 replaces the "operators of essential services" and "digital service providers" categories with "essential" and "important" entities.
Scope and Application: Who Does NIS2 Affect?
NIS2 expands its reach to cover a much broader range of "essential" and "important" entities across various sectors. The directive lists sectors in two annexes; whether a given entity is essential or important depends on both its sector and its size, but in general the split looks like this:
Sectors of high criticality (Annex I), whose larger entities are generally Essential Entities (EE):
- Energy (electricity, district heating and cooling, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health and healthcare providers
- Drinking water and wastewater
- Digital infrastructure and ICT service management
- Public administration
- Space
Other critical sectors (Annex II), whose entities are generally Important Entities (IE):
- Postal and courier services
- Waste management
- Chemical manufacturing, production, and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices, computers, electronics, etc.)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research institutions
Size is determined using the EU definition of small and medium-sized enterprises. Essential Entities are, as a rule, large enterprises in the Annex I sectors: 250 or more employees, or an annual turnover above €50 million and a balance sheet total above €43 million. For Important Entities the size threshold is lower, capturing medium-sized enterprises in either annex: 50 or more employees, or an annual turnover and balance sheet total above €10 million. The exact classification can still vary, because Member States may designate specific entities as essential or important regardless of size, and some categories (for example DNS service providers, TLD registries and trust service providers) are in scope irrespective of size.
It's important to note that NIS2 can also apply to non-EU entities that provide essential or important services to the European market, even if they are not physically located within the EU. Furthermore, an entity may still be classified as "essential" or "important" even if it does not meet the general size criteria, such as in cases where it is the sole provider of a critical service vital to societal or economic activities in a Member State. This ensures that the directive covers not only large organizations but also smaller entities that play a key role in maintaining critical infrastructure or services within the EU.
NIS2 Compliance Requirements: A Comprehensive Overview
NIS2 introduces a comprehensive set of cybersecurity requirements and obligations for in-scope organizations. Member States had to transpose the directive into national law by October 17, 2024, and the measures apply from October 18, 2024, so the exact obligations and deadlines an organization faces are set by the national law of each Member State in which it operates. The core requirements include:
1. Cybersecurity Risk Assessment and Management
NIS2 outlines mandatory cybersecurity measures that in-scope organizations must implement. Organizations must conduct regular risk assessments of their network and information systems and implement appropriate technical and organizational security measures to manage those risks. These include:
- Risk analysis and information security policies: Establishing policies and procedures for conducting regular risk assessments, identifying vulnerabilities, and implementing appropriate security controls.
- Data protection and encryption: Ensuring data confidentiality, integrity, and availability by leveraging encryption and other data protection techniques.
- Authentication and access control: Article 21 of NIS2 requires the use of multi-factor authentication (MFA) or continuous authentication solutions, together with secured voice, video and text communications and secured emergency communication systems, and its recitals list zero-trust principles and identity and access management among the basic cyber hygiene practices entities should adopt. The directive does not prescribe a specific MFA technology; implementing phishing-resistant MFA based on the FIDO2 standards is a sound way to meet the requirement, because it binds authentication to the origin and relies on public key cryptography rather than shared secrets that can be phished or replayed.
- Vulnerability management: Implementing vulnerability handling and disclosure processes, including regular vulnerability assessments and timely patching of known vulnerabilities.
- Security monitoring and logging: Establishing comprehensive security monitoring and logging mechanisms to detect, analyze, and respond to security events.
- Cybersecurity awareness and training: Provide regular security awareness training programs for staff to ensure they are equipped to identify and respond to cyber threats, such as phishing or spoofing attacks.
Organizations are also responsible for managing cybersecurity risks across their supply chains, implementing appropriate security measures for relationships with direct suppliers and service providers.
2. Incident Reporting and Response
NIS2 introduces a multi-stage incident reporting process that is mandatory for significant incidents, meaning incidents that cause or are capable of causing severe operational disruption or financial loss for the entity, or considerable material or non-material damage to other persons or entities. Organizations must have robust incident handling and crisis management procedures in place, including incident detection, analysis, classification, and notification to the competent authority or the national CSIRT within set timelines:
- Early warning (within 24 hours of becoming aware of the incident): A first notification indicating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification (within 72 hours of becoming aware of the incident): An update to the early warning containing an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
- Final report (within one month of the incident notification): A comprehensive report including a detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, all applied and ongoing mitigation measures, and any cross-border impact. Authorities may request intermediate status updates in the meantime, and if the incident is still ongoing after a month, a progress report is submitted instead, with the final report due within one month of the incident being handled.
In addition to reporting significant incidents, entities must, where appropriate, notify the recipients of their services that are potentially affected by a significant cyber threat of the measures or remedies those recipients can take in response; reporting cyber threats and near misses to the authorities themselves is voluntary but encouraged. Entities must also develop and maintain business continuity and disaster recovery plans, including backup management, to ensure the continuity of essential services in the event of a disruptive incident. This proactive approach aims to help authorities and affected parties respond to potential threats before they become incidents.
3. Governance and Accountability
NIS2 places a strong emphasis on governance and accountability, particularly at the management level. Leadership must be actively involved in approving security policies, ensuring the effectiveness of cybersecurity measures, and providing cybersecurity training for staff. Key aspects include:
- Management approval: The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities.
- Oversight responsibility: Management is required to oversee the implementation of cybersecurity measures and can be held liable for infringements.
- Mandatory training: Members of management bodies are required to follow cybersecurity training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices.
- Personal liability: Members of management bodies can be held liable for infringements of the risk-management obligations. For essential entities that fail to comply with enforcement orders, authorities can additionally request a temporary suspension of certifications or authorizations and a temporary ban on the individuals exercising managerial responsibilities at CEO or legal representative level from performing those functions.
Risks of non-compliance with NIS2
Non-compliance with the NIS2 Directive can result in significant financial penalties: administrative fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever amount is higher. Additionally, regulatory authorities may issue binding instructions, order corrective measures, and, for essential entities that ignore enforcement orders, temporarily suspend certifications or authorizations, halting business operations and causing long-term operational setbacks. Reputational damage is also a critical risk, as public disclosure of breaches can erode customer trust, particularly in sectors like healthcare, finance, and manufacturing.
Senior management is directly accountable for ensuring compliance, and failure to do so can lead to personal legal consequences. Moreover, non-compliance increases the risk of cyberattacks, as organizations without adequate measures are more vulnerable to security breaches and operational disruptions. These risks make compliance essential for maintaining both business continuity and a strong cybersecurity posture.
Preparing for NIS2: Free Tools for Security Compliance
Meeting the security requirements of NIS2 doesn't have to be a complex or costly process. With the Hideez Workforce Identity system, you can simplify password management, implement phishing-resistant authentication and MFA, and ensure secure access to critical systems, all while adhering to zero-trust principles. Hideez helps organizations of any size and industry address a large share of the NIS2 requirements without the need to deploy complicated security systems.
Our platform offers a complete solution for passwordless digital and physical access, which enhances cybersecurity, reduces risks from cyber attacks, and aligns with NIS2's emphasis on secure access and identity management. By controlling security systems, encrypting data, and maintaining full visibility over IT assets, Hideez helps you take control of your compliance journey effortlessly.
Explore the benefits of going passwordless by registering for free on our Cloud portal, which supports up to 50 active users per company at no cost.
Interested in seeing how Hideez can further assist with NIS2 compliance? Book a personalized demo today and discover how to secure your organization while meeting essential regulatory requirements.