NIS2 Directive: What It Means for Your Business (And How to Prepare)

March 10, 2024 | By Pietro Dubsky

The digital landscape is constantly evolving, and with it, the nature and sophistication of cyber threats. To bolster cybersecurity across the European Union, the NIS2 Directive has been introduced, significantly expanding and strengthening the original Network and Information Systems (NIS) Directive. But what does this mean for your business, and how can you ensure you're prepared?

What is the NIS2 Directive?

NIS2 (Directive (EU) 2022/2555) is an EU directive aimed at achieving a high common level of cybersecurity across Member States. It repeals and replaces the first NIS Directive (2016/1148), broadens the scope to more sectors and entities, and introduces stricter supervisory measures and enforcement requirements. Because it is a directive rather than a regulation, it takes effect through national law: Member States must transpose it by 17 October 2024, and the exact obligations an entity faces depend on that national implementation. The primary goal is to improve the resilience and incident response capabilities of both public and private entities that are critical to our economy and society.

Who is Affected by NIS2?

One of the most significant changes in NIS2 is the expansion of its scope. The directive lists the sectors it covers in two annexes and, separately, classifies in-scope entities as "essential" or "important" based on sector and size.

  • Sectors Covered: The list of sectors now includes (but is not limited to):
    • Annex I (sectors of high criticality): Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure (IXPs, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, public electronic communications networks and services), ICT service management (managed service providers and managed security service providers), public administration, and space.
    • Annex II (other critical sectors): Postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing (e.g., medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, online search engines, social networking services platforms), and research.
  • Company Size and Classification: Generally, NIS2 applies to medium-sized and large enterprises within these sectors (medium-sized meaning, roughly, at least 50 employees or an annual turnover or balance sheet above €10 million, per Commission Recommendation 2003/361/EC). Large entities in Annex I sectors are essential entities; other in-scope entities, including medium-sized Annex I entities and Annex II entities, are generally important entities. Some entities are in scope regardless of size, for example qualified trust service providers, TLD name registries, DNS service providers and providers of public electronic communications networks. Member States may also designate smaller entities whose disruption would significantly affect public safety, security or health, or that are the sole provider of a service essential to society in that Member State.

It's crucial for businesses to assess whether they fall into one of these categories.

Key Requirements and Obligations under NIS2

NIS2 imposes a range of cybersecurity risk-management measures and reporting obligations. Entities covered must:

  1. Implement Robust Risk Management Policies: This includes conducting regular risk assessments, and establishing policies on information system security, incident handling, business continuity (like backup management and disaster recovery), and crisis management.
  2. Adopt Specific Security Measures: Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems. These include:
    • Supply chain security (addressing risks arising from suppliers and service providers).
    • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.
    • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
    • Basic cyber hygiene practices and cybersecurity training.
    • Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
    • Human resources security, access control policies, and asset management.
    • The use of multi-factor authentication or continuous authentication solutions, and, where appropriate, secured voice, video and text communications and secured emergency communication systems.
  3. Report Significant Incidents: Covered entities must notify their CSIRT or competent national authority of any significant incident without undue delay. The directive sets a three-stage timeline: an early warning within 24 hours of becoming aware of the incident (stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact), an incident notification within 72 hours (updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise), and a final report no later than one month after the incident notification. Where appropriate, entities must also inform the recipients of their services that are likely to be adversely affected.
  4. Management Body Accountability: The management bodies of essential and important entities must approve the cybersecurity risk-management measures and oversee their implementation, and are required to follow training so that they can identify risks and assess those measures. They can be held liable for infringements of the directive.

How to Prepare for NIS2 Compliance

Preparation is key. Here’s a step-by-step approach:

  1. Determine Applicability: First, ascertain if your organization falls under the scope of NIS2 based on your sector and size.
  2. Conduct a Gap Analysis: Assess your current cybersecurity posture against the requirements of NIS2. Identify areas where your current measures fall short.
  3. Develop and Implement a Cybersecurity Risk Management Framework: Based on the gap analysis, develop or update your risk management policies and implement the necessary technical and organizational measures.
  4. Strengthen Incident Reporting Procedures: Ensure you have clear procedures for identifying, classifying, and reporting significant incidents according to NIS2 timelines.
  5. Review and Secure Your Supply Chain: Evaluate the cybersecurity practices of your key suppliers and service providers.
  6. Train Your Employees: Cybersecurity is a shared responsibility. Ensure your staff receives regular training on cyber hygiene and incident awareness.
  7. Engage Management: Ensure your management body is aware of their responsibilities and is actively involved in overseeing cybersecurity measures.

Consequences of Non-Compliance

Non-compliance with NIS2 can lead to significant penalties. For essential entities, the maximum fine Member States must provide for is at least €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; for important entities, at least €7 million or 1.4% of turnover. Supervisory authorities can also issue binding instructions, order audits and, for essential entities, temporarily suspend certifications or authorisations and temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions until the infringement is remedied. Beyond these sanctions, non-compliance can result in reputational damage and loss of customer trust.

How I Can Help

Navigating the complexities of NIS2 can be challenging. As an IT professional with expertise in system administration, web application security, and automation, I can assist your business in:

  • Assessing your current IT infrastructure against NIS2 technical requirements.
  • Implementing security best practices for your servers and web applications.
  • Advising on data backup and disaster recovery strategies.
  • Helping to automate security monitoring and reporting tasks where feasible.

While I don't offer full legal compliance consultancy for NIS2, I can help you strengthen the technical foundations of your cybersecurity posture, which is a critical part of meeting the directive's requirements.

Conclusion

The NIS2 Directive represents a significant step forward in enhancing cybersecurity resilience across the EU. While it introduces more stringent requirements, it also provides an opportunity for businesses to strengthen their defenses against ever-evolving cyber threats. Proactive preparation and a commitment to robust cybersecurity practices are no longer just good business sense – they are a regulatory imperative.


Disclaimer: This article provides a general overview of the NIS2 Directive and should not be considered legal advice. Businesses should consult with legal and cybersecurity professionals to ensure full compliance with specific national implementations of NIS2.
