Building a stronger cybersecurity foundation across the European Union

NIS2 Directive

On 27 December 2022, the Directive on Measures for a High Common Level of Cybersecurity across the Union, known as the ‘NIS 2 Directive’, was published in the Official Journal of the European Union.

The NIS2 Directive expands the reach of the original NIS Directive, in effect since 2016, by bringing a broader range of sectors into scope to raise cybersecurity standards across the EU. It addresses supply chain security, harmonises incident reporting duties, and introduces strict supervision and enforcement measures. In essence, NIS 2 requires organisations to adopt a robust cybersecurity risk management framework, with the aim of strengthening the EU’s overall cyber resilience.

In force since 16 January 2023, the directive had to be transposed into national law by 17 October 2024. From that point on, member states’ competent authorities oversee compliance and enforce the law, backed by substantial administrative fines and corrective measures where needed.

Who is affected by NIS 2?

The scope of NIS 2 is notably wider than the original directive, expanding its reach beyond just ‘Operators of Essential Services’ (OES) and ‘Digital Service Providers' (DSP). Now, it encompasses ‘essential’ and ‘important’ entities across the EU.

These entities play a vital role in the EU economy and society, including those offering public electronic communications services, digital services, waste water and waste management, manufacturing of key products, postal and courier services, and public administration at both central and regional levels.

Interaction with other (sector-specific) cybersecurity legislation

Where sector-specific Union legislation, such as the Digital Operational Resilience Act (DORA), requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, the corresponding NIS 2 provisions do not apply, provided that the sector-specific requirements are at least equivalent in effect to those of the NIS 2 Directive.

However, if the sector-specific legislation does not cover all entities in a given sector that fall within the scope of the NIS 2 Directive, the relevant NIS 2 provisions continue to apply to those entities not covered by the sector-specific legislation.

When will NIS 2 impact my organisation?

With NIS 2 now officially adopted, many organisations will need to consider, implement, and comply with various binding obligations that will come into play once the directive is integrated into national legislation.

Here’s a timeline highlighting the key phases in NIS 2’s development and enforcement.

European Commission proposal

On 16 December 2020, the Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive), repealing the original NIS Directive.

Interinstitutional agreement

Following the publication of the proposal, the co-legislators - the European Parliament and Council of the European Union - started the negotiation process, which led to a political agreement in May 2022.

The Council adopted NIS 2 on 28 November 2022, after the European Parliament voted in favour of the act on 10 November 2022.

Entry into force 

On 16 January 2023, the Directive on measures for a high common level of cybersecurity across the Union (the ‘NIS 2 Directive’) and the Directive on the resilience of critical entities (the ‘CER Directive’) entered into force.

National transposition

By 17 October 2024, member states had to adopt and publish the transposition measures necessary to comply with the NIS 2 Directive, which started to apply from 18 October 2024 onwards.

How does NIS 2 impact your organisation?

Whatever form the national implementing laws take, the NIS 2 Directive itself already sets out the key areas in which organisations need to step up their efforts in order to comply.

Comprehensive cybersecurity risk management

NIS 2 requires organisations to shift from a reactive to a proactive stance in risk management. This means adopting robust information security policies that ensure systematic and thorough risk analysis.

These policies should be built on an all-hazards approach and be proportionate to each organisation’s exposure to risk, its size, the cost of implementation, and the likelihood, severity and societal or economic impact of potential incidents.

With this principle of proportionality in mind, organisations should adopt industry-accepted and advanced cybersecurity measures across various domains.

Incident prevention, detection and response

Under NIS 2, essential and important entities must establish a solid Incident Management Framework (IMF) that is regularly tested and communicated to all relevant parties. The directive also calls for organisations to set up clear procedures to prevent attacks, detect and handle incidents, investigate root causes, and adopt mitigating measures.

Business continuity and crisis management

Under NIS 2, essential and important entities must ensure that their operations continue during major cybersecurity incidents. Organisations should implement a comprehensive resilience framework that covers business continuity, disaster recovery and crisis management in order to minimise disruption.

Supply chain security

As supply chain security grows in importance, NIS 2 requires essential and important entities to actively manage the cybersecurity risks arising from their direct suppliers and service providers through Third Party Risk Management (TPRM). Applying TPRM consistently across the whole digital value chain is a significant challenge for most organisations, and a robust supply chain resilience framework is essential to meet it.

Incident reporting and supervision

Under NIS 2, essential and important entities are required to promptly report any significant incident, meaning one that causes or is capable of causing severe operational disruption or financial loss, or considerable damage to other parties, to their national Computer Security Incident Response Team (CSIRT) or the competent national authority. To meet these obligations, organisations need to provide:

  • Early warning: This must be submitted without undue delay and within 24 hours of becoming aware of the incident. Where applicable, it should indicate whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification: This must be submitted within 72 hours of becoming aware of the incident. It updates the information provided in the early warning and gives an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
  • Intermediate report: This is provided on request by the CSIRT or the competent authority, offering relevant status updates on incident handling and crisis management.
  • Final report: Due no later than one month after the incident notification, this report should describe the incident in detail, including its severity and impact, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact.

Supervisory framework

NIS 2 introduces a stringent supervisory and enforcement framework to strengthen compliance.

First and foremost, competent national authorities will be able to rely on a robust enforcement and investigation framework, the limits of which depend on the classification of your organisation.

  • Essential entities: These are subject to a comprehensive, ex ante supervisory regime, in which the powers of the national authorities include on-site inspections and off-site supervision (including random checks), regular and ad hoc security audits, and the ability to request information, data, documents and evidence of compliance.
  • Important entities: These face a lighter, ex post, supervisory regime that is applicable in the event of evidence and/or indications of non-compliance.

Enforcement and management liability

Management responsibility and liability

Under NIS 2, management bodies of essential and important entities must approve cybersecurity risk-management measures. They must oversee their implementation and can be held liable for infringements by their organisation.

In this context, all members of management bodies will also be required to follow training on a regular basis in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by their organisation.

Enforcement

Under NIS2, member states must provide the appropriate national authority with the discretionary power to impose considerable fines on organisations that do not comply with the national transposition laws.

  • Essential entities: Fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: Fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

How can we help your organisation?

We’re here to support you every step of the way towards meeting NIS 2 compliance. With our Regulatory Readiness Assessment Framework (RRAF), we’ll work with you to assess your current readiness and guide you in implementing the necessary measures to meet NIS 2 requirements.

Now that NIS 2 is officially in place, it’s crucial for all relevant entities to start preparing for the upcoming national transposition measures. Getting ahead now means you can identify areas needing significant investment and prioritisation early on.

NIS 2 seeks to align cybersecurity risk management and reporting standards, building on the obligations of its predecessor and on existing national and international standards and regulations. But remember, the details matter. It is vital for all entities under the NIS 2 Directive to conduct a gap assessment and develop a strategy to achieve compliance, given that the directive allowed only a 21-month transposition period.

How can we help?

Here’s how we can assist you in crafting a robust digital strategy. We offer a blend of proactive and protective cybersecurity services, structured around our five core pillars:

Our services include the following: 

  • Cyber Strategy Design & Implementation

  • Cyber Governance and Risk Management

  • Policy Framework Design and Review

  • Regulatory Compliance assessments and advisory (DORA, NIS 2, MFSA ICT, GDPR)

  • Cyber Gap assessments with PCI-DSS, ISO 27001, CIS controls, and other cyber standards

  • Cyber Maturity Assessments and Health Checks with NIST CSF, CMMC, CMMI, and other cyber standards

  • ISO 27001 and cyber frameworks implementation

  • SWIFT CSP Assessments & Attestation

  • Cyber risk assessment, reporting and communication

  • Third Party/Vendor Management and cyber due diligence (supply chain cyber risks management)

  • Cyber Deals and Due Diligence

  • Cyber Security Awareness Training

Our services include the following: 

  • Threat Intelligence and Modeling

  • Incident Readiness and Response

  • Penetration Testing

  • Crisis Management

  • Forensics and Investigations

  • Ransomware Readiness Assessment

Our services include the following: 

  • Privacy Strategy, Regulation, and Compliance

  • Information Governance and Records Management

  • Data Discovery

  • Data protection Audits

  • Handling of data protection incidents and breaches 

  • DPIA development and design

  • Periodic review of internal policies and controller-processor agreements

  • Training and awareness to staff

  • DSAR handling

Our services include the following:

  • Identity & Access Management

  • Enterprise Security Architecture and Network/Infrastructure Security (ZT, IoT, OT)

  • Cloud Security

  • Enterprise Visibility and Security Operations (SIEM/SOAR/Fusion)

Our services include the following:

  • Threat Detection and Response

  • Vulnerability Management

  • Identity and Access Operations

  • GRC and High-Volume Assessments  

  • Device Management and Compliance 

  • Privacy as a Service

Contact us

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 7921 1355

Kirsten Cremona

Director, Digital Services, PwC Malta

Tel: +356 7975 6911