What every business in the EU needs to know about the NIS2 Directive

About the NIS2 Directive

Full name: “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive).”

In a nutshell:

  • The NIS2 (Network and Information Systems) Directive is a piece of legislation that aims to improve the cybersecurity of networks and information systems across the European Union (EU).
  • NIS2 builds on the previous NIS Directive, which was implemented in 2016, and is part of a broader effort to strengthen the EU's cybersecurity capabilities.
  • The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.
  • Within the European Parliament, the file was assigned to the Committee on Industry, Research and Energy. The committee adopted its report on 28 October 2021, while the Council agreed on its position on 3 December 2021.
  • The co-legislators reached a provisional agreement on the text on 13 May 2022. The political agreement was formally adopted by the Parliament and then the Council in November 2022.
  • It entered into force on 16 January 2023, and the Member States now have 21 months, until 17 October 2024, to transpose its measures into national law.

As a business operating in the EU, it's important to understand what the NIS2 Directive entails and how it may affect your operations.

This step-by-step guide will provide a comprehensive overview of the NIS2 Directive, including what it covers, who it applies to, and what steps you need to take to comply with its requirements. By the end of this guide, you'll have a clear understanding of what you need to do to ensure your business is NIS2 compliant.

Why is the NIS2 Directive important for businesses in the EU?

While the first Directive (NIS) made significant strides in improving the cybersecurity capabilities of Member States, its implementation proved challenging and resulted in fragmentation across the internal market.

To address these challenges, the European Commission proposed the NIS2 Directive, which aims to enhance security requirements further, address supply chain security, streamline reporting obligations, and introduce stricter supervisory measures and enforcement requirements, including harmonised sanctions throughout the EU. By broadening the scope of entities and sectors obligated to take measures, NIS2 seeks to increase the level of cybersecurity in Europe over the long term.

NIS to NIS2 Directive: What changed exactly?

The Network and Information Security (NIS) Directive was first introduced in 2016 with the aim of creating a harmonised approach to cybersecurity across the European Union.

The Directive set out a series of security requirements for operators of essential services (OES) and digital service providers (DSP), including incident reporting obligations and risk management requirements. The NIS Directive was the first piece of EU-wide legislation on cybersecurity. It marked a significant step forward in the fight against cybercrime.

However, implementing the NIS Directive proved to be a challenge for many businesses. Some organisations struggled to understand their obligations under the Directive, while others found it difficult to comply with the complex reporting requirements. In addition, the NIS Directive was criticised for not covering a wide enough range of organisations and sectors.

Moving towards increased cybersecurity

To address these issues, the European Commission proposed a new version of the NIS Directive, known as NIS2. NIS2 aims to build on the success of the original directive while addressing some of the shortcomings. One of the main changes in NIS2 is the expansion of its scope to cover more organisations and sectors, including smaller businesses and digital platforms. This will ensure that more organisations are taking steps to protect themselves against cyber threats.

NIS2 also places a greater emphasis on risk management, requiring organisations to regularly identify and assess cyber risks. This will help businesses to better understand the threats they face and take appropriate action to mitigate those risks. NIS2 also introduces new requirements for incident reporting and response, ensuring that businesses are better equipped to handle cyber-attacks when they occur.

Another important aspect of NIS2 is the focus on supply chain security. The Directive requires organisations to assess the security of their supply chains and take steps to ensure that their suppliers are also taking appropriate measures to protect against cyber threats. This is particularly important considering recent high-profile supply chain attacks, which have demonstrated the importance of securing the entire supply chain.

Who’s affected by the NIS2 Directive and who does it apply to?

The NIS2 Directive applies to a range of entities operating across 11 essential and 7 important sectors. Under the Directive, certain entities are required to comply with the regulations to protect their systems from cyberattacks and to ensure that they can quickly recover from any incidents that do occur. The entities that are affected by the NIS2 Directive are as follows:

Operators of Essential Services (OES): These are companies that provide services that are essential to the functioning of society and the economy. Examples include energy companies, water suppliers, and healthcare providers. OES are required to comply with the NIS2 Directive regardless of their size.

Digital Service Providers (DSPs): These are companies that provide online services such as e-commerce platforms, cloud computing services, and search engines. DSPs are only required to comply with the NIS2 Directive if they meet certain size criteria. Specifically:

  • Medium entities: DSPs with 50 or more employees and an annual turnover of at least €10 million.
  • Large entities: DSPs with 250 or more employees and an annual turnover of at least €50 million.

Essential Sectors:

  • Energy
  • Transport
  • Banking
  • Financial markets
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

Important Sectors:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing
  • Digital providers
  • Research organisations

It's worth noting that even if a company does not meet these criteria, it may still choose to comply with the NIS2 Directive to improve its cybersecurity measures and protect its systems from cyberattacks.

In summary, the NIS2 Directive affects both Operators of Essential Services and certain Digital Service Providers that meet certain size criteria.

If your business falls into one of these categories, it's important to ensure that you are complying with the regulations in order to protect your systems from cyberattacks and to avoid potential fines for non-compliance.


What are the requirements of the NIS2 Directive?

NIS2 measures are based on an “all-hazards approach”, aiming to protect both the network and information systems and the physical environment of those systems from incidents. The requirements cover risk management, incident management, business continuity, supply chain security, and appropriate technical and organisational measures such as access controls, encryption and monitoring; each of these is described in the sections that follow.

What are the NIS2 Directive fines?

Fines for non-compliance with the NIS2 Directive can be substantial. In some cases, fines may be as high as €10 million or 2% of the entity's global turnover, whichever is higher. In the most severe cases, fines can be as high as €20 million or 4% of the entity's global turnover, whichever is higher.

National authorities also have the power to impose other measures such as orders to suspend or restrict an entity's activities to protect the security of networks and information systems. It is therefore important for OES and DSPs to ensure that they comply with the requirements of the NIS2 Directive.

Will NIS2 impact businesses in the UK?

NIS was fully implemented in the UK for businesses while the UK was part of the EU; however, as a result of Brexit, NIS2 is not yet mandatory in the UK. On the flip side, the UK Government is currently reviewing the effectiveness of NIS2 to decide whether to implement it in some form anyway. UK businesses should therefore prepare for the likely implementation of either the NIS2 requirements themselves or a UK-modified version.

There is very little information about NIS2 in the UK, because it is EU legislation. One source does, however, state that “Following Brexit, the UK is no longer required to follow the NIS2 Directive”.

How can the NIS2 Directive help improve your business operations?

  • Risk Management: The NIS2 Directive requires businesses to conduct regular risk assessments of their information systems, identify potential risks and vulnerabilities, and implement measures to mitigate them. By following this requirement, businesses can proactively manage their cybersecurity risks and minimise the likelihood of a cyber-attack.
  • Incident Management: The Directive requires businesses to have incident management procedures in place, including reporting requirements and response plans. This helps businesses respond quickly and effectively to cyber incidents, minimise their impact, and prevent similar incidents in the future.
  • Technical and Organisational Measures: Another requirement of NIS2 for businesses is to implement appropriate technical and organisational measures to ensure the security of their networks and information systems. This includes measures such as access controls, encryption, and monitoring systems. By implementing these measures, businesses can significantly reduce the risk of cyber-attacks and data breaches.
  • Business Continuity: By having business continuity plans in place, including backup and recovery procedures, businesses can maintain their operations in the event of a cyber incident, minimising downtime and ensuring the continuity of critical services.
  • Supply Chain Security: Implementing measures to ensure the security of their supply chain, including third-party suppliers and contractors, is also a part of NIS2. By ensuring the security of their supply chain, businesses can reduce the risk of cyber-attacks originating from third-party sources.

How can businesses better manage and mitigate cyber risks with the NIS2 Directive?

  • Reduced Risk of Cyber Attacks: Implementing NIS2 guidelines can significantly reduce the risk of cyber-attacks and data breaches. These incidents can be expensive to remediate, and businesses may also face regulatory fines and legal liabilities. By reducing the likelihood of cyber incidents, businesses can save significant amounts of money.
  • Better Management of Cyber Incidents: NIS2 requires businesses to have incident management procedures in place, including reporting requirements and response plans. By having a clear and well-defined incident management plan, businesses can quickly contain and mitigate the impact of cyber incidents. This can minimise the costs associated with downtime, lost productivity, and reputational damage.
  • Enhanced Business Continuity: The NIS2 Directive requires businesses to have business continuity plans in place, including backup and recovery procedures. By having robust business continuity plans, businesses can minimise the costs associated with downtime and ensure the continuity of critical services in the event of a cyber incident.
  • Improved Efficiency and Productivity: Implementing NIS2 guidelines can help businesses streamline their cybersecurity processes and reduce the administrative burden associated with managing their information systems. It can result in improved efficiency and productivity, leading to cost savings.

How can DataGuard help you comply with NIS2?

In today's world, information security is of utmost importance. With the advent of new technologies and increasing cyber threats, governments are taking steps to ensure that critical infrastructure and information systems are protected. One such step is the introduction of the new NIS2 Directive.

At DataGuard, we help our clients to increase their cybersecurity posture through ISO 27001 certification. ISO 27001 can help businesses prevent cyber-attacks by providing a comprehensive set of controls and guidelines for protecting information assets. The standard covers a wide range of areas including access control, network security, incident management, business continuity planning, and more.

We understand the challenges that businesses will face in complying with NIS2. We take a proactive approach to cybersecurity and specialise in supporting businesses in achieving ISO 27001 certification, a globally recognized standard for information security management.

Our platform empowers you to achieve compliance and ensure that your valuable information assets are protected. Our team of experts, with extensive experience in ISO 27001 and ISMS implementation, provides you with guidance on how to prepare for the new NIS2 Directive.

We help you:

  • Develop and implement incident management and business continuity plans,
  • Create information security policies, and
  • Ensure that employees are properly trained and aware of the importance of information security.

We also assist you with:

  • Asset management, identifying and managing critical assets that may be targeted by cybercriminals.

Requirements of the NIS2 Directive and how DataGuard can help:

  • Policies: Leverage our user-friendly platform to identify gaps, assess risks, and generate ISO-compliant policies.
  • Incident Management: Develop a customised incident response plan to ensure that businesses can quickly and effectively respond to cybersecurity incidents.
  • Business Continuity: Develop a comprehensive business continuity plan to minimise disruption in the event of a cybersecurity incident.
  • Training and Awareness: DataGuard's Academy provides digital training courses to raise employees’ maturity on cybersecurity topics and reduce the impact of social engineering.
  • Asset Management: Using our platform’s Asset Management feature, we ensure that businesses have complete visibility over their information asset inventory, which can then be managed effectively.

Being prepared is key to success

At DataGuard, we believe being prepared is key to success. Our goal is to help businesses achieve compliance and stay ahead of the game in today's cybersecurity landscape. We stay up to date with the latest developments in the regulation, ensuring that our clients are always informed and prepared for any changes that may arise.

With our in-house experts and InfoSec platform, businesses can rest assured that they are ready to face the challenges of the NIS2 Directive.
