A Step-by-Step Guide for EU's NIS2 Directive

In a nutshell:

• The NIS2 (Network and Information Systems) Directive is a piece of legislation that aims to improve the cybersecurity of networks and information systems across the European Union (EU).
• NIS2 builds on the previous NIS Directive, which was implemented in 2016, and is part of a broader effort to strengthen the EU's cybersecurity capabilities.
• The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.
• Within the European Parliament, the file was assigned to the Committee on Industry, Research and Energy. The committee adopted its report on 28 October 2021, while the Council agreed on its position on 3 December 2021.
• The co-legislators reached a provisional agreement on the text on 13 May 2022. The political agreement was formally adopted by the Parliament and then the Council in November 2022.
• It entered into force on 16 January 2023, and the Member States now have 21 months, until 17 October 2024, to transpose its measures into national law.

As a business operating in the EU, it's important to understand what the NIS2 Directive entails and how it may affect your operations.

This step-by-step guide will provide a comprehensive overview of the NIS2 Directive, including what it covers, who it applies to, and what steps you need to take to comply with its requirements. By the end of this guide, you'll have a clear understanding of what you need to do to ensure your business is NIS2 compliant.

Why is the NIS2 Directive important for businesses in EU? 

While the first Directive (NIS) made significant strides in improving the cybersecurity capabilities of Member States, its implementation proved challenging and resulted in fragmentation across the internal market.

To address these challenges, the European Commission proposed the NIS2 Directive, which aims to enhance security requirements further, address supply chain security, streamline reporting obligations, and introduce stricter supervisory measures and enforcement requirements, including harmonized sanctions throughout the EU. By broadening the scope of entities and sectors obligated to take measures, NIS2 seeks to increase the level of cybersecurity in Europe over the long term

You might also be interested in reading: Strengthening Cybersecurity through the EU’s NIS2 Directive

NIS to NIS2 Directive: What changed exactly?

The Network and Information Security (NIS) Directive was first introduced in 2016 with the aim of creating a harmonised approach to cybersecurity across the European Union.

The Directive set out a series of security requirements for operators of essential services (OES) and digital service providers (DSP), including incident reporting obligations and risk management requirements. The NIS Directive was the first piece of EU-wide legislation on cybersecurity. It marked a significant step forward in the fight against cybercrime.

However, implementing NIS Directive proved to be a challenge for many businesses. Some organisations struggled to understand their obligations under the Directive, while others found it difficult to comply with the complex reporting requirements. In addition, the NIS Directive was criticised for not covering a wide enough range of organisations and sectors.

Moving towards increased cybersecurity

To address these issues, the European Commission proposed a new version of the NIS Directive, known as NIS2. NIS2 aims to build on the success of the original directive while addressing some of the shortcomings. One of the main changes in NIS2 is the expansion of its scope to cover more organisations and sectors, including smaller businesses and digital platforms. This will ensure that more organisations are taking steps to protect themselves against cyber threats.

NIS2 also places a greater emphasis on risk management, requiring organisations to regularly identify and assess cyber risks. This will help businesses to better understand the threats they face and take appropriate action to mitigate those risks. NIS2 also introduces new requirements for incident reporting and response, ensuring that businesses are better equipped to handle cyber-attacks when they occur.

Another important aspect of NIS2 is the focus on supply chain security. The Directive requires organisations to assess the security of their supply chains and take steps to ensure that their suppliers are also taking appropriate measures to protect against cyber threats. This is particularly important considering recent high-profile supply chain attacks, which have demonstrated the importance of securing the entire supply chain.

Who’s affected by the NIS2 Directive and who does it apply to?

The NIS2 Directive applies to a range of entities operating across 11 essential and 7 important sectors. Under the Directive, certain entities are required to comply with the regulations to protect their systems from cyberattacks and to ensure that they can quickly recover from any incidents that do occur. The entities that are affected by the NIS2 Directive are as follows:

Operators of Essential Services (OES): These are companies that provide services that are essential to the functioning of society and the economy. Examples include energy companies, water suppliers, and healthcare providers. OES are required to comply with the NIS2 Directive regardless of their size.

Digital Service Providers (DSPs): These are companies that provide online services such as e-commerce platforms, cloud computing services, and search engines. DSPs are only required to comply with the NIS2 Directive if they meet certain size criteria. Specifically:

• Medium entities: DSPs with 50 or more employees and an annual turnover of at least €10 million.
• Large entities: DSPs with 250 or more employees and an annual turnover of at least €50 million.

It's worth noting that even if a company does not meet these criteria, they may still choose to comply with the NIS2 Directive to improve their cybersecurity measures and protect their systems from cyberattacks.

In summary, the NIS2 Directive affects both Operators of Essential Services and certain Digital Service Providers that meet certain size criteria.

If your business falls into one of these categories, it's important to ensure that you are complying with the regulations in order to protect your systems from cyberattacks and to avoid potential fines for non-compliance.

What are the requirements of the NIS2 Directive?

NIS2 measures are based on “all-hazards approach” aiming to protect both network and information systems and physical environment of those systems from incidents. The requirements include:

• Policies
• Incident Management
• Business Continuity
• Supply Chain Security
• Training
• Asset Management
• Reporting Obligations

What are the NIS2 Directive fines? 

Fines for non-compliance with the NIS2 Directive can be substantial. In some cases, fines may be as high as €10 million or 2% of the entity's global turnover, whichever is higher. In the most severe cases, fines can be as high as €20 million or 4% of the entity's global turnover, whichever is higher.

National authorities also have the power to impose other measures such as orders to suspend or restrict an entity's activities to protect the security of networks and information systems. It is therefore important for OES and DSPs to ensure that they comply with the requirements of the NIS2 Directive.

Will NIS2 impact businesses in the UK?

NIS was fully implemented into the UK for businesses due to it being part of the EU; however, as a result of other factors NIS2 is not yet mandatory in the UK. On the flipside, the UK Government is currently reviewing the effectiveness of NIS2 to see if they wish to implement it anyway in some form. The recommendation should be that UK businesses need to prepare for the likely implementation of either the NIS2 requirement itself or a UK modified version.

There is truly little information about NIS2 in the UK due to it being an EU legislation. However, a resource stated that “Following Brexit, the UK is no longer required to follow the NIS2 Directive”.

How can the NIS2 Directive help improve your business operations? 

• Risk Management: The NIS2 Directive requires businesses to conduct regular risk assessments of their information systems, identify potential risks and vulnerabilities, and implement measures to mitigate them. By following this requirement, businesses can proactively manage their cybersecurity risks and minimise the likelihood of a cyber-attack.
• Incident Management: The Directive requires businesses to have incident management procedures in place, including reporting requirements and response plans. This helps businesses respond quickly and effectively to cyber incidents, minimise their impact, and prevent similar incidents in the future.
• Technical and Organisational Measures: Another requirement of NIS2 for businesses is to implement appropriate technical and organisational measures to ensure the security of their networks and information systems. This includes measures such as access controls, encryption, and monitoring systems. By implementing these measures, businesses can significantly reduce the risk of cyber-attacks and data breaches.
• Business Continuity: By having business continuity plans in place, including backup and recovery procedures, businesses can maintain their operations in the event of a cyber incident, minimising downtime and ensuring the continuity of critical services.
• Supply Chain Security: Implementing measures to ensure the security of their supply chain, including third-party suppliers and contractors, is also a part of NIS2. By ensuring the security of their supply chain, businesses can reduce the risk of cyber-attacks originating from third-party sources.

How can businesses better manage and mitigate cyber risks with the NIS2 Directive?

• Reduced Risk of Cyber Attacks: Implementing NIS2 guidelines can significantly reduce the risk of cyber-attacks and data breaches. These incidents can be expensive to remediate, and businesses may also face regulatory fines and legal liabilities. By reducing the likelihood of cyber incidents, businesses can save significant amounts of money.
• Better Management of Cyber Incidents: NIS2 requires businesses to have incident management procedures in place, including reporting requirements and response plans. By having a clear and well-defined incident management plan, businesses can quickly contain and mitigate the impact of cyber incidents. This can minimise the costs associated with downtime, lost productivity, and reputational damage.
• Enhanced Business Continuity: The NIS2 Directive requires businesses to have business continuity plans in place, including backup and recovery procedures. By having robust business continuity plans, businesses can minimise the costs associated with downtime and ensure the continuity of critical services in the event of a cyber incident.
• Improved Efficiency and Productivity: Implementing NIS2 guidelines can help businesses streamline their cybersecurity processes and reduce the administrative burden associated with managing their information systems. It can result in improved efficiency and productivity, leading to cost savings.

How can DataGuard help you comply with NIS2?

In today's world, information security is of utmost importance. With the advent of new technologies and increasing cyber threats, governments are taking steps to ensure that critical infrastructure and information systems are protected. One such step is the introduction of the new NIS2 regulation.

At DataGuard, we help our clients to increase their cybersecurity posture through ISO 27001 certification. ISO 27001 can help businesses prevent cyber-attacks by providing a comprehensive set of controls and guidelines for protecting information assets. The standard covers a wide range of areas including access control, network security, incident management, business continuity planning, and more.

We understand the challenges that businesses will face in complying with NIS2. We take a proactive approach to cybersecurity and specialise in supporting businesses in achieving ISO 27001 certification, a globally recognized standard for information security management.

Our platform empowers you to achieve compliance and ensure that your valuable information assets are protected. Our team of experts with extensive experience in ISO 27001 and ISMS implementation provide you guidance on how to prepare for the new NIS2 Directive.

We help you:

• Develop and implement incident management and business continuity plans,
• Create information security policies, and
• Ensure that employees are properly trained and aware of the importance of information security.

We also assist you with:

• Asset management, identifying and managing critical assets that may be targeted by cybercriminals.

Being prepared is key to success

At DataGuard, we believe being prepared is key to success. Our goal is to help businesses achieve compliance and stay ahead of the game in today's cybersecurity landscape. We stay up to date with the latest developments in the regulation, ensuring that our clients are always informed and prepared for any changes that may arise.

With our in-house experts and InfoSec platform businesses can be rest assured that they are ready to face the challenges of the NIS2 Directive.