The European NIS 2 Directive: Overview, Requirements, and the Compliance Process

NIS 2 is the latest version of the EU cybersecurity legislation known as the NIS Directive. The updated version focuses on cybersecurity risk management and cyberattack reporting requirements and is intended to correct the current situation of under-reporting.

NIS 2 applies only to organizations where disruption to operations would significantly affect the broader society. These are divided into essential (vital) entities such as energy, transportation, and health, and important entities that carry out critical but not urgent and immediate operations such as cloud computing, data center services, and food production.

NIS 2 requires covered entities to implement cyber-risk measures that ensure a level of security proportionate to the risk posed, to report significant cyber incidents, and to cooperate with national authorities.

NIS 2 also presents new governance mechanisms at both the national and the EU levels, including per-sector cybersecurity authorities and national cybersecurity coordination centers (NCCCs). In addition, the directive calls for setting up multiple Computer Security Incident Response Teams (CSIRTs) to bolster cross-border response to incidents.

NIS 2 imposes stricter enforcement for non-compliance, including on-site inspections, audits, temporary suspensions, and restrictions imposed on C-level executives.


The Evolution of the NIS Directive

The main differences between the original NIS Directive and the new NIS 2 Directive are:

· NIS 2 broadens sector coverage, adding the category of “important” (but not “essential”) sectors that are subject to lighter security and reporting obligations.

· NIS 2 sets more detailed and uniform security requirements for all entities covered by the directive, focusing on risk management, incident handling, supply-chain security, Zero Trust, and other areas that have become prominent cybersecurity concepts since the introduction of the original directive.

· Establishment of a single point of contact at national level for receiving notifications of incidents.

· Stricter compliance enforcement and uniform fines for non-compliance (up to €10 million or 2% of global annual turnover).


Incident Reporting and Coordination Mechanisms in NIS 2

One of the key elements in NIS 2 is the obligation to report cyber incidents that have a significant impact on the continuity of services or on the security of network and information systems. Compared to the original NIS Directive, NIS 2 establishes clearer and more consistent criteria and thresholds for what counts as significant.

For example, essential and important entities are required to report incidents that affect more than 100,000 users, cause a loss of more than EUR 1 million, or cause a disruption of more than 24 hours.

Coordination mechanisms include a network of Computer Security Incident Response Teams (CSIRTs), as well as the new European Cyber Crises Liaison Organisation Network (CyCLONe), comprising representatives of Member States’ competent authorities and CSIRTs as well as representatives of EU institutions and agencies such as ENISA (the European Union Agency for Cybersecurity), CERT-EU (the Computer Emergency Response Team for EU institutions), and Europol.

Figure: NIS2 (Source: ENISA)


NIS 2 Preparedness Checklist

NIS 2 includes a preparedness checklist to help organizations comply with the directive. (This list is provided for informative purposes only. It does not ensure compliance.)

  • Identify whether yours is an essential or an important entity (per Annexes I and II).
  • List the essential/important services you provide and notify governing authorities.
  • Implement appropriate measures to manage the risks posed to the security of network and information systems used for providing those services.
  • Ensure that management bodies approve the cybersecurity risk-management measures taken by those entities and oversee their implementation. Management can be held liable for infringements.
  • Ensure that members of the management bodies follow training guidelines on cybersecurity risk-management practices and their impact on the services provided by the entity.
  • Notify, without undue delay, any incident having a significant impact on the continuity of those services to the competent authority or to the CSIRT (Computer Security Incident Response Team).
  • Provide information necessary for risk assessments carried out by competent authorities or CSIRTs upon request.
  • Cooperate with competent authorities or CSIRTs during inspections or audits.
  • Comply with any instructions or orders issued by competent authorities or CSIRTs in relation to incidents – actual or potential – affecting their services.
  • Participate in regular exercises organized by competent authorities or CSIRTs to test their incident response capabilities.


Implementation Requirements

NIS 2 was adopted by the EU Parliament in November 2022 and entered into force on January 16, 2023. Member States have until October 2024 to transpose it into national law.
