How to Achieve Compliance with NIS Directive

The original NIS Directive came into force in 2016 as the EU’s first comprehensive law governing cybersecurity in member states. As part of its key policy objective to make Europe “fit for the digital age,” the European Commission proposed in December 2020 that NIS be revised, and NIS2 entered into force in January of 2023. Member states were required to transpose it into law by October 17, 2024.

NIS2 has been applicable in the European Union (EU) since October 18^th, 2024, replacing the previous NIS framework. Here is a look at some of the provisions and objectives of NIS2, as well as outlined technical guidance to improve the cyber-resilience of Member States under the updated framework.

Scope of NIS2

The NIS2 Directive aims to boost the level of cybersecurity across the EU, and applies to critical economic and societal sectors, including:

• Digital services
• Health
• Energy
• Transport
• Public administration
• Postal services
• Public electronic communications providers
• Information and Communications Technology (ICT) service management

And more.

Goals of NIS2

In its scope, NIS2 seeks to accomplish the following:

• Strengthen the security requirements of the companies under its jurisdiction.
• Address supply chain security and supplier relationships.
• Streamline reporting obligations.
• Implement stricter supervisory and enforcement requirements for national authorities.
• Harmonize sanctions regimes across Member States.

Additionally, overarching goals include improving cyber crisis management and information sharing at the level of individual European countries and the EU at large.

The new NIS2 technical guidelines seek to improve the cyber-resilience of critical sectors within the EU, covering methodological requirements for the following NIS2 subsectors:

• DNS service providers
• TLD name registries
• Cloud computing service providers
• Data center service providers
• Content delivery network providers (CDNs)
• Managed service providers (MSPs)
• Managed security service providers (MSSPs)
• Online marketplace providers
• Online search engine providers
• Social networking platform providers
• Trusted service providers

The European Union Agency for Cybersecurity (ENISA) developed this implementation guidance in collaboration with the European Commission and Member States within the NIS Cooperation group (NIS CG).

New NIS2 Technical Guidelines – Policies 

On November 7, ENISA released for consultation the "Implementation guidance on NIS2 security measures" opening the draft of the proposed technical guidance for comment. The consultation period ended on January 9, 2025.

In other words, the NIS2 Implementation Guidelines provide technical and methodological clarity on achieving the provisions laid out in the NIS2 Annex. That technical guidance includes specifics on the following thirteen policies:

1. Policy on the Security of Network and Information
2. Risk Management Policy
3. Incident Handling
4. Business Continuity and Crisis Management
5. Supply Chain Security
6. Security in Network and Information Systems Acquisition, Development, and Maintenance
7. Policies and Procedures to Assess the Effectiveness of Cybersecurity Risk-Management Measures
8. Basic Cyber Hygiene Practices and Security Training
9. Cryptography
10. Human Resources Security
11. Access Control
12. Asset Management
13. Environmental and Physical Security

Key Differences: NIS vs. NIS2

While there are granular and specified policy changes, an overarching comparison of the two NIS Directives reveal the following distinctions:

A Broader Scope

While NIS focused primarily on essential services providers and some digital services providers, the NIS2 takes in a broader range, including DNS providers, public administration, and the food sector.

It also includes not only “essential,” but “important” entities as well.

Harmonization Across Member States

NIS left more cybersecurity measures up to the discretion of individual national authorities, which provided a challenge to uniformity and consistency. To alleviate these problems, NIS2 introduced uniform criteria and clear guidelines for classification of entities and enforcement of policy.

Penalties and Enforcement

NIS2 imposes stricter penalties for non-compliance than did NIS, ranging up to 10 million euros or 2% of global turnover. Also different is the fact that management bodies of in-scope entities bear the ultimate responsibility for ensuring their organizations are compliant with NIS2 standards and may be liable if they fail to comply.

Risk Management and Security Obligations

Under NIS, entities were required to have risk management policies in place. However, NIS2 makes those requirements more stringent, with an increased focus on third-party and supply chain risks. It also introduces necessary regulations around business continuity, encryption, and incident response planning.

Incident Reporting

While NIS demanded that security incidents be reported within a reasonable timeframe, NIS2 requires such incidents to be reported within 24 hours, with follow-up reports due within 72 hours and a detailed final report mandated within a month.

UK’s CAF Supports NIS Compliance

Apart from the ENISA guidelines, the UK’s National Cyber Security Centre (NCSC) has published the Cyber Assessment Framework (CAF) to help further NIS2 goals. As noted in a vendor publication, “The CAF provides a comprehensive framework to assist NIS Competent Authorities to carry out assessments, enable the identification and prioritization of cybersecurity improvement activities, provide a general purpose tool that is industry sector agnostic, and be cost-effective to use and apply.”

The CAF Collection consists of 14 cybersecurity & resilience principles, grouped into four major objectives, together with guidance on using and applying the principles and the Cyber Assessment Framework (CAF) itself. The Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organization responsible. It is intended to be used either by:

• The responsible organization itself (self-assessment).
• An independent external entity, possibly a regulator or a suitably qualified organization acting on behalf of a regulator.

The NCSC cybersecurity and resilience principles provide the foundations of the CAF. The 14 principles are written in terms of outcomes, i.e., specification of what needs to be achieved rather than a checklist of what needs to be done. The latest version of the NCSC CAF can be found here.

How Fortra Can Help

The NIS2 Directive mandates that all in-scope entities of EU Member States have – and can prove that they have — robust risk management policies in place that extend to both third-party risk and supply chain threats. Fortra’s Vulnerability Management (VM) solution can help organizations meet NIS2 objectives and security requirements with visibility that goes beyond a scan alone. Designed as a proactive, risk-based vulnerability management solution, the solution:

• Identifies weaknesses and vulnerabilities within your environment.
• Evaluates which vulnerabilities would be exploitable in a real-world attack.
• Prioritizes which vulnerabilities are worth remediating first.

Additionally, Fortra reports on the status of your risk management program, including adherence to any relevant compliance standards. This is essential for easing audits and proving alignment with the NIS2 Directive. Available as a standalone solution or as a bundle with other proactive security services like penetration testing and red team engagements, Fortra offers continuous, risk-based vulnerability management that helps in-scope entities within the EU manage the risks that could undermine the safety of critical and important services.

“In today’s cybersecurity landscape, stepping up our capabilities... with up-to-date rules is of paramount importance,” asserted Margrethe Vestager, Executive Vice-President for A Europe Fit for the Digital Age, in relation to the NIS2 standard. "I urge the remaining Member States to implement these rules at national level as fast as possible to ensure that the services which are critical for our societies and economies are cyber secure.”