The Network and Information Security 2 (NIS2) Directive is the European Union's (EU) second attempt at an all-encompassing cybersecurity directive. The EU introduced the legislation to update the much-misinterpreted Network and Information Security (NIS) Directive (2016) and improve the cybersecurity of all member states. It signed NIS2 into law in January 2023, expecting all relevant organizations to comply by October 18th, 2024.
This article will explore NIS2's goals, why the EU introduced it, whom it applies to, its essential elements, and the penalties for non-compliance.
Why was NIS2 introduced?
As we have established, the EU introduced NIS2 to update the NIS directive of 2016. NIS aimed to ensure all "essential" sectors in all member states took the necessary measures to protect themselves from cybercrime. However, experts criticized NIS for being too vague, and member states interpreted it differently; the definition of an "essential" sector differed from state to state.
NIS2 aims to eradicate those discrepancies. Compared to NIS, it has a considerably more detailed scope, requirements, and intentions, leaving little room for interpretation across member states.
What are the goals of NIS2?
NIS2 aims to establish a standard level of cybersecurity across all member states by introducing standardized requirements and measures. By establishing affected sectors, security requirements, reporting obligations, enforcement measures, and sanctions, NIS2 strives to protect the EU's critical infrastructure and citizens.
Additionally, NIS2 has three primary objectives:
- Increase cyber resilience across essential service providers.
- Streamline cyber resilience through stricter security requirements and penalties for violations.
- Improve the EU's preparedness to deal with cyberattacks.
To whom does NIS2 apply?
NIS2 applies to entities with more than 50 employees or an annual turnover of more than €10 million, as well as to entities that the EU deems essential to the European economy and society. However, different entities are subject to different regulations and potential consequences depending on their perceived criticality.
Essential Entities (EE) include organizations that employ roughly 250 people, have an annual turnover of €50 million, have a balance sheet of around €43 million, and operate in one of the following sectors:
- Public Administration
- Water Supply
- Digital Infrastructure (for example, cloud services providers and ICT management)
Important Entities (IE) include organizations that employ roughly 50 people, have an annual turnover of €10 million, have a balance sheet of €10 million, and operate in one of the following sectors:
- Postal Services
- Waste Management
- Digital Providers (for example, social media and search engines)
What are the essential elements of NIS2?
NIS2 builds on the following elements of the previous NIS Directive:
- The NIS1 strategy on the security of network and information systems: NIS2 requires member states to adopt a national cybersecurity strategy, designate national Computer Security Incident Response Teams (CSIRTs) that are responsible for risk and incident handling, establish a competent national cybersecurity authority, and appoint a single point of contact (SPOC) to liaise with other member states.
- The NIS1 framework establishing the NIS Cooperation Group: NIS2 continues the NIS1 framework to support and facilitate strategic cooperation and the exchange of information across member states and the CSIRTs Network. The framework promotes swift and effective operational collaboration between national CSIRTs.
- The elements of NIS1 that ensure cybersecurity measures across seven vital sectors: As we covered earlier, NIS2 expands the scope of NIS1's sectors and introduces a size threshold that defines which entities it applies to and which entities are required to report significant cybersecurity incidents to the national competent authorities.
Additionally, NIS2 has ten essential requirements that all companies must address or implement. Under NIS2, relevant entities must:
- Establish a cybersecurity governance framework: Relevant entities must identify and document the roles and responsibilities of key stakeholders and define clear lines of authority and communication. The European Union Agency for Cybersecurity's (ENISA) European Cybersecurity Skills Framework (ECSF) is a great place to start.
- Administer regular cybersecurity awareness training: Relevant entities must ensure all staff are up to date on the latest threats and best practices for safeguarding their employer's digital assets. Training must cover password hygiene, phishing scams, and reporting processes.
- Create an incident response plan: Relevant entities must define clear guidelines for detecting and reporting incidents, establish a methodical process for containing and mitigating damages, and ensure all staff are clear on their roles and responsibilities.
- Conduct regular risk assessments: Relevant entities must regularly assess their infrastructure and supply chain to identify potential vulnerabilities and improve cybersecurity strategies.
- Bolster supply chain security: Relevant entities must build security measures into their supply chain, carry out vendor risk assessments and audits, implement security monitoring tools, and communicate regularly with suppliers.
- Regularly patch and update infrastructure and applications: Relevant entities must monitor their environments to identify and patch any potential security vulnerabilities.
- Deploy threat detection tools: Relevant entities must implement the tools necessary to identify potential threats, such as Intrusion Detection Systems (IDS) or Security Information and Event Management (SIEM) tools.
- Implement strong authentication controls: Relevant entities must implement robust authentication methods such as multi-factor authentication (MFA) and secure all sensitive communication channels.
- Establish cryptography and encryption policies: Relevant entities must use cryptography and, when appropriate, encryption technologies to secure sensitive information.
- Secure human resources assets: Relevant entities must secure staff data by implementing access control and asset management policies.
Penalties for NIS2 non-compliance
The penalties for failing to comply with NIS2 requirements are:
- For Essential Entities, €10 million or 2% of global turnover, whichever is higher.
- For Important Entities, €7 million or 1.4% of global turnover, whichever is higher.
The Network and Information Security 2 (NIS2) Directive is the EU's proactive response to improve cybersecurity across member states. By addressing the shortcomings of the NIS Directive, NIS2 aims to create a uniform cybersecurity standard, enhance resilience, and foster better cooperation. With specific requirements and penalties, it ensures essential entities prioritize cybersecurity, safeguarding critical infrastructure and citizens from cyber threats. Non-compliance can result in substantial fines, incentivizing organizations to take cybersecurity seriously. NIS2 represents a significant step forward in the EU's efforts to enhance digital security and protect its economy and society from cyber risks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.