The Network and Information Security Directive 2 (NIS2) is the European Union’s bold response to the rising tide of digital threats, aiming to fortify its digital defenses and create a unified cybersecurity framework across the continent. The aim to is to harden cyberdefenses specifically in industries that are deemed “infrastructure” and therefore could present a threat to the functioning of society if they were disrupted, by, for example, a cyber-attack perpetrated by a foreign power.
This groundbreaking (and huge and complicated and confusing) legislation seeks to address the evolving landscape of cyber risks, harmonizing cybersecurity standards among EU member states like never before. It’s also going to create as least as much chaos as GDPR..! Companies are going to be scrabbling around trying to understand if they need to comply, and if so, what, EXACTLY, do they need to do? Like GDPR there will be a big stick in the form of huge potential fines, and like GDPR what fines will be levied for which offenses is as clear as mud.
It is expected to be released as an EU Directive in October 2024. Then it will be passed into laws in each EU member state in slightly different ways. It is not yet clear from which date companies are expected to be compliant with the local laws – and this may vary from member state to member state.
NIS2 significantly expands the scope of industries covered, (vs. NIS, the existing framework) encompassing a wide range of critical sectors such as energy, transportation, finance, health, and digital infrastructure, among others. Even providers of key digital services like cloud computing and online marketplaces are drawn into its orbit. Its net extends beyond merely those sectors, also reaching into entities that were not previously classified as essential services but are now recognized for their societal or economic importance. Sectors such as supply chain management and providers of public electronic communications networks are now encompassed under NIS2’s protection. Moreover, any company or public body that qualifies will also need to ensure that each of their suppliers is also compliant – so if you supply a software system to a public administration body, even if your company itself may not qualify, your client will need to make sure that you are compliant in order to fulfil its own compliance requirements.
Companies subject to NIS2 are tasked with a slew of rigorous requirements. These requirements include conducting thorough risk assessments, implementing sophisticated security measures, ensuring rapid detection and response to cyber threats, and preparing comprehensive incident reporting protocols. Governance structures must reflect this newfound emphasis on cybersecurity, with top management required to demonstrate accountability and expertise. Furthermore, companies must conduct regular training for staff, as a proactive measure against human error, one of the most potent threats to network security.
Enforcement of NIS2 will be uncompromising, with national regulators wielding enhanced investigative and punitive powers. Penalties for non-compliance could reach astronomical heights, with fines of up to 10 million euros or 2% of global annual turnover. Authorities will scrutinize compliance through systematic audits, meticulous inspections, and immediate demands for corrective actions where deficiencies are uncovered. The extent to which this will be proactive (e.g. inspections) vs. reactive (e.g. post-incident, or suspicion) depends on whether your company is deemed to be a “Critical Entity” or the less strict “Important Entity” (see bottom of this page for more detail).
So what does a company actually have to DO? A comprehensive system of security controls will be enforced, including multi-factor authentication for access to sensitive data, network segmentation to contain potential breaches, and sophisticated encryption standards to ensure the confidentiality and integrity of information. Simply put, a company will need an Information Security Management System. If you are currently working on the new ESG reporting requirements, there are similarities; identifying key focus areas, setting policies, enforcing processes, measuring outcomes and setting targets, dealing with incidents and so on.
Companies with ISO 27001 should not find that there is much additional work required to comply with NIS2. Some government authorities are even expressly recommending ISO 27001 as the ideal path to compliance. Regardless of whether an ISO 27001 certificate is sought, there is a large overlap between the NIS2 requirements and those of ISO 27001.
In summary, NIS2 is coming. It’s big. It’s going to be a turbulent few years while governments and companies learn how to enforce and comply with the Directive. There will be a dearth of expertise available to help during this transition and some companies will find it near-impossible to meet the deadlines and requirements. Our advice? Start planning now! Book a meeting to talk to us by first registering your email.
Essential Entities: These include organizations operating in sectors traditionally recognized as critical to the functioning of society and the economy. Examples include energy, transportation, financial services, healthcare, digital infrastructure, and public administration. Essential entities are considered high-impact targets whose disruption could have far-reaching consequences. Therefore, they are subject to the strictest security requirements, frequent audits, and rigorous oversight from national authorities. Failure to comply with NIS2 requirements can lead to severe penalties for these entities.
Important Entities: These organizations play a significant role but are not deemed as crucial as essential entities. They include digital service providers like cloud computing platforms, digital infrastructure operators, and research and development firms. Though the requirements are still substantial, important entities face slightly less stringent oversight. The approach is more risk-based, focusing on proactive monitoring and continuous improvement rather than the immediate punitive measures that essential entities might face.