NIS 2 is one of the latest cybersecurity directives that organizations need to know about. But what exactly is NIS 2? What does it require? Who must comply with it? This article answers these and other key questions about this directive — and offers effective strategies for achieving compliance.
What is NIS 2?
NIS 2 is a cybersecurity directive. Published in the Official Journal of the European Union as Directive (EU) 2022/2555, it came into force on 16 January 2023.
This directive replaces the Network and Information Systems (NIS) Directive from 2016, published as Directive (EU) 2016/1148 and now often referred to as NIS 1. The original NIS directive was designed to improve cybersecurity across the EU by establishing a common framework of standards and guidelines. NIS 2 builds upon that foundation, making some significant changes to address shortcomings of NIS 1. In particular, NIS 2 expands the scope of organizations subject to the directive, changes the information security requirements they must follow and increases the potential fines for noncompliance.
When does NIS 2 take effect?
While NIS 2 came into force on January 16, 2023, EU directives do not have direct effect in EU member states. Rather, each member state needs to transpose the requirements of the directive into its own national law.
In the case of NIS 2, member states must adopt and publish the measures necessary for compliance by October 17, 2024, and apply the measures starting the following day. The repeal of the original NIS directive takes effect that same day.
What is the purpose of NIS 2?
NIS 2 is based on extensive analysis of the effectiveness of NIS 1. While NIS 1 proved to be a solid initial cybersecurity directive, the European Commission identified several shortcomings. In particular, they noted a lack of clarity about its requirements, inconsistent implementation by different EU member states, ineffective enforcement, and a lack of information sharing among those states.
Moreover, the Commission realized that both technology and the cybersecurity threat landscape have evolved dramatically since NIS 1 was passed in 2016, and that societies and economies are far more dependent upon information technology.
The new directive is designed to address these findings. In particular, the revised directive includes the following changes, many of which are discussed in more detail in their own sections later:
- Broader scope and clearer rules — NIS 2 applies to more sectors and entities than NIS 1, and defines standard criteria for determining applicability.
- Expanded security requirements — The new mandate introduces multiple mandatory measures to help prevent cybersecurity incidents, including risk analysis and remediation for information systems, cyber hygiene practices, cybersecurity training and stronger authentication.
- Increased accountability — The new directive makes managers and boards more involved and responsible.
- Stronger oversight and steeper penalties — The new directive standardizes and strengthens penalties, and increases powers of supervisory authorities.
- Clearer incident reporting obligations — The directive lays out details like timelines for reporting incidents and the information that must be provided.
- Stronger supply chain security — NIS 2 enhances supply chain security with measures requiring risk assessments and appropriate management.
- Increased international cooperation — The directive recognizes a new platform for managing large-scale, cross-border cybersecurity crises.
Who does NIS 2 apply to?
NIS 1 applied to any operator of essential services (OES) in seven critical sectors — energy, transport, banking, financial market infrastructures, healthcare, drinking water and digital infrastructure — as well as to larger providers of key digital services, such as cloud computing services, search engines and online marketplaces.
NIS 2, on the other hand, applies to public or private organizations that are defined as either “essential” or “important” entities:
- Essential entity — The concept of an “essential entity” is much broader than OES, so NIS 2 applies not just to the areas covered by NIS 1 but to 18 critical sectors, including:
  - Transport, including by air, rail, water or road
  - Financial market infrastructures
  - Drinking water
  - Waste water
  - Digital infrastructure, including cloud computing and data center services, content delivery networks, and public electronic communications networks
  - Business-to-business service management companies, such as managed service providers (MSPs) and managed security service providers (MSSPs)
  - Public administration
  - Postal and courier services
  - Waste management
  - Manufacture, production and distribution of chemicals
  - Production, processing and distribution of food
  - Manufacturing of medical devices, computers, electronic and optical products, machinery, and transport equipment
  - Digital providers of online marketplaces, online search engines and social networking services platforms
- Important entity — Important entities include the “digital service providers” under NIS 1 as well as other organizations. Important entities are subject to more stringent obligations than digital service providers were under NIS 1. They must meet the same requirements as essential entities but are subject to less oversight.
With NIS 1, member states were responsible for determining which organizations met the criteria for being an OES. NIS 2, on the other hand, applies to all entities in the sectors listed that qualify as medium-sized or larger enterprises as defined by Article 2 of the Annex to Recommendation 2003/361/EC. Thus, it will be mandatory for any entity that has more than 50 employees and an annual turnover and/or annual balance sheet total that exceeds €10 million.
NIS 2 also applies to smaller entities that “fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.” For example, this caveat applies to providers of public electronic communications networks if the disruption of the service could have significant implications for public health.
The directive also applies to certain entities that are not established in the EU but offer services within the EU. These entities are:
- DNS service providers
- TLD name registries
- Entities providing domain name registration services
- Cloud computing and data center service providers
- Content delivery network providers
- MSPs and MSSPs
- Providers of online marketplaces, online search engines or social networking services platforms
Any such entity is required to establish a representative in one of the member states where its services are offered, and the entity will fall under the jurisdiction of that member state. If the entity fails to establish a representative, any member state in which the entity provides services may take legal action against the entity for infringement of the directive.
What are the security obligations of NIS 2?
Under the new directive, essential and important entities must implement technical, operational and organizational measures to manage the risks posed to the security of their network and information systems and to prevent and minimize the impact of incidents. These measures must include at least the following:
- Risk analysis and information system security
- Incident handling
- Business continuity, which includes cyber resilience strategies like backup and disaster recovery
- Supply chain security
- Security in network and information systems acquisition, development and maintenance
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and encryption
- Human resources security, access control policies and asset management
- Use of multifactor authentication (MFA) or continuous authentication; secured voice, video and text communications; and secured emergency communication systems
The measures are required to a level of security appropriate to the risks posed. When assessing the proportionality of those measures, the following factors should be considered:
- The entity’s risk exposure
- The entity’s size
- The probability that an incident will happen
- The potential severity of an incident, including its societal and economic impact
What are the reporting obligations of NIS 2?
While NIS 1 included obligations regarding incident reporting, NIS 2 clarifies these obligations. It details more specific provisions regarding the reporting process, content and timelines, such as the following:
Entities must submit an initial assessment on an incident to their computer security incident response team (CSIRT) or (where applicable) the competent authority within 24 hours of becoming aware of an incident and provide a final update within one month of the initial notification.
When it is necessary to notify the public in order to prevent or deal with an ongoing significant incident or for public interest, both the national or third-country CSIRTs and competent authorities may take the initiative to inform the public about the incident, or require the affected entity to do so.
When an essential or important entity becomes aware of a significant incident, they must issue the following:
- Early warning — An early warning must be submitted “without undue delay” and in any case within 24 hours. It should include only the information necessary to make the CSIRT or the competent authority aware of the incident and allow the entity to seek assistance. It should indicate whether the incident is suspected of being caused by unlawful or malicious acts, and whether it is likely to have a cross-border impact.
- Incident notification — This notification must be provided “without undue delay” and in any case within 72 hours of becoming aware of the incident. It should provide an initial assessment of the incident, including its severity and impact, as well as any indicators of compromise that are known.
- Final report — Not later than one month after the incident notification, the entity should provide a final report. If the incident is still ongoing at that point, they should provide a progress report instead, followed by a final report within one month of the incident being handled.
- Notification to recipients of services — Where applicable, entities should inform their service recipients of a significant cyber threat and any measures they can take to mitigate the risks from it, again without “undue delay.” This information should be provided free of charge and written in easily comprehensible language.
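As an added illustration that is not part of the original article, the following Python sketch turns the reporting timelines above into a status check an incident response team could run against its own incident records: it tells you which step (early warning, incident notification, progress report, final report) is submitted, submitted late, pending or overdue as of a given moment, including the branch where the incident is still ongoing at the one-month mark. The SignificantIncident record layout, the function names and the reading of "one month" as 30 days are assumptions of this example, not definitions from the directive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timelines as summarized above: early warning within 24 h and incident
# notification within 72 h of becoming aware; final report one month after
# the incident notification, or, if the incident is still ongoing then,
# a progress report at that point and a final report one month after handling.
# "One month" is modelled as 30 days here (an assumption of this example).
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
ONE_MONTH = timedelta(days=30)


@dataclass
class SignificantIncident:
    """Timestamps an IR team records for one significant incident (hypothetical schema)."""
    aware_at: datetime
    early_warning_at: Optional[datetime] = None
    notification_at: Optional[datetime] = None
    progress_report_at: Optional[datetime] = None
    handled_at: Optional[datetime] = None       # when the incident stopped being ongoing
    final_report_at: Optional[datetime] = None


def _classify(submitted_at: Optional[datetime], due: datetime, now: datetime):
    """Return (state, deadline) for one reporting step."""
    if submitted_at is not None:
        return ("submitted_late" if submitted_at > due else "submitted", due)
    return ("overdue" if now > due else "pending", due)


def reporting_status(inc: SignificantIncident, now: datetime) -> dict:
    """Map each NIS 2 reporting step to (state, deadline) as of `now`."""
    status = {
        "early_warning": _classify(inc.early_warning_at, inc.aware_at + EARLY_WARNING_WINDOW, now),
        "incident_notification": _classify(inc.notification_at, inc.aware_at + NOTIFICATION_WINDOW, now),
    }
    if inc.notification_at is None:
        # The one-month clock only starts once the incident notification is sent.
        status["final_report"] = ("not_applicable", None)
        return status

    month_mark = inc.notification_at + ONE_MONTH
    if inc.handled_at is None:
        if now <= month_mark:
            # Not yet known whether the incident will still be ongoing at the month mark.
            status["final_report"] = ("pending", month_mark)
        else:
            # Still ongoing past the month mark: a progress report was due then,
            # and the final report deadline is unknown until the incident is handled.
            status["progress_report"] = _classify(inc.progress_report_at, month_mark, now)
            status["final_report"] = ("pending", None)
    elif inc.handled_at <= month_mark:
        # Handled before the month mark: the final report is due at the month mark.
        status["final_report"] = _classify(inc.final_report_at, month_mark, now)
    else:
        # Handled after the month mark: progress report then, final report one month after handling.
        status["progress_report"] = _classify(inc.progress_report_at, month_mark, now)
        status["final_report"] = _classify(inc.final_report_at, inc.handled_at + ONE_MONTH, now)
    return status


def overdue_steps(inc: SignificantIncident, now: datetime) -> list:
    """Names of the reporting steps that are overdue as of `now`, sorted."""
    return sorted(name for name, (state, _) in reporting_status(inc, now).items()
                  if state == "overdue")


if __name__ == "__main__":
    # Constructed sample: aware on 1 Nov 2024 09:00 UTC, early warning sent after 20 h,
    # incident notification not yet sent, and it is now 80 h after awareness.
    t0 = datetime(2024, 11, 1, 9, 0, tzinfo=timezone.utc)
    inc = SignificantIncident(aware_at=t0, early_warning_at=t0 + timedelta(hours=20))
    for step, (state, due) in reporting_status(inc, t0 + timedelta(hours=80)).items():
        print(f"{step:22s} {state:15s} due {due}")
    print("overdue:", overdue_steps(inc, t0 + timedelta(hours=80)))
```

Running the sample shows the early warning as submitted, the incident notification as overdue (the 72-hour window has passed) and the final report as not yet applicable, which is the state a team most often needs flagged: a late second notification rather than a missed first one. Wiring `reporting_status` to a ticketing system's incident fields is left to the reader.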
What power do regulators have to investigate entities?
When evaluating a potential NIS 2 violation, regulators have the following powers of investigation:
- On-site inspections
- Security audits
- Requests for information to assess the entity’s security response plans and the measures they have in place
- Security scans
- Access to information to assess the entity’s cybersecurity risk management measures, evidence of the implementation of those measures, and any related documents and information
For organizations considered important rather than essential, these measures are allowed only after an incident. At essential entities, by contrast, regulators may apply any of these measures they consider necessary to ensure adherence, whether or not an incident has occurred.
What are the penalties for non-compliance?
The original NIS Directive required EU member states to establish penalties for noncompliance but specified no minimums, stating only that the penalties must be “effective, proportionate and dissuasive.”
The new directive, on the other hand, requires member states to empower authorities to impose steep fines for non-compliance:
- For essential entities: at least €10 million or 2% of global annual turnover, whichever is higher
- For important entities: at least €7 million or 1.4% of global annual turnover, whichever is higher
In addition, management personnel can be held liable for non-compliance with the new directive, and the entity could be subject to designation of a monitoring officer.
How can organizations meet the obligations of NIS 2?
There is no single silver bullet for cybersecurity and regulatory compliance. Indeed, it’s important to recognize that NIS 2 moves beyond a tight focus on cybersecurity to a broader attention to cyber resilience. That is, organizations must not only battle cybersecurity threats, but consider the larger goal of keeping their businesses up and running. After all, you want to effectively defend against and quickly recover from not just malicious attacks, but a wide range of adversity, including natural disasters, power failures, unexpectedly high loads and other threats to your vital IT systems.
Governments are particularly concerned about maintaining operational services at organizations that are vital to society, public safety and the economy, which is why NIS 2 targets critical sectors. But the truth is, the requirements laid out by this directive are useful for any organization that wants to be more resilient in the face of adversity.
To get started building a robust cyber resilience strategy, consider the following:
- Adopt one of the commonly used cyber resilience frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), to guide your strategy.
- Invest in cybersecurity risk management solutions that cover all the key pillars currently defined by the NIST CSF — Identify, Protect, Detect, Respond and Recover — as well as one that is expected to be added, Govern.
- Begin implementing a Zero Trust security model, which incorporates techniques required by the directive, such as MFA.
- Look for cyber resilience solutions built with a strong security mindset and that have earned certifications like SOC 2 Type 2 and ISO 27001, 27017 and 27018.
EU member states have already begun transposing the requirements of NIS 2 into their own regulations, and need to have that work completed by October 17, 2024. Even without the details of the exact laws that will be enacted, organizations can — and should — begin preparing now to ensure compliance.