Oct 17, 2024

NIS2 compliance: NIS2 requirements and who is affected

To address the growing threat of cyberattacks, the EU adopted the NIS (Network and Information Security) Directive (Directive (EU) 2016/1148) in 2016. Its goal was to raise a common level of cybersecurity across all EU Member States.

However, as technology advanced and threats became more complex, new challenges emerged. Events like the shift to remote work and changes in global politics led to a rise in cyberattacks. To tackle these challenges, the EU revised the NIS Directive, resulting in NIS2. This updated Directive focuses on strengthening cybersecurity in even more industries and sectors, aiming to protect against evolving cyber risks.

In this article, we will answer the following questions:

  • What is NIS2 compliance?
  • When does NIS2 come into effect?
  • Who does NIS2 apply to?
  • What are the main NIS2 compliance requirements?
  • What are NIS2 penalties?
  • Why is the NIS2 Directive important for European businesses?

What is the NIS2 Directive? 

As mentioned above, the NIS2 Directive (Directive (EU) 2022/2555) builds on and improves the earlier EU cybersecurity Directive, NIS. Its main goal is to boost the security of network and information systems across the EU. It requires organizations running critical infrastructure and essential services to put appropriate security measures in place and to report significant incidents to the competent national authorities or CSIRTs. 

NIS2 goes beyond what NIS did by covering more organizations and sectors across the EU. It focuses on securing supply chains, harmonising incident reporting across Member States, and enforcing tougher security rules and penalties throughout Europe. NIS2 entered into force on 16 January 2023. Let’s now find out when NIS2 comes into effect and what the essential NIS2 deadlines are.

Important NIS2 deadlines  

  • EU Member States have until October 17, 2024, to transpose the Directive into their national laws. From October 18, 2024, those national rules apply, so any organization in scope is then legally required to meet them (in Member States that transposed on time). 
  • By the same date, each EU Member State is expected to have adopted a national cybersecurity strategy setting out how it will meet the goals of the NIS2 Directive.  
  • With effect from October 18, 2024, the older NIS Directive (Directive 2016/1148) is repealed. 
  • By April 17, 2025, EU Member States must establish a list of essential and important entities and review it at least every two years. By the same date, and every two years thereafter, the competent authorities must notify the European Commission and the Cooperation Group of the number of essential and important entities in each sector. 
  • The European Commission will review how the Directive is working by October 17, 2027, and then every three years after that. 

NIS2: Who is affected by the updated Directive? 

The updated NIS2 Directive takes a new approach to classifying the organizations it affects. Unlike the previous version, which applied to operators of essential services and digital service providers, the new Directive splits entities into two groups: essential and important. An organization’s classification is based on its sector and its size, measured by number of employees, annual turnover and balance sheet total.  

It is also important to check whether the organization plays a critical role in its sector or Member State. Even a company below the size thresholds can be designated as essential or important if, for example, it is the sole provider in a Member State of a service that is essential for critical societal or economic activities, or if a disruption of its service could significantly affect public safety, security or health. 

The main difference between the two categories is how they are supervised. Essential entities are subject to proactive (ex ante) as well as reactive (ex post) supervision, including regular and targeted audits, while important entities are supervised ex post only: authorities act when they receive evidence or an indication of non-compliance, for example after an incident or data breach. Fines are also lower for important entities. Let’s look in more detail at who is affected by NIS2.   

Essential Entities (EE) 
Size: large enterprises (250 or more employees, or annual turnover above € 50M and balance sheet total above € 43M) operating in the “sectors of high criticality” (Annex I): 
1. Energy 
2. Transport 
3. Banking 
4. Financial market infrastructure 
5. Health 
6. Drinking water 
7. Wastewater 
8. Digital infrastructure (cloud providers, data centers, DNS, etc.) 
9. ICT service management (B2B): Managed service providers and Managed Security Service Providers 
10. Public administration 
11. Space 
Certain providers are essential regardless of size, for example DNS service providers, TLD name registries and qualified trust service providers. 

Important Entities (IE) 
Size: medium enterprises (50 to 249 employees, or annual turnover above € 10M and balance sheet total above € 10M, below the large-enterprise thresholds) in the Annex I sectors, plus both medium and large enterprises in the “other critical sectors” (Annex II): 
1. Postal & courier services 
2. Waste management 
3. Manufacture, production & distribution of chemicals 
4. Food production, processing & distribution 
5. Manufacturing (medical devices, motor vehicles, computers, electrical, and other equipment) 
6. Digital providers (online marketplaces, search engines, social networking platforms) 
7. Research 
8. All the Annex I sectors listed under Essential Entities, at medium-enterprise size 

You can get a free consultation on implementing NIS2 requirements in your company by contacting our team.

NIS2 penalties & fines 

Under the NIS2 Directive, both essential and important entities can face administrative fines for failing to meet their cybersecurity risk-management or reporting obligations. For essential entities, fines can reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. 

NIS2 also puts a strong focus on holding top management accountable for their organization’s security. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation and follow training, and they can be held liable for infringements. Supervisory authorities can also order an entity to make aspects of its non-compliance public and to inform the customers it serves about a significant cyber threat that could affect them.  

In serious cases involving essential entities, authorities can temporarily prohibit the CEO or legal representative from exercising managerial functions until the non-compliance is remedied. The Directive aims to improve cybersecurity practices and push management to take a more active role in protecting their organization from cyber threats. 

Avoid potential fines by reaching out to us for assistance with NIS2 Directive implementation in Germany. Let us guide you toward compliance. 

What are NIS2 requirements?  

To strengthen Europe’s resilience against both current and future cyber threats, the NIS2 Directive sets out new rules and responsibilities for organizations in four key areas: risk management, corporate accountability, reporting obligations, and business continuity. 

  • Risk management: To meet the Directive’s requirements, organizations need to put in place steps to reduce cyber risks. These steps include managing incidents, improving supply chain security, securing networks, controlling access, and using encryption. 
  • Corporate accountability: NIS2 says that corporate leadership is responsible for overseeing and approving the company’s cybersecurity efforts. Management also needs to be trained in handling cyber risks. If there are breaches, management could face penalties, including personal liability or even being temporarily banned from management roles. 
  • Reporting obligations: Organizations classified as essential or important must be ready to report significant incidents to their CSIRT or competent authority quickly. NIS2 sets strict timelines: an “early warning” within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report no later than one month after the notification. 
  • Business continuity: Companies must have a solid plan in place for keeping operations running during a major cyber incident. This plan should cover system recovery, emergency protocols, and setting up a crisis response team to handle incidents effectively. 

10 NIS2 baseline security measures 

Besides the four main areas of focus, Article 21(2) of NIS2 requires essential and important entities to implement at least the following baseline measures, following an all-hazards approach, to tackle common cyber threats: 

  • Conducting risk assessments and creating security policies for information systems. 
  • Setting up policies to regularly check how effective current security measures are. 
  • Using cryptography and encryption when needed, with clear guidelines in place. 
  • Developing a response plan for handling security incidents. 
  • Ensuring security during the procurement, development, and operation of systems, including rules for managing and reporting vulnerabilities. 
  • Providing cybersecurity training and encouraging good computer hygiene practices. 
  • Implementing human resources security, access control policies and asset management, including clear rules for who may access which data and an up-to-date inventory of important assets. 
  • Having a plan for keeping business operations running during and after a security incident, which includes keeping backups up to date and ensuring access to IT systems. 
  • Using multi-factor authentication, encryption for communication, and secure emergency communication methods where needed. 
  • Ensuring supply chain security by selecting security measures that address the risks of each supplier and regularly evaluating the security levels of all suppliers. 

Why is the NIS2 Directive important for European businesses? 

Europe, as a political, economic, and security leader, often finds itself a target for cyberattacks. According to Deloitte, cyber-attacks on critical infrastructure jumped by 45% worldwide and by a staggering 220% in EU Member States between 2020 and 2021.  

With these numbers likely to grow, it’s crucial for businesses to take steps to protect themselves from potential cyber threats. Following the NIS2 Directive can not only strengthen your organization’s online security but also help build a shared defense against emerging risks. 

By complying with NIS2, businesses can benefit from: 

  • Proactive risk management, allowing you to identify and deal with cyber threats before they cause any damage. 
  • Business continuity, ensuring that your operations can continue smoothly, even during a cyber incident, which helps maintain customer trust. 
  • Incident reporting, to quickly inform relevant authorities about security breaches, helping to protect other organizations from facing similar threats. 
  • Improved collaboration, by staying connected with partners and sharing best practices for preventing cyber threats. 

NIS2 Directive: Summary 

The NIS2 Directive marks a significant step toward enhancing cybersecurity across Europe. It requires both essential and important entities to take proactive measures to safeguard their operations. Understanding whether and how NIS2 affects your organization is crucial, as compliance with these rules is not just a legal obligation but also a strategic move to protect businesses from potential attacks, especially given the rise in cyber threats.

Compliance Aspekte is a modern GRC tool and compliance consulting company. Whether you need assistance with NIS2 implementation or prefer us to manage the entire process for you, we are here to help. Contact us for a free consultation today!
