ToraGuard

Businesses will want to avoid the penalties and reputation damage risks which arise from non-compliance with these regulations. For businesses familiar with NIS1, the updated NIS2 includes more business sectors and stricter compliance requirements.

ToraGuard details what is important to know about this latest EU cyber security directive.

What is the NIS2 Directive?

The Network and Information Security (NIS) Directive legislation was first introduced in 2016 and was the European Union’s first piece of legislation to enforce a high level of common cyber security across member states. It applies to businesses and organisations providing essential services, governing their basic cyber security requirements and incident reporting obligations.

The NIS2 is the updated directive designed to address the growing and evolving cyber threats faced by the EU’s essential services and digital infrastructure. The updated directive builds on the previous framework after the NIS1 was identified to have limitations due to the rapid advancement of technology.

After the initial NIS introduction, shortcomings within the framework became clear as cyber threats became more complex and widespread.

The identified limitations within the original NIS included:

• As the directive only applied to a small range of sectors, many businesses vital to the economy were left without clear direction or legislation, making them vulnerable to attacks.
• Large inconsistencies in the way the directive was enforced across member states led to large variances in cyber security standards.
• There were insufficient obligations and responsibilities on top management within businesses to ensure the directive was being adhered to, leading to a lack of implementation and ownership throughout all levels of the company.
• The directive was said to be too vague, leading to loose interpretations being implemented and resulting in inconsistencies in application across member states.

The directive was reviewed to address these issues and to include further elements due to growing cyber security risks and technological advances. This created the NIS2, an enforceable directive requiring increased risk management, reporting, and adherence to its guidelines to ensure that organisations are prepared to handle incidents and provide better responses.

NIS2 came into force in January 2023, with member states having until 17 October 2024 to transpose the directive into national law.

The updated NIS2 Directive includes:

• Expanding on the existing NIS directive and updating the way that businesses and sectors are classified.
• Implementing updated risk management measures that member states need to abide by in order to reduce the risk of cyber incidents.
• Amending how incidents are reported and ensuring that the relevant authorities are notified of significant cyber incidents.
• Ensuring that the incident reporting process is consistent and that information sharing is enhanced across member states.
• Updating the required and suggested security measures to reduce the risk of cyber attacks, including the use of encryption, access controls and rules around regular security updates.
• Updating the security of IT supply chains and supplier relationships and enforcing direct obligations.

Cyber Security Measures Required by NIS2

Organisations seeking to comply with NIS2 need to understand its key requirements and what has been updated from the original directive. All those defined as essential and important entities are subject to the same cyber security risk management requirements and incident reporting obligations.

The NIS2 directive requires organisations to have documented measures for:

Risk management

NIS2 requires organisations to implement comprehensive risk management frameworks. This includes incident prevention, detection and response, and continuity plans. Organisations have to identify the risks to their network and information systems and implement appropriate measures to mitigate those risks to critical infrastructure and services. There should be documentation of risk mitigation strategies and clear identification of potential risks.

Incident Reporting

NIS2 has strict reporting requirements for when incidents do occur. Businesses must submit an initial report to the relevant national authority within 24 hours from when they become aware of the incident. The initial report must then be followed up by a more detailed incident notification within 72 hours, and then a final report no more than one month later. These reports must be comprehensive, detailing the nature of the incident, its impact and steps which have been taken to mitigate it. Where an incident may have affected users, they must also be notified.

These reports should be sent “without undue delay” within the strict timescales, which is the main differentiator within this element of NIS2 compared to the original directive.

A modification from the original NIS directive also details what type of incident should be reported, in order to address the over-reporting of minor incidents. Incidents are now only required to be reported if they cause, or have the potential to cause, significant operational disruption or financial losses, or if they affect, or could affect, other individuals or organisations by resulting in considerable material or non-material damage.

Management Responsibility

NIS2 requires higher levels of accountability, requiring senior management to take responsibility for cyber security risks and to ensure the implementation of risk management measures. Those identified as accountable should follow training on a regular basis in order to ensure they have sufficient knowledge and skills to identify risks and assess cyber security practices and their impact. Member states have to ensure that the person appointed as responsible can ensure the organisation's compliance with NIS2 and, if necessary, can be held liable for any breaches.

Supply chain security and monitoring

With procurement of services from third-party providers becoming increasingly common, the NIS2 directive recognises the risk posed by these interdependencies with vendors and supply chain relationships. As a result, the directive requires businesses to assess the cyber security of all their suppliers and partners, to ensure both that there is adequate security throughout the entire supply chain and that risk management processes are in place to stop cascading incidents.

These are not the only measures required by NIS2. Businesses should ensure that they are clear on the entire directive to ensure compliance.

Who Is Affected By NIS2?

The directive imposes compliance obligations on all entities which provide services or carry out activities within the EU and match its description of either an essential or important entity within its defined list of sectors.

Key sectors affected by the NIS2 include:

• Banking and financial businesses
• Digital providers including search engines and social networking platforms
• Public electronic communication networks and services including cloud service providers and data centres
• Energy
• Healthcare
• Transport
• B2B ICT service management
• Certain manufacturing industries, including computer and technology products and motor vehicles
• Production and distribution industries including food and utilities

The way in which these obligations are met depends on the business's risk exposure, defined importance and size. These measures ensure the minimum acceptable standard for cyber security across the member states.

There are exceptions for businesses which are deemed too small by the definition outlined in the directive, and where exemptions are in place in relation to national security, public security, defence or law enforcement activities. Unlike under the original directive, medium-sized businesses operating in these sectors are also obligated to adhere to the requirements outlined.

What Are The Penalties For Non-Compliance with NIS2?

National regulators now have more power under the updated directive to impose penalties, fines and significant legal repercussions for compliance breaches or negligence in these areas. Fines and required corrective action can be very severe.

Important entities, as defined by the directive, can face fines of up to €7 million or 1.4% of annual global revenue, whichever is the greater amount. Essential entities, as defined by the directive, can face fines of up to €10 million or 2% of annual global revenue, whichever is the greater amount.

The national regulators also have the power to deliver binding instructions to correct omissions and can make non-compliance public knowledge. This affects the business and brand reputation. Due to the increasing importance placed on cyber security and data protection, businesses known to have failures in these areas often lose customers due to a loss in trust in the company’s ability to protect their data.

Solutions and Ways to Achieve NIS2 Compliance

To ensure compliance, begin by assessing the cyber security policies and practices currently implemented within your organisation. By looking for vulnerabilities and gaps in existing frameworks, a roadmap can be created to achieve NIS2 compliance, with an immediate focus on the areas of greatest risk.

Other practices which can help towards NIS2 Compliance include:

• Audit reviews, vulnerability scanning and penetration testing are all forms of proactive cyber security which can help find vulnerabilities within networks that need to be addressed. These exposed weaknesses can then be addressed before they are exploited.
• Instil good cyber hygiene practices in operations, including strong and regularly updated password processes, email security and regular training sessions at all levels of the organisation. Creating this security-first culture within your organisation helps to improve cyber security defences and encourages employees to actively safeguard the company.
• Capturing and analysing any cyber security events that do happen is vital. Logging security incidents and documenting them in specific and extensive detail facilitates better responses and further investigation, and allows patterns and anomalies to be identified. This can also help with implementing strict incident response and reporting processes aimed at meeting the NIS2 deadlines should critical incidents occur.
• Implementing encryption for sensitive digital data and role-based access to critical systems helps to prevent unauthorised access to data.

Ensure NIS2 Compliance with ToraGuard

Organisations operating in the EU or trading closely with EU-located businesses must remain compliant with NIS2. By speaking to an NIS2 consultant and adhering to the NIS2 directive, businesses are able to protect themselves and demonstrate their proactive approach to updated legislation. ToraGuard’s NIS2 Consultancy Services support organisations, simplifying processes.
