Organizations operating in the European Union (EU) must make important security strides in the next few months because the second iteration of the Network and Information Security directive (NIS2) will become part of law across EU member states in October.
NIS2 introduces stringent cybersecurity requirements for medium and large-sized organizations in certain sectors that operate in the EU.
In part one of our NIS2 series, we’ll look at the background, requirements, and penalties of this important directive.
Background on NIS2
NIS2 was born from NIS1, the first EU-wide cybersecurity legislation launched in 2016. While NIS1 aimed to elevate cybersecurity standards across the EU, implementing it posed challenges, leading to ambiguity and minimal enforcement incentives for targeted organizations.
On January 16, 2023, the EU introduced NIS2 to rectify these shortcomings. Here are the major changes:
- Scope: NIS2 broadens its reach through the definition of essential and important entities. Essential entities encompass mission-critical organizations like energy, transport, and healthcare. Important entities include financial institutions and telecommunications companies. Overall, NIS2 is expected to apply to 160,000 organizations.
- Elevated security requirements: NIS2 sets a new benchmark with heightened security requirements and tougher penalties.
- Incident reporting: NIS2 mandates a culture of transparency. Organizations must promptly report cybersecurity incidents to the appropriate authorities.
What is the purpose of NIS2?
NIS2 aims to strengthen the overall cybersecurity of the EU’s critical organizations and infrastructure. The directive is also designed to enhance supply chain security and elevate the EU’s ability to respond to changing cyber risks and attacks.
Who does NIS2 apply to?
NIS2 entities are categorized into two distinct groups: ‘essential’ and ‘important’. The difference lies in the severity of the impact of a potential outage or a cyber-attack. An attack on an ‘essential’ entity would trigger substantial consequences for a nation’s economy or societal well-being. An incident within an ‘important’ entity would also cause disruption, but not to the same extent.
Both types of entity must adhere to NIS2’s security protocols. However, ‘essential’ entities will receive ongoing, proactive supervision from enforcement bodies, whereas ‘important’ entities will only be monitored after an incident of non-compliance.
Your business is considered an essential entity if you have 250 employees, an annual turnover of €50 million or a balance sheet total of €43 million, and you’re classed as an important entity if you have 50 employees, an annual turnover of €10 million or a balance sheet total of €10 million.
Here’s an overview of the industries and sectors NIS2 applies to:
- Transport
- Energy
- Banking and financial market infrastructure
- Healthcare
- Water supply
- Public administration (central and regional levels)
- Waste management
- Postal and courier services
- Food
- Manufacturing of medical devices
- Chemical and pharmaceutical production
- Aerospace
- Digital infrastructure and digital service providers
It is crucial to note that non-EU organizations that operate within the EU, such as those headquartered in America, must also adhere to NIS2.
What are the NIS2 requirements?
The key requirements for NIS2 are separated into four overarching areas:
- Organizational and risk management measures: Organizations must design and implement cybersecurity and risk management strategies to safeguard their digital infrastructure from malicious actors.
- Technical and organizational measures: Organizations must implement required security controls and regular information security training to enhance their cybersecurity posture.
- Incident reporting: Organizations are mandated to notify relevant authorities of significant cybersecurity incidents within 24 hours.
- Information sharing: To improve EU-wide cyber resilience, organizations must share cybersecurity threat insights with the NIS2 ecosystem.
Alongside these four overarching areas, NIS2 also establishes 10 baseline security measures that organizations must follow. These are:
- Organizations must conduct risk assessments and establish security policies for information systems.
- Companies must establish policies and procedures to regularly assess the effectiveness of their security measures.
- Companies must establish policies and procedures for cryptography and encryption.
- Businesses must craft detailed incident response plans.
- Organizations are mandated to ensure system security during development and operation through practices like vulnerability management and reporting.
- Cybersecurity training is mandated, along with basic cybersecurity hygiene principles like robust passwords and the principle of least privilege.
- Where employees have access to sensitive information, policies must be established for data access. Organizations must also have real-time visibility and control over sensitive data.
- Organizations must combine incident response planning with regular backups and business continuity strategies.
- Companies must implement multi-factor authentication, single sign-on and similar controls where appropriate.
- Companies must take a cyber-aware approach to supply chain risk management, ensuring appropriate security measures are applied to every supplier relationship.
Penalties for NIS2 violations
The NIS2 Directive sets out specific penalties for non-compliance, which are as follows:
- Non-monetary remedies: NIS2 empowers national supervisory authorities to enforce non-monetary remedies, including compliance orders and binding instructions.
- Administrative fines: For essential entities, member states can set a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher. For important entities, the fine is set to a maximum of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
- Criminal sanctions: To enhance accountability and executive buy-in, the directive enables supervisory authorities to hold C-level management accountable through penalties like making compliance violations public and/or publicly announcing the person(s) responsible for the compliance violation.
Preparing for NIS2 compliance
If your organization falls under the remit of NIS2, you have until October 17, 2024 to meet your obligations. This makes it imperative to take action urgently.
To help you meet NIS2 compliance by the deadline, we’ll outline the critical steps to take in our next blog.