
A Brief Overview of the NIS2 Directive

The Network and Information Systems Directive (NIS1) has been in effect across Europe since May 2018. Although NIS1 certainly helped secure networks across the European Union (EU), its limitations—including only covering a small set of organizations, allowing member states to implement varying levels of security postures, and permitting organizations to underreport incidents due to insufficient requirements—weakened its overall ability to secure and protect members.

As a result, the new and improved NIS2 passed in October 2024 with the aim of raising the baseline of security standards from the foundation of NIS1. While the directive contains extensive details, this article will provide you with a brief overview of what you need to know.

Who must comply with NIS2?

NIS2 expands the scope of the directive beyond EU-based companies to include any company that operates in or provides services to the EU within certain key business sectors. For example, a US-based cloud services provider with customers in the EU would need to comply with the directive.

And it is this change in scope that provides one of the biggest evolutionary shifts from NIS1 to NIS2. Where NIS1 covered only 7 critical sectors, NIS2 covers 18 total sectors classified as Essential Entities and Important Entities—meaning more third-party suppliers will fall under this scope. Below is a breakdown of the different sectors that will now fall under NIS2.

Essential entities

  • Energy
  • Health
  • Transport
  • Drinking Water
  • Financial Markets
  • Digital Infrastructure
  • Banking

Important entities

  • Public Admin
  • Space
  • Waste Water
  • Digital Providers
  • Postal Services
  • Chemical Production
  • Manufacturing
  • Research
  • Waste Management
  • Food Production

Risk Management

As a result of the increase in scope, member states must ensure that essential and important entities implement appropriate measures to manage risks to the security of their network and information systems. These measures include policies for risk analysis, incident handling, and business continuity, and even specific requirements such as implementing multi-factor authentication (MFA) on critical systems.

Responsibility for approving these risk management measures now falls to senior management, as the directive states that these decision makers may be held liable for any infringements of Article 21.

Incident Reporting Timeframe

One of the major components of Risk Management is the update to the incident reporting standards organizations must follow. Previously, NIS1 required reporting significant incidents within 72 hours. Article 23 of the new directive, however, breaks reporting into three phases.

The first phase of incident reporting mandates that organizations issue an initial alert within 24 hours of detecting a significant incident, ensuring that relevant authorities are promptly notified.

The second phase involves submitting a comprehensive incident report within 72 hours, providing detailed information about the incident's nature, impact, and any mitigation measures taken.

The final phase requires that, at the one-month mark, a final report be delivered detailing the incident's impact, the measures taken to mitigate it, and any lessons learned to prevent future occurrences.

Penalties

The penalties for non-compliance have gotten stricter as well. An organization found non-compliant with the directive could face hefty fines: an Essential Entity can be penalized up to €10 million or 2% of its total worldwide annual revenue, while an Important Entity can be penalized up to €7 million or 1.4% of its revenue. This is an additional incentive for organizations to stay in compliance with the directive.

Key activities related to cybersecurity that will need to be carried out include:

Risk Management

  • Cybersecurity Risk Assessment: Conducting thorough risk assessments to identify vulnerabilities in network and information systems
  • Regular Cybersecurity Audits and Reviews: Conducting periodic audits and reviews to evaluate the effectiveness of cybersecurity measures
  • Cybersecurity Policy Development: Developing and enforcing policies for assessing the effectiveness of cybersecurity risk management
  • Business Continuity Planning: Developing and maintaining plans for business continuity, including backup management and disaster recovery processes
  • Data Protection and Privacy Compliance: Ensuring compliance with data protection and privacy regulations, in alignment with cybersecurity measures

Implementation

  • Development and Maintenance of Cybersecurity Frameworks: Creating and updating frameworks for managing cybersecurity crises and incidents
  • Training and Awareness Programs: Conducting regular cybersecurity training and awareness programs for staff at all levels
  • Implementation of Security Measures: Ensuring the adoption and implementation of appropriate security measures, including elements like multi-factor authentication, to prevent or minimize the impact of cyber incidents
  • Cross-border and Cross-sectoral Cooperation: Facilitating cooperation within and across sectors and borders, especially in information sharing and response coordination

Management and Reporting

  • Vulnerability Management and Reporting: Detecting, reporting, and managing vulnerabilities, including maintaining an anonymous reporting process
  • Incident Response and Reporting: Establishing and executing incident response plans, including timely reporting of significant incidents to designated authorities
  • Monitoring and Analysis of Cyber Threats: Continuously monitoring and analyzing cyber threats and incidents, and disseminating information about these threats
  • Supply Chain Security Management: Securing the supply chain, including evaluating the cybersecurity practices of suppliers and service providers

Zaviant is Here to Help

Navigating data privacy legislation can be challenging, but Zaviant's team of experts can help guide your organization through NIS2 and other requirements. Reach out today.
