A Brief Overview of the NIS2 Directive
By Zaviant

The Network and Information Systems Directive (NIS1) has been in effect across Europe since May 2018. Although NIS1 certainly helped secure networks across the European Union (EU), its limitations—including only covering a small set of organizations, allowing member states to implement varying levels of security postures, and permitting organizations to underreport incidents due to insufficient requirements—weakened its overall ability to secure and protect members.
As a result, the new and improved NIS2 passed in October 2024 with the aim of raising the baseline of security standards from the foundation of NIS1. While the directive contains extensive details, this article will provide you with a brief overview of what you need to know.
Who must comply with NIS2?
NIS2 expands the radius of companies in scope for this security directive outside of the EU to include any company that operates in or provides services to the EU within certain key business sectors. For example, a US-based cloud services provider with customers in the EU would need to comply with the directive.
And it is this change in scope that provides one of the biggest evolutionary shifts from NIS1 to NIS2. Where NIS1 covered only 7 critical sectors, NIS2 covers 18 total sectors classified as Essential Entities and Important Entities—meaning more third-party suppliers will fall under this scope. Below is a breakdown of the different sectors that will now fall under NIS2.
Essential entities
- Energy
- Health
- Transport
- Drinking Water
- Financial Markets
- Digital Infrastructure
- Banking
Important entities
- Public Admin
- Space
- Waste Water
- Digital Providers
- Postal Services
- Chemical Production
- Manufacturing
- Research
- Waste Management
- Food Production
Risk Management
As a result of the increase in scope, member states must ensure that essential and important entities implement appropriate measures to manage risks to the security of their network and information systems. These measures would include policies for risk analysis, incident handling, business continuity, and even specific details about implementing multi-factor authentication (MFA) on critical systems.
Responsibility for adapting now falls on senior management, who must approve these risk management measures; the directive states that these decision makers may be held liable for any infringements of Article 21.
Incident Reporting Timeframe
One of the major components of Risk Management is the updated incident reporting standard that organizations must follow. Previously, NIS1 required reporting significant incidents within a wide span of 72 hours. Article 23 of the new directive, however, breaks reporting into three phases.
The first phase of incident reporting mandates that organizations issue an initial alert within 24 hours of detecting a significant incident, ensuring that relevant authorities are promptly notified.
The second phase involves submitting a comprehensive incident report within 72 hours, providing detailed information about the incident’s nature, impact, and any mitigation measures taken.
The final phase requires that at the one-month mark, a final report be developed detailing the incident’s impact, the measures taken to mitigate it, and any lessons learned to prevent future occurrences.
Penalties
The penalties for non-compliance have become stricter as well. An organization found non-compliant with the directive could face hefty fines. An Essential Entity can be penalized up to €10 million or 2% of its total worldwide annual revenue, while an Important Entity can be penalized up to €7 million or 1.4% of its revenue, an additional incentive for organizations to stay in compliance with the directive.
Zaviant is Here to Help
Navigating data privacy legislation can be challenging, but Zaviant’s team of experts can help guide your organization through NIS2 and other requirements. Reach out today.