This article explores the nuances of the NIS2 Directive, its differences from NIS1, the specific requirements it introduces, the sectors it impacts, its implementation timeline, its applicability, the necessity for its introduction, and the consequences for non-compliance.
The NIS2 Directive, short for Network and Information Security Directive, is the European Union’s revised legislative effort to strengthen cybersecurity measures across all member states. Building on the foundation laid by the original NIS Directive (NIS1), NIS2 expands both the scope and depth of requirements to ensure a high common level of cybersecurity, cyber resilience, and incident response capabilities within the EU.
NIS2 isn’t just an update—it's a comprehensive overhaul designed to address the limitations and challenges observed in the NIS1 framework. Key differences include:
The NIS2 Directive (Directive (EU) 2022/2555) was adopted by the European Parliament and the Council in December 2022 and entered into force on 16 January 2023. Member states were given a transition period of 21 months from entry into force to transpose the directive into national law.
This means that EU member states had until 17 October 2024 to adopt and publish their transposing legislation, with the national measures applying from 18 October 2024.
NIS2 sets forth stringent and detailed requirements aimed at ensuring that both essential and important entities achieve a high level of cyber resilience. These requirements include:
Additionally, NIS2 requires essential and important entities to put in place a minimum set of cybersecurity risk-management measures to counter the threats they are likely to face. These measures include:
The directive applies to a wide array of sectors deemed critical for the social and economic welfare of the EU. These sectors include energy, transport, health, digital infrastructure, public administration, and the financial sector, among others. The inclusion of these sectors underscores their importance in maintaining societal functions and the collective EU economy.
NIS2 classifies organizations as an "essential entity" or an "important entity" according to two criteria: the sector the organization operates in and its size*.
*Regardless of size, NIS2 itself brings certain entities into scope (for example DNS service providers, TLD name registries and qualified trust service providers), and member states may additionally include or exclude organizations irrespective of these two criteria.
| Entity size | Number of employees (X) | Revenue, MEUR (y) | Balance sheet, MEUR (z) | Sectors of high criticality (Annex I) | Other critical sectors (Annex II) |
|---|---|---|---|---|---|
| Large | X ≥ 250 | y > 50 | z > 43 | Essential entities | Important entities |
| Medium | 50 ≤ X < 250 | 10 ≤ y ≤ 50 | 10 ≤ z ≤ 43 | Important entities | Important entities |
| Small | X < 50 | y ≤ 10 | z ≤ 10 | Out of scope* | Out of scope* |

Size is assessed under the EU SME definition (Commission Recommendation 2003/361/EC): the headcount threshold must be met, together with either the turnover or the balance-sheet threshold.
According to NIS2, the sectors of high criticality, whose large entities are classified as essential entities (EE), are:
According to NIS2, the other critical sectors, whose entities are classified as important entities (IE), are:
Introduced in 2016, NIS1 was the first EU-wide directive aimed at raising the level of cybersecurity across the Union. Soon after its introduction, however, it became evident that the directive was applied very differently from one member state to another, producing an uneven framework: the same type of organization was identified as an operator of essential services in some countries but left out of scope in others.
In response, the European Commission proposed a revision of the NIS Directive in December 2020 that explicitly specifies which organizations are in scope and what their precise obligations are. That revision was adopted in 2022 as the Network and Information Security Directive 2 (NIS2).
The revision to expand into NIS2 was also driven by the evolving and increasingly sophisticated nature of cyber threats. NIS2 aims to address these evolving threats by enhancing security measures, improving incident reporting, and fostering greater collaboration among EU member states.
Non-compliance with the NIS2 Directive will result in significant penalties. These can include substantial fines, which underscore the directive’s aim to ensure serious adherence to established cybersecurity practices. Penalties are divided into three main categories:
It is important to note that fines vary depending on the member state for specific violations such as failure to report security incidents.
Non-compliance with the NIS2 Directive carries more severe penalties than the original NIS Directive, and the maximum fines differ according to the classification of the entity involved.
For essential entities, administrative fines can reach a maximum of at least €10 million or at least 2% of the total worldwide annual turnover, in the preceding financial year, of the undertaking to which the essential entity belongs, whichever is higher.
For important entities, administrative fines can reach a maximum of at least €7 million or at least 1.4% of the total worldwide annual turnover, in the preceding financial year, of the undertaking to which the important entity belongs, whichever is higher.
NIS2 also enables authorities in the member states to hold the members of an entity's management body personally liable where the entity is found to have infringed its cybersecurity risk-management obligations. Sanctions include:
These provisions intend to ensure accountability at higher management levels and to deter negligence in the handling of cyber risks.
As organizations navigate the complexities of achieving compliance with the NIS2 Directive, ASEE offers a suite of solutions that align with the directive’s requirements for cybersecurity and data protection. Here's how ASEE can assist organizations in fulfilling some of the critical aspects of NIS2 compliance:
One of the key aspects of NIS2 is stringent access management, ensuring that only authorized personnel have access to sensitive or critical systems and data. ASEE's Identity and Access Management (IAM) solutions are designed to limit access based on defined roles and policies. This includes Single Sign-On (SSO) capabilities that simplify the login process while maintaining high security standards, reducing the number of passwords users must manage and the attack surface that comes with them.
ASEE’s Multi-Factor Authentication (MFA) solutions utilize a broad range of both hardware and software authentication methods to ensure secure access to systems. Complementing this, our Risk-Based Authentication features adaptive authentication techniques, which consider user behaviour to provide dynamic security measures that strengthen system defences without compromising user convenience. Additionally, ASEE offers Passwordless Authentication options, which not only provide a seamless authentication experience but also mitigate the risks associated with password attacks and the burden of employees having to remember multiple passwords.
In the context of NIS2's emphasis on supply-chain security, ASEE's IAM solutions extend to managing customer identities and controlling third-party access to sensitive data, thereby safeguarding critical information from unauthorized access. For mobile app owners, ASEE's App Protector provides robust mobile app protection, helping to ensure that apps do not become the weak link in the supply chain.
Inact, ASEE's AI/ML fraud monitoring solution, together with its logging mechanisms, can be used to detect, alert on and respond to security incidents in a timely manner. ASEE also offers Mobile Application Shielding products, which help organizations shield their mobile applications from threats and vulnerabilities and provide input for risk assessments and security policies, in line with NIS2's requirement to maintain rigorous cybersecurity measures.
Public Key Infrastructure (PKI) supports NIS2 compliance by providing encryption and authentication for data in transit, which is critical for safeguarding sensitive information. PKI underpins digital signatures, ensuring the authenticity and integrity of electronic documents and transactions and making tampering detectable; note that whether a signature carries legal effect depends on the applicable eIDAS signature level, not on the PKI alone. PKI enables strong authentication, including certificate-based two-factor and multi-factor authentication, through secure management of digital certificates and keys. PKI tooling also automates certificate lifecycle management, including issuance, renewal and revocation, which is essential for keeping cryptographic controls in a demonstrably compliant state. It further supports data integrity and access control, and can strengthen audit trails and logs with cryptographic timestamps, which are valuable for compliance reporting and for demonstrating adherence to NIS2 requirements during audits.
By integrating ASEE’s products into their cybersecurity strategies, organizations can not only meet the stringent requirements of NIS2 but also enhance their overall security infrastructure, protect critical data, and ensure continuous compliance with evolving cybersecurity regulations. This holistic approach to security management empowers organizations to tackle the challenges posed by the digital landscape effectively.
Feel free to contact us – zero obligation. Our ASEE team will be happy to hear you out.