Contact us

BOOK A PRESENTATION

Understanding the NIS2 Directive and Its Implications on Your Organization

NO NAME
In an era dominated by digital transformations and escalating cyber threats, the European Union has taken decisive action to enhance its cybersecurity framework. The newly introduced NIS2 Directive represents a significant upgrade from its predecessor, aiming to bolster the security of network and information systems across the continent.

This article explores the nuances of the NIS2 Directive, its differences from NIS1, the specific requirements it introduces, the sectors it impacts, its implementation timeline, its applicability, the necessity for its introduction, and the consequences for non-compliance.

What is the NIS2 Directive?

The NIS2 Directive, short for Network and Information Security Directive, is the European Union’s revised legislative effort to strengthen cybersecurity measures across all member states. Building on the foundation laid by the original NIS Directive (NIS1), NIS2 expands both the scope and depth of requirements to ensure a high common level of cybersecurity, cyber resilience, and incident response capabilities within the EU.

NIS1 vs. NIS2: What's new?

NIS2 isn’t just an update—it's a comprehensive overhaul designed to address the limitations and challenges observed in the NIS1 framework. Key differences include:

  • Expanded Scope: NIS2 broadens the range of sectors considered critical, including essential and important entities in different sectors. The new directive expands the number from 7 to a total of 15 impacted sectors.
  • Enhanced Security Requirements: The directive imposes stricter security obligations, mandating that entities adopt risk management practices and report incidents within a tighter timeframe.
  • Strict fines for non-compliance: Entities that do not comply with the newly formed directive will be subject to legal consequences as well as costly fines.

NIS2: Dates to remember

The NIS2 Directive was officially adopted by the European Parliament and the Council in December 2020, with the directive entering into force in January 2023. Member states are given a transition period to incorporate the directive into national law, typically requiring compliance within 21 months from its entry into force.

This means that the EU member states have until 17th October 2024 to transpose the NIS2 directive into their national law. Consequently, organizations subject to the directive need to be fully NIS2 compliant by Q4 2024. So, your organization must be NIS2 compliant in exactly:

  

NIS2 Requirements

NIS2 sets forth stringent and detailed requirements aimed at ensuring that both essential and important entities achieve a high level of cyber resilience. These requirements include:

  • Risk Management Measures: Organizations need to adopt measures that reduce cyber risks to adhere to the new Directive. These measures encompass managing incidents, fortifying supply chain security, improved network security, enhanced access control, and encryption.
  • Corporate Accountability Measures: NIS2 mandates that corporate management supervise, endorse, and receive training on the entity’s cybersecurity strategies, as well as manage cyber risks. Violations could lead to penalties for management, such as liability and possibly a temporary prohibition from holding management positions.
  • Incident Reporting: Essential and important entities are required to establish procedures for quickly reporting security incidents that significantly affect their service provision or recipients. NIS2 specifies exact notification timelines, including a 24-hour "early warning" period.
  • Business continuity: Organizations need to develop plans to maintain business continuity in the event of significant cyber incidents. This plan should encompass strategies for system recovery, emergency processes, and the formation of a crisis response team.

Baseline Security: 10 Minimum Measures

Additionally, NIS2 requires essential and important entities to establish foundational security measures to counteract probable cyber threats. These measures include:

  • Conducting risk assessments and formulating security policies for information systems.
  • Developing policies and procedures to assess the effectiveness of security measures.
  • Establishing policies and procedures for the application of cryptography and, where applicable, encryption.
  • Crafting a strategy for security incident responses.
  • Ensuring security in the procurement of systems, as well as in their development and operation, which involves policies for managing and reporting vulnerabilities.
  • Providing training and practices for basic cybersecurity hygiene.
  • Implementing security protocols for employees who access critical or sensitive data, including data access policies. Organizations must also maintain a comprehensive inventory of all relevant assets to ensure they are appropriate management and security.
  • Developing a strategy to manage business operations during and after a security incident, ensuring that backups are current and plans are in place for maintaining access to IT systems and their functionalities in the event of a security breach.
  • Applying multi-factor authentication, continuous authentication solutions, and when suitable, encryption for voice, video, and text communications, including encrypted internal emergency communications.
  • Securing supply chains and managing relationships with direct suppliers. Companies must select security measures that address the specific vulnerabilities of each supplier and assess the overall security posture of all suppliers.

Which Sectors and Organizations are Affected by the NIS2 Directive?

The directive applies to a wide array of sectors deemed critical for the social and economic welfare of the EU. These sectors include energy, transport, health, digital infrastructure, public administration, and the financial sector, among others. The inclusion of these sectors underscores their importance in maintaining societal functions and the collective EU economy.

NIS2 classifies organizations as '' essential entity'' or ''important entity'', according to two criteria:

  • Size (number of employees, annual global revenue, balance sheet)
  • Criticality of business sector in which the organization is operating

*member states can include/exclude organizations irrespective of these two criteria

Entity sizeNumber of employeesRevenue (MEUR)Balance sheet (MEUR)Sectors of high criticalityOther critical sectors
LargeX>=250y>=50z>=43Essential entitiesImportant entities
Medium50>=X>25010>=y>5010>=z>43Important entitiesImportant entities
SmallX<50Y<10Z<10Out of scopeOut of scope
NIS2 entities classification according to size, revenue, and balance sheet

According to NIS2, sectors falling under the ''essential entities (EE)'' category are:

  • Digital infrastructure
  • Water supply
  • Space
  • Health
  • Public administration
  • Finance
  • Transport
  • Energy

According to NIS2, sectors falling under the ''important entities (iE)'' category are:

  • Digital provides
  • Manufacturing
  • Food
  • Research
  • Chemicals
  • Waste management
  • Postal services
NIS2 sectors scope

Why the Need for NIS2?

Introduced in 2016, NIS1 was the first directive aiming to enhance the European legislation regarding cybersecurity. However, it soon became evident after its introduction that the application of the Directive varied significantly across Member States. This led to an uneven framework. Certain organizations were classified as essential in some countries, but the rule was bent in others.

In response, the European Commission opted to amend the NIS Directive to explicitly specify which organizations are included and what their precise requirements are. This revision materialized in 2021 as the Network and Information Security Directive (NIS2).

The revision to expand into NIS2 was also driven by the evolving and increasingly sophisticated nature of cyber threats. NIS2 aims to address these evolving threats by enhancing security measures, improving incident reporting, and fostering greater collaboration among EU member states.

Penalties Related to Non-Compliance with NIS2

Non-compliance with the NIS2 Directive will result in significant penalties. These can include substantial fines, which underscore the directive’s aim to ensure serious adherence to established cybersecurity practices. Penalties are divided into three main categories:

  • Non-monetary penalties
  • Administrative fines
  • Sanctions for management

It is important to note that fines vary depending on the member state for specific violations such as failure to report security incidents.

Administrative fines


Non-compliance with the NIS2 Directive carries more severe penalties than the original NIS. The NIS2 Directive imposes varying penalties for non-compliance based on the classification of the entities involved.

For essential entities, administrative fines can reach up to €10 MM or a minimum of 2% of the total annual worldwide turnover from the previous fiscal year of the company to which the essential entity belongs, depending on which is greater.

For important entities, administrative fines can go up to €7 MM or a minimum of 1.4% of the total annual worldwide turnover from the previous fiscal year of the company to which the important entity belongs, depending on which is greater.

Sanctions for management


NIS2 enables authorities in the Member States to assign personal liability to C-level management if a violation is established following a cyber incident. Sanctions include:

  • Requiring organizations to disclose compliance breaches publicly.
  • Issuing public statements that name the individuals and legal entities responsible for the breach and describing its nature.
  • For organizations categorized as essential entities, imposing a temporary prohibition on individuals from holding management positions in the event of recurrent violations.

These provisions intend to ensure accountability at higher management levels and to deter negligence in the handling of cyber risks.

How Can ASEE Help?


As organizations navigate the complexities of achieving compliance with the NIS2 Directive, ASEE offers a suite of solutions that align with the directive’s requirements for cybersecurity and data protection. Here's how ASEE can assist organizations in fulfilling some of the critical aspects of NIS2 compliance:

Access Management:


One of the key aspects of NIS2 is stringent access management, ensuring that only authorized personnel have access to sensitive or critical data. ASEE’s Identity and Access Management (IAM) solutions are designed to limit access based on defined roles and policies. This includes Single Sign-On (SSO) capabilities that simplify login processes while maintaining high security standards, thus reducing password complexities and enhancing security.

Multi-Factor and Risk-Based Authentication:


ASEE’s Multi-Factor Authentication (MFA) solutions utilize a broad range of both hardware and software authentication methods to ensure secure access to systems. Complementing this, our Risk-Based Authentication features adaptive authentication techniques, which consider user behaviour to provide dynamic security measures that strengthen system defences without compromising user convenience. Additionally, ASEE offers Passwordless Authentication options, which not only provide a seamless authentication experience but also mitigate the risks associated with password attacks and the burden of employees having to remember multiple passwords.

Securing Supply Chains:


In the context of NIS2’s emphasis on securing supply chains, ASEE’s IAM solution extend to managing customer identities and controlling third-party access to sensitive data, thereby safeguarding critical information from unauthorized access. For mobile app owners, ASEE’s App Protector enhances security postures by providing robust mobile app protection, ensuring that apps do not become the weak links in supply chains.

Risk Assessments and Security Policies:


You can use Inact AI/ML fraud monitoring and logging mechanisms to detect, alert and respond to security incidents in a timely manner. ASEE also offers products for Mobile Application Shielding, which play an important role in conducting risk assessments and formulating security policies. These products help organizations shield their mobile applications from potential threats and vulnerabilities, aligning with NIS2’s directives for maintaining rigorous cybersecurity measures.

PKI Solutions:

Public Key Infrastructure (PKI) significantly enhances compliance with the NIS2 Directive by ensuring encryption and authentication of data transmissions, critical for safeguarding sensitive information. PKI supports NIS2 requirements for digital signatures, ensuring the authenticity and integrity of electronic documents and transactions, making them legally binding and tamper-proof. It enables strong authentication measures, such as two-factor and multi-factor authentication, through secure management of digital certificates and keys. Additionally, PKI automates the management of digital certificates, crucial for maintaining compliance with NIS2, including issuance, renewal, and revocation processes. It also aids in maintaining data integrity and secure access control, further strengthening cybersecurity measures. PKI's capabilities extend to enhancing audit trails and logging with cryptographic timestamps. These are vital for compliance reporting and demonstrating adherence to NIS2 requirements during audits.

By integrating ASEE’s products into their cybersecurity strategies, organizations can not only meet the stringent requirements of NIS2 but also enhance their overall security infrastructure, protect critical data, and ensure continuous compliance with evolving cybersecurity regulations. This holistic approach to security management empowers organizations to tackle the challenges posed by the digital landscape effectively.

Feel free to contact us – zero obligation. Our ASEE team will be happy to hear you out. 

Want to learn more about cybersecurity trends and industry news?

SUBSCRIBE TO OUR NEWSLETTER

CyberSecurityhub

chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram