NIS2 Directive: strengthening cybersecurity across the EU

18/10/2024

A new era of cybersecurity for essential and critical industries in the European Union

The European Commission adopted an implementing act for the NIS2 Directive on October 18, 2024, detailing cybersecurity measures for critical networks and entities. This move coincides with the deadline for EU member states to transpose the NIS2 Directive into national law.

What is the NIS2 Directive?

The NIS2 Directive (EU Directive 2022/2555) was adopted by the European Parliament in December 2022 and came into force on January 16, 2023. It represents an overhaul and extension of the original NIS (Network and Information Security) Directive of 2016, which laid the groundwork for improving cybersecurity within essential services and digital infrastructures across the EU. NIS2 expands on this framework to cover more sectors and tighten security measures in response to the rapidly evolving cyber threat landscape.

NIS2 aims to improve the overall security posture of organizations and critical sectors across the EU, enhancing their ability to respond to, manage, and recover from cybersecurity incidents. Its main objectives are to:

  • Improve cybersecurity risk management across key sectors.
  • Increase collaboration and information sharing between EU member states and businesses.
  • Strengthen incident response to ensure a faster and more coordinated approach to cyberattacks.


Key changes from the original NIS directive

  • Broader scope of coverage: NIS2 significantly expands the list of sectors and types of entities that must comply with cybersecurity requirements. While the original NIS Directive mainly focused on essential services like energy, transportation, healthcare, and water supply, NIS2 includes additional sectors such as waste management, chemicals, food production, postal services, space, and more. Moreover, digital service providers like cloud computing services, data centers, and content delivery networks (CDNs) are also included.
  • Uniform security requirements: NIS2 introduces stricter and more detailed security requirements for organizations, covering areas such as risk analysis, incident handling, supply chain security, encryption, and vulnerability disclosure. These requirements apply uniformly across all EU member states to eliminate inconsistencies in cybersecurity standards.
  • Clearer accountability: NIS2 places more emphasis on board-level responsibility for cybersecurity. Senior management is now directly accountable for ensuring that their organization complies with NIS2 requirements, with potential fines or penalties for non-compliance. This shift reflects the growing recognition that cybersecurity is a business-wide concern, not just an IT issue.
  • Faster incident reporting: Under NIS2, organizations are required to report cybersecurity incidents much more quickly. The directive establishes a clear timeline for reporting incidents, with initial notifications required within 24 hours of detection and full incident reports within 72 hours. This aims to improve early warning systems and facilitate a faster and coordinated response to major cyberattacks.
  • Increased penalties for non-compliance: One of the more stringent aspects of NIS2 is the introduction of higher fines for organizations that fail to meet their cybersecurity obligations. Penalties can reach up to 10 million euros or 2% of an organization’s total global turnover, whichever is higher. This reflects the EU’s commitment to enforcing compliance and ensuring organizations take cybersecurity seriously.


Key sectors covered by NIS2

The NIS2 Directive significantly expands the range of sectors required to comply with stringent cybersecurity measures. Essential sectors include industries critical to national infrastructure, such as energy (electricity, oil, gas), transport, banking, healthcare, water management, and digital infrastructure (cloud services, data centers). Public administration also falls under this category.

On the other hand, important sectors cover industries like postal and courier services, food production, chemicals, waste management, and manufacturing of critical products like medical devices and pharmaceuticals. This expanded scope ensures comprehensive protection of both essential and important sectors against cyber threats.


Steps to comply with NIS2

For organizations operating in any of the sectors covered by NIS2, compliance is not optional. Here’s a brief overview of steps they should take to ensure compliance:

  • Assess current cybersecurity posture: Conduct a thorough assessment of your current cybersecurity measures to identify gaps or areas that need improvement. This includes evaluating both internal systems and third-party suppliers.
  • Implement risk management strategies: Develop and maintain cybersecurity risk management measures that include regular risk assessments, threat detection capabilities, and a response plan for potential incidents.
  • Board-level engagement: Ensure that senior leadership is involved in cybersecurity decisions. Management should be aware of their accountability and take responsibility for the organization’s compliance with NIS2.
  • Incident reporting mechanism: Establish a clear process for reporting cybersecurity incidents. This process should comply with the NIS2 reporting requirements and timelines, ensuring timely communication with national authorities.
  • Supply chain security: Evaluate the cybersecurity practices of third-party vendors and suppliers, as NIS2 emphasizes securing the supply chain from potential threats.
  • Training and awareness: Implement regular cybersecurity training and awareness programs for employees, ensuring that everyone in the organization understands the importance of cybersecurity and their role in maintaining it.


Challenges and opportunities

Although the deadline for transposing the directive has arrived, only a few countries, such as Belgium, Croatia, and Hungary, have completed the process. In contrast, countries like Spain, Portugal, and France, along with several other EU member states, have yet to finalize or publish their drafts. This situation can create uncertainty, particularly for entities in Spain that will be classified as essential or important under the NIS2 directive. These organizations face challenges as they must adapt and make investments based on a transposition that is still unknown, leading to potential operational disruptions and increased compliance risks.

The directive requires significant investments in technology, skills, and processes to meet the stringent requirements. Smaller companies, in particular, may find compliance burdensome due to limited resources. However, NIS2 also presents opportunities for organizations to strengthen their overall security posture and build trust with clients, partners, and regulators. By implementing the directive’s requirements, businesses can reduce their risk exposure, improve incident response times, and safeguard sensitive data. In an era of increasing cyberattacks, these measures can also provide a competitive advantage by demonstrating a strong commitment to cybersecurity.

This lack of transposition does not mean that organizations should remain idle while waiting for the national law. The regulator has provided preliminary guidelines and recommendations in public forums to help entities prepare for implementation. These recommendations focus on two key aspects:

  • Alignment with cybersecurity standards: It’s essential for organizations to align with recognized standards and certifications, such as ISO 27001, the NIST framework, or a National Security Scheme.
  • Enhancing security: Adhering to these standards does not guarantee complete protection against attacks, but it does help establish procedures that reduce risks and improve response and recovery capabilities in the event of an incident.

What is ISO 27001?

ISO 27001 is an international standard for managing information security. It provides a systematic framework to help organizations protect sensitive information by implementing an Information Security Management System (ISMS). The standard covers all aspects of information security, including people, processes, and IT systems, ensuring a comprehensive approach to managing data security risks.

For organizations operating within the EU, compliance with NIS2 is not just a legal obligation—it is a strategic imperative. By adopting the necessary cybersecurity measures, businesses can not only avoid costly penalties but also strengthen their defenses against increasingly sophisticated cyber threats, ensuring long-term sustainability and security.

Are you looking to enhance your organization’s cybersecurity?

AK3 provides a wide array of specialized services designed to protect your valuable data and systems. Explore how we can help fortify your defenses and ensure your organization’s resilience against cyber threats: