NIS 2 is coming, are you ready?
The NIS2 directive aims to raise the standard of cybersecurity in Europe and brings new obligations and new penalties for organizations operating in the EU.
In December 2022, the European Union (EU) adopted Directive (EU) 2022/2555, known as NIS2, a new set of rules aimed at raising the standard of cybersecurity across Europe. EU member states have until October 17, 2024, to transpose NIS2 into their own national laws, and the directive applies from October 18, 2024, when it replaces the original NIS Directive (EU) 2016/1148. Organizations that fall within its scope (see below) are expected to comply from that date, under the national law of each member state in which they operate.
NIS 2 mandates new cybersecurity and business continuity standards for organizations, introduces new reporting obligations, holds company heads responsible for cybersecurity, and introduces stringent sanctions for non-compliance.
Who needs to comply with NIS 2?
NIS 2 applies to organizations classed as either essential or important to keeping the EU’s society and economy functioning. The security and reporting obligations are the same for both groups, but supervision and sanctions differ: essential entities face proactive (ex-ante) supervision such as regular audits and inspections, important entities are supervised after the fact (ex-post) when evidence of non-compliance emerges, and the maximum fines are higher for essential entities.
Classification depends on both the sector an organization operates in and its size, using the EU’s standard definitions of small and medium-sized enterprises. In the sectors of high criticality (Annex I of the directive), large organizations are essential entities and medium-sized ones are important entities; in the other critical sectors (Annex II), both large and medium-sized organizations are important entities. For example, a large energy company is an essential entity, while a medium-sized one is an important entity.
- Large organizations have 250 or more employees, or an annual turnover above €50 million together with a balance sheet total above €43 million.
- Medium organizations are those that are not large but have 50 or more employees, or an annual turnover above €10 million together with a balance sheet total above €10 million.
- Small organizations have fewer than 50 employees and an annual turnover or balance sheet total of €10 million or less.
These are the EU’s standard SME thresholds (Recommendation 2003/361/EC). They count the headcount and finances of partner and linked enterprises, so a subsidiary of a large group may be classed as large even if it is small on its own.
Generally speaking, small organizations are outside the scope of NIS 2. There are exceptions, though: certain sub-sectors of Digital infrastructure (for example DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks) and central government public administration entities are in scope regardless of size. A member state can also bring a small organization into scope if it is the sole provider of a service essential to society or the economy, or if a disruption of its service could have a significant impact on public safety, security or health, or a significant cross-border impact.
Sector | Large | Medium | Small |
---|---|---|---|
Energy | Essential | Important | Not affected |
Transport | Essential | Important | Not affected |
Banking | Essential | Important | Not affected |
Financial market infrastructures | Essential | Important | Not affected |
Health | Essential | Important | Not affected |
Drinking water | Essential | Important | Not affected |
Waste water | Essential | Important | Not affected |
Digital infrastructure | Essential | Important (Essential for some sub-sectors) | Depends on sub-sector |
ICT service management (B2B) | Essential | Important | Not affected |
Public administration (central government) | Essential | Essential | Essential |
Space | Essential | Important | Not affected |
Postal and courier services | Important | Important | Not affected |
Waste management | Important | Important | Not affected |
Digital providers | Important | Important | Not affected |
Manufacturing | Important | Important | Not affected |
Chemicals (manufacture, production and distribution) | Important | Important | Not affected |
Food (production, processing and distribution) | Important | Important | Not affected |
Research | Important | Important | Not affected |
NIS 2 rules
Governance
NIS2 requires the management bodies of essential and important entities to approve their organization’s cybersecurity risk-management measures, to oversee their implementation, and accepts that they can be held liable for infringements of those obligations.
Members of the management body must themselves follow cybersecurity training, and must encourage regular, comparable training for employees so that staff can identify risks and assess the organization’s risk-management practices. At a minimum this means basic cyber hygiene for everyone: software updates, secure device configuration, network segmentation, identity and access management, and awareness of phishing and social engineering.
Risk management
NIS 2 requires organizations to take “appropriate and proportionate” technical, operational and organisational measures to manage the risks to their network and information systems, and to prevent or minimise the impact of incidents on the recipients of their services and on other services. Organizations must also be able to keep operating through a major incident: business continuity planning should cover system recovery, emergency procedures, and setting up a crisis response team.
At a minimum, those measures must cover (Article 21(2) of the directive):
- Policies on risk analysis and information system security.
- Incident handling, including a plan for detecting, responding to and recovering from security incidents.
- Business continuity, such as backup management and disaster recovery, and crisis management.
- Supply chain security, including the security-related aspects of the relationships with direct suppliers and service providers; when assessing a supplier, the organization must take into account the vulnerabilities specific to that supplier and the quality of its development and security practices.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Multi-factor authentication (MFA) or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems, where appropriate.
Organizations must “ensure a level of security of network and information systems appropriate to the risks posed,” taking into account the state of the art, relevant European and international standards where applicable, and the cost of implementation. What counts as proportionate also depends on the organization’s exposure to risk, its size, and the likelihood and severity of incidents, including their societal and economic impact.
Reporting
Essential and important organizations must have processes in place to notify their national CSIRT or competent authority promptly about any “significant” incident affecting the provision of their services. An incident is significant if it has caused, or is capable of causing, severe operational disruption of the services or financial loss for the organization, or if it has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. Where appropriate, organizations must also tell the recipients of their services, without undue delay, about significant incidents likely to adversely affect them.
NIS2 also sets specific notification deadlines, counted from the moment the organization becomes aware of the incident:
- An “early warning” within 24 hours, which indicates whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
- An incident notification within 72 hours, which updates the early warning and gives an initial assessment of the incident’s severity and impact, together with any available indicators of compromise (IoCs).
- On request from the CSIRT or competent authority, an intermediate report with relevant status updates.
- A final report no later than one month after the incident notification, covering a detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and still ongoing, and any cross-border impact. If the incident is still ongoing at that point, the organization submits a progress report instead, and the final report is due within a month of the incident being handled.
Sanctions
The NIS2 Directive sets out penalties for non-compliance, such as failing to implement the required risk-management measures or failing to report significant incidents. These include non-monetary remedies and administrative fines, and member states must lay down their own effective, proportionate and dissuasive penalties in national law, which may include criminal penalties.
Non-monetary remedies include warnings, binding instructions, orders to cease non-compliant conduct and to bring the organization into compliance, orders to implement the recommendations of a security audit, and orders to inform the organization’s customers of a significant cyber threat and of the measures they can take in response. For essential entities, if those measures prove ineffective, the authorities can also temporarily suspend a certification or authorisation, and temporarily ban a person with managerial responsibilities at CEO or legal representative level from exercising those functions, until the infringement is remedied.
NIS 2’s maximum administrative fines vary for essential and important organizations:
- Essential organizations can be fined the higher of €10 million, or 2% of worldwide annual turnover.
- Important organizations can be fined the higher of €7 million, or 1.4% of worldwide annual turnover.
To move responsibility for cybersecurity away from the IT department alone and onto the organization’s leadership, NIS2 makes management bodies accountable: they must approve and oversee the risk-management measures, they can be held liable for infringements of those obligations, and, for essential entities, national authorities can temporarily bar senior managers from their roles if the organization fails to comply with enforcement orders. The details of personal liability, for example whether it requires gross negligence, are set by each member state’s transposing law.