Overview of the NIS2 Directive
We have spoken to law firms and even they are sometimes confused as to which companies must comply with the NIS2 Directive. Does it apply only to companies in the EU? Does it apply to global companies operating in the EU? As always, the devil is in the details. Let’s try to untangle this topic.
The NIS2 Directive is an update to the original EU Network and Information Security (NIS) Directive, which was originally released in 2016.
It is aimed at improving the cybersecurity and resilience of key sectors across the European Union. The idea is that if all companies that should comply actually do so, their sector becomes more secure as a whole. We have our doubts about the audit and enforcement capabilities of the EU; after all, most other cybersecurity directives and regulations released by the EU legislative powers have failed. This one is the most publicized, and there is sense in at least attempting to comply with it. It benefits your company and your clients, after all.
The directive applies to a wide range of industries critical to societal and economic function, and it’s a legally binding requirement for affected businesses.
What NIS2 Compliance Means for Companies
Risk Management measures required by NIS2
NIS2 mandates a comprehensive approach to risk management. Your organization should regularly assess vulnerabilities across both digital and physical systems. It’s not enough to have a basic firewall or antivirus solution; you’ll need:
- Advanced Risk Assessments: This involves continuous monitoring of your network, identifying potential vulnerabilities, and understanding how external threats could impact your critical services. The question you should be asking yourself is: do you have a risk manager on staff? Should you outsource?
- Security Policies and Controls: NIS2 requires that you create and maintain detailed cybersecurity policies addressing data confidentiality, integrity, and availability. This includes access controls to ensure that only authorized personnel have access to sensitive systems and data. Please do not buy policy packs; if you do, your policies will be “toothless” and an auditor might fail you for not using them in practice.
- Incident Handling Procedures: Beyond just preparing for attacks, you’ll need documented procedures to handle incidents in real time. How will you contain an attack? How will you mitigate its impact? And if you do have the policies, do you practice them?
How Fast Do We Need to Report Cybersecurity Incidents?
One of the more challenging requirements of NIS2 is the incident reporting timeline. Companies must report significant cybersecurity incidents to their national Computer Security Incident Response Teams (CSIRTs) within 24 hours of detection.
After the initial report, your team needs to submit a more detailed follow-up report within 72 hours, outlining the extent of the breach, how it was handled, and what remediation steps were taken. Failing to comply with these reporting deadlines can lead to penalties, so having an incident response plan in place is crucial.
Does NIS2 Affect Our Third-Party Suppliers?
Yes, and this is where it gets interesting. NIS2 puts a big emphasis on supply chain security. If your suppliers or service providers are part of critical infrastructure or handle sensitive data for you, they also need to meet NIS2 standards.
Here are some questions to ask yourself:
- Are our vendors compliant? You’ll need to ensure your third-party vendors adhere to security practices that match your own.
- Do our contracts enforce security requirements? Review your contracts with third parties. Do they outline security expectations, incident reporting, and risk management protocols?
It’s not enough to protect your own network if you’re allowing third-party vulnerabilities into your ecosystem. Consider requiring compliance checks and audits for your partners.
What About Business Continuity and Disaster Recovery Plans?
A strong focus of NIS2 is operational resilience. It’s not just about defending against attacks; it’s about ensuring continuity when something inevitably goes wrong. This includes having:
- Business Continuity Plans (BCP): How will your organization maintain critical operations during a cybersecurity incident? NIS2 requires that you have a robust BCP in place to ensure minimal disruption.
- Disaster Recovery (DR): You’ll need a DR strategy that includes regular system backups, redundancies, and tested recovery procedures to get operations back up and running after an incident.
Ask yourself: Have we tested our disaster recovery plan recently? NIS2 compliance means you can’t just create these plans; you must regularly test them to ensure they work under pressure.
How Can We Stay Ahead of Vulnerabilities?
Finally, NIS2 is clear about the need for vulnerability management. This isn’t a one-off activity. You must actively monitor and patch vulnerabilities as soon as they are identified. This applies to both software and hardware.
Consider these questions:
- How fast do we patch vulnerabilities? A delayed patch could be a window for attackers. Under NIS2, you’ll need a streamlined process for identifying and fixing vulnerabilities.
- Do we monitor all endpoints? From laptops to IoT devices, every endpoint needs to be secure. This is particularly critical in industries where operational technology (OT) and information technology (IT) overlap, such as energy or manufacturing.
Wider Scope of NIS2
NIS2 expands the scope of companies compared to NIS1, covering both essential and important entities. The directive now includes more industries and organizations, making it relevant to a broader group of companies.
Companies and Sectors Required to Comply with NIS2
- Essential Entities:
- Energy:
- Power generation, transmission, and distribution companies are covered by NIS2 due to their critical role in infrastructure. Energy companies must maintain the security and availability of their services, because during a conflict, and in general, energy companies are the most targeted by foreign states and hackers. Disrupting power generation is generally the adversary’s first goal.
- Healthcare:
- Hospitals, medical institutions, and health service providers must comply due to their handling of sensitive personal data and their role in providing life-critical services.
- Transport and Logistics:
- Companies involved in air, rail, water, and road transportation are subject to NIS2 to ensure the uninterrupted flow of goods and people. You might be surprised, but fuel station networks and even individual fuel stations are considered critical infrastructure. Imagine what would happen if the computer network of a major fuelling network failed for a day or two.
- Important Entities:
- Digital Infrastructure:
- Cloud providers, data center operators, and digital service providers must comply, as their services underpin much of the digital economy and other critical sectors.
- Financial Sector:
- Banks, insurance companies, and financial services firms fall under NIS2 because of their handling of vast amounts of financial data and their essential role in maintaining economic stability.
- Public Administration and Government Services:
- Local and national government bodies that deliver essential public services are included due to their role in managing sensitive public data and ensuring service availability.
Why Even Smaller Companies in Affected Sectors Need to Comply
- Thresholds and Criteria:
- While NIS2 applies primarily to medium and large enterprises, certain small businesses within critical sectors must comply if they meet specific criteria, such as providing key services to large enterprises or handling critical infrastructure.
- Importance of Supply Chain Security:
- There is an increased focus on third-party risk management under NIS2. Smaller companies that are part of the supply chain for larger critical organizations will likely face pressure to comply.
- Risk of Non-Compliance:
- There are penalties and fines for non-compliance, which can be significant for companies that fail to adhere to NIS2 standards. Even smaller organizations can face severe financial consequences if they are found to have neglected their security obligations.
Regulatory and Legal Pressures Driving NIS2 Adoption
- Mandatory Legal Framework:
- Unlike voluntary compliance frameworks, NIS2 is a mandatory directive requiring companies in affected sectors to implement specific cybersecurity measures.
- National regulators will enforce the directive, and businesses must be prepared for audits and inspections.
- Cross-Border Impact:
- NIS2 is a harmonized directive across the EU, meaning that companies operating in multiple countries must adhere to a unified set of cybersecurity standards. This helps streamline compliance, but it also increases the complexity for organizations with cross-border operations, which must deal with each national implementation.
- Alignment with Other Compliance Standards:
- NIS2 aligns with other regulations like the GDPR in terms of security obligations, which may make compliance easier for organizations already familiar with these frameworks. Because of this overlap, a single cybersecurity strategy can often address both NIS2 and other regulatory requirements.
Companies Handling Critical Data or Infrastructure
- Telecom Providers:
- Companies providing internet and mobile communications services are responsible for maintaining the security and availability of network infrastructure. NIS2 pushes for more robust incident reporting and protection protocols in this sector.
- Cloud Service Providers and Digital Platforms:
- Companies hosting large amounts of data or providing essential online platforms are seen as integral to maintaining the digital economy, requiring enhanced security practices and compliance.
- Critical Manufacturing:
- Manufacturers producing critical infrastructure components, such as microchips or industrial equipment, are covered under NIS2. Failure in their cybersecurity can lead to widespread economic disruption, hence the need for compliance.
Competitive Advantages of NIS2 Compliance
- Building Trust with Customers and Partners:
- Companies that comply with NIS2 can offer a clear advantage by demonstrating to customers and partners that they are serious about cybersecurity and protecting data. This builds long-term trust.
- Improving Cyber Resilience:
- Compliance strengthens internal security processes, making companies more resilient to cyberattacks. This reduces downtime and helps ensure continuity, especially for those providing critical services.
- Entering New Markets and Expanding Globally:
- For companies looking to expand into the European market, NIS2 compliance can serve as both a regulatory requirement and a competitive edge. Demonstrating compliance in tenders and contracts makes a company more attractive to large clients and for public sector opportunities.
- Reduction in Financial Risks:
- Complying with NIS2 reduces the likelihood of facing large fines for cybersecurity breaches, helps mitigate the risk of reputational damage, and limits potential losses due to disruptions from cyber incidents.
Exceptions: Companies That May Not Need to Comply with NIS2
- Non-Essential, Non-Digital Entities:
- Companies that don’t provide critical services or manage significant amounts of digital data are typically exempt from NIS2. Hospitality and retail businesses generally fall outside of the directive’s scope.
- Small and Micro Businesses:
- Very small businesses, especially those outside of critical sectors, may not need to comply. However, this doesn’t absolve them from other cybersecurity responsibilities, especially if they engage with larger organizations that might require them to follow security best practices.
- Companies Not Operating in the EU:
- Non-EU companies that do not provide services or handle data within the European market are not directly affected by NIS2. However, if you partner with EU-based entities or operate cross-border, compliance may still become a factor.
Steps to Prepare for NIS2 Compliance
- Assess Your Organization’s Relevance to NIS2:
- Your company falls under the NIS2 directive if you work in or with the sectors listed above. The important distinction here is whether you are an essential or an important entity. You can clearly see them in the PDF linked here.
- Establish a Cybersecurity Framework:
- You should adopt a risk management approach that includes the identification, assessment, and mitigation of cybersecurity risks as outlined in NIS2. In other words, you should build an information security program plan and start working on it.
- Improve Incident Reporting Mechanisms:
- You need the proper channels and processes for reporting cybersecurity incidents within the mandatory timelines set by NIS2. But to have that, it is not enough to just buy a bunch of documents and “have” them. As in the cybersecurity framework mentioned above: become secure first. Then you will have the capabilities to detect incidents and respond to them. Becoming secure means working on 28 categories of security controls and gradually implementing the relevant ones in your company.
- Ensure Compliance with Third-Party Vendors:
- Scrutinize your third-party suppliers to ensure they are also compliant, as NIS2 places a strong emphasis on supply chain security. If one of your suppliers or service providers (for example, your IT service management company) gets hacked, you can be breached as well, and you will be held responsible for not asking them about their security, not following up, and not requiring them to implement your standards of defense.
- Ongoing Security Audits and Monitoring:
- Your company should perform regular security audits and continuously monitor for vulnerabilities, ensuring you meet the requirements of NIS2.
If your company wants to prepare for SOC2 rapidly, contact us, and let’s see if we can help!