
What is NIS 2?

NIS 2 (Directive (EU) 2022/2555) is the second iteration of the Network and Information Systems Directive. This landmark cybersecurity legislation aims to establish a higher common level of cyber resilience for organizations throughout the European Union (EU), particularly the operators of critical infrastructure and essential services.

Notably, “NIS 2” is the legislation’s correct name. However, you may see references to “NIS2 compliance” or the “NIS2 Directive” in official documents. Both are acceptable, but the former option is what’s published in the Official Journal of the European Union.

NIS 2 is a directive rather than a regulation, so it does not apply directly: each Member State must transpose it into national law by October 17, 2024, at which point covered entities become legally obligated to comply with the national rules that implement it. In practice, that means every EU country must enact and enforce its own binding version of the Directive's requirements, so the exact obligations, supervisory bodies, and penalties can differ somewhat from one Member State to the next.

At a national level, NIS 2 aims to boost overall cybersecurity by:

  1. Requiring each Member State to designate a Computer Security Incident Response Team (CSIRT) and a competent national authority for network and information systems, so that it is prepared for cyber threats and incidents.
  2. Increasing collaboration among member states by creating a Cooperation Group to exchange information. 
  3. Fostering a cybersecurity culture across critical infrastructure sectors that rely heavily on information and communication technology (ICT).

In short, NIS 2 is designed to ensure relevant entities throughout the EU are prepared to mitigate threats with the appropriate security measures, threat intelligence, and best practices.

Why is NIS 2 important?

NIS 2 represents a marked improvement on the original NIS Directive. Adopted in 2016, NIS 1 was the EU's first piece of EU-wide cybersecurity legislation, and it had the same goal of raising cyber resilience across the region.

Although it successfully triggered a change in mindset and improved data protection, it nevertheless faced challenges. Soon after implementation, there were varying levels of adoption throughout the European Union. Some companies were considered essential in certain countries, but not in others. These inconsistencies resulted in a confusing and fragmented compliance landscape.

Simultaneously, the risk environment has changed dramatically since 2016. By one widely quoted industry estimate, the global cost of cybercrime is growing so quickly that, measured as a country, it would have the world's third-largest economy. New and increasingly sophisticated attack techniques, including the use of artificial intelligence (AI), are challenging organizations in ways previously unseen.

AI-assisted phishing, for example, produces convincing, personalized lures at scale to deceive users and harvest their login credentials. And a sufficiently large quantum computer would break the public-key algorithms, such as RSA and elliptic-curve cryptography, that protect much of today's communications and stored data, which is why migration to post-quantum algorithms is already a planning item for long-lived data even though no such machine exists yet.

Of course, geopolitics only adds to the complexity. Russia’s war in Ukraine has given rise to politically motivated and state-sponsored cyber attacks. According to the European Union Agency for Cybersecurity (ENISA), in 2022, the vast majority of those attacks targeted public administration and governments, digital service providers, and critical infrastructure.

Given these problems, the European Commission decided to revise the NIS Directive. The second iteration not only addresses unified implementation, but also raises the bar for cyber resilience in lockstep with the changing cyber threat landscape.

Key changes: NIS 2 vs. the original NIS Directive

The updated NIS Directive rectifies the deficiencies of its predecessor and significantly increases the size and scale of its reach. Specifically, compared to NIS 1, it:

  • Expands the scope to include more sectors
  • Imposes harsher sanctions for noncompliance
  • Mandates more stringent cybersecurity requirements

Let’s take a closer look at the key differences between the first and second NIS Directive.

Expanded scope

The original NIS Directive applied to “operators of essential services” (OES) and “digital service providers” (DSP). Now, this distinction is no more. 

Instead, relevant entities are classified by size and by sector. Generally, NIS 2 covers organizations that provide services in the sectors the Directive designates as essential or important. This increases the number of covered sectors from seven under NIS 1 to 18 under NIS 2 (11 sectors of high criticality in Annex I and seven other critical sectors in Annex II), thereby protecting more vital aspects of EU society. The lists below group some closely related annex sectors together.

An essential entity is, as a rule, a large enterprise operating in one of the Annex I sectors of high criticality. A large enterprise is one that exceeds the EU's thresholds for a medium-sized enterprise: roughly 250 or more employees, or an annual turnover above €50 million together with a balance sheet total above €43 million. Some entities are essential regardless of size, for example qualified trust service providers, top-level domain name registries, DNS service providers, and central government public administration bodies, and Member States may also designate sole providers of a critical service as essential. The Annex I sectors of high criticality include:

  • Energy
  • Transportation
  • Finance
  • Public administration
  • Health
  • Space
  • Water supply (drinking and wastewater)
  • Digital infrastructure

By contrast, an important entity is either a medium-sized enterprise in one of the Annex I sectors above (at least 50 employees, or an annual turnover and balance sheet total each above €10 million) or a medium-sized or large enterprise in one of the Annex II "other critical sectors", which are not deemed essential. Under NIS 2, those Annex II sectors are:

  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Research
  • Food production, processing, and distribution
  • Manufacturing
  • Digital providers

Some of the above sectors may seem to overlap, such as digital infrastructure and digital providers. The former refers to cloud services, telecommunications operators, data centers, trust services, and so on. In short, it encompasses any entity that provides a digital service key to the backbone of society.

Digital providers include more specific services, such as search engines, online markets, and social networks. They’re integral to the way people communicate and transact, but may not have drastic implications if a cyber incident renders them inoperable.

But what about operators based outside the EU? Article 26 of NIS 2 sets out jurisdiction. As a rule, an essential or important entity falls under the jurisdiction of the Member State in which it is established. Providers of public electronic communications networks or services fall under the jurisdiction of every Member State in which they provide those services, while DNS, top-level domain, domain registration, cloud, data centre, content delivery network, managed (security) service, and digital providers fall under the Member State of their main establishment in the EU. An entity of those latter types that is not established in the EU but offers its services within it must designate a representative in one of the Member States where the services are offered, and that Member State then has jurisdiction over it.

Stronger penalties for noncompliance

NIS 2 establishes much harsher penalties for noncompliance, including:

1. Non-monetary penalties

NIS 2 gives national supervisory authorities the power to levy:

  • Warnings and compliance orders
  • Binding instructions
  • Security audits and inspections
  • Orders to inform the natural or legal persons affected by a significant cyber threat

2. Administrative fines

Exact fines vary by Member State, but the Directive sets floors for the maximum fines national law must allow:

  • For essential entities, Member States must provide for a maximum fine of at least €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
  • For important entities, the maximum fine must be at least €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

3. Liability of management bodies

Rather than leave NIS 2 compliance to the IT department, the Directive makes management bodies personally accountable: under Article 20 they must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements of those obligations. Supervisory authorities can also order an organization to make aspects of its infringements public and, for essential entities, temporarily prohibit a chief executive or legal representative from exercising managerial functions until the deficiencies are remedied. These are administrative measures; the Directive itself creates no criminal offences, although Member States may add criminal penalties in their national law.

Stricter requirements

Lastly, NIS 2 dramatically increases its cybersecurity requirements for relevant entities. Broadly, it mandates early incident reporting, widened risk management, and a series of minimum security measures.

What does all that mean? Let’s dive deeper into NIS 2’s exact requirements.

NIS 2 security requirements

The new Directive bolsters cyber resilience by introducing obligations across four areas:

Risk management

Organizations must adopt cybersecurity risk management measures to minimize the likelihood and impact of various cyber threat vectors. More specifically, they must implement technical, operational, and organizational precautions to mitigate risks affecting their network and information systems, thereby enhancing data protection. These may include incident management procedures, stronger supply chain security, access control systems, and encryption.

Corporate governance

Management bodies are responsible for overseeing and approving their respective organizations' cybersecurity risk management protocols and must ensure they are implemented effectively.

According to Article 20, Member States should “ensure that the members of the management bodies of essential and important entities are required to follow training,” and should encourage them to offer similar training programs to their employees consistently. The aim is to enable everyone in a given organization to identify risks and minimize exposure to the best of their ability.

Incident reporting

Essential and important entities must establish procedures to promptly report incidents that significantly affect the provision of their services. Under Article 23, an incident is "significant" if it:

  • Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Entities must notify their Member State's CSIRT or, where applicable, the competent authority in stages: an early warning within 24 hours of becoming aware of the significant incident (indicating, where applicable, whether malicious action or cross-border impact is suspected); an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity, impact, and available indicators of compromise; an intermediate report on request; and a final report no later than one month after submitting the 72-hour incident notification, covering root cause, mitigation, and any cross-border impact. If the incident is still ongoing at the one-month mark, a progress report is due instead and the final report follows within a month of the incident being handled. Where relevant, recipients of the service that are potentially affected must also be informed. The clocks run from awareness, not from confirmation of the full picture, so the detection-to-reporting process should be rehearsed before it is needed.
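The Article 23 timeline above is easy to get wrong in a playbook because the three clocks do not share one anchor: the 24-hour and 72-hour deadlines run from awareness, the final report runs from the moment the incident notification was actually submitted, and an incident that is still ongoing at the one-month mark shifts the final report again. The helper below is an added example written for this page, not code from the Directive or from Entrust; it assumes "one month" means one calendar month with end-of-month clamping (the Directive does not define it), and the sample timestamps are constructed.

```python
"""NIS 2 Article 23 reporting-deadline helper (added example; assumptions noted inline)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Incident:
    """Minimal record of the two Article 23(3) significance tests for an incident."""
    severe_disruption_or_financial_loss: bool  # Art. 23(3)(a)
    considerable_damage_to_others: bool        # Art. 23(3)(b)


def is_significant(incident: Incident) -> bool:
    """An incident is 'significant' (and therefore reportable) if either test is met."""
    return incident.severe_disruption_or_financial_loss or incident.considerable_damage_to_others


def utc(year, month, day, hour=0, minute=0):
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Advance by one calendar month, clamping to the last day of the target month.

    Assumption: the Directive says 'one month' without defining it; calendar-month
    semantics (31 Jan -> 29 Feb in a leap year) are used here.
    """
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def reporting_deadlines(aware_at, notification_submitted_at=None, handled_at=None):
    """Compute the Article 23(4) deadlines for one significant incident.

    aware_at: when the entity became aware of the incident (starts the 24h and 72h clocks).
    notification_submitted_at: when the 72-hour incident notification was actually sent;
        the final report's one-month clock runs from this, not from awareness. If None,
        the latest permissible submission (72h) is used for planning.
    handled_at: when the incident was handled; None means not yet handled.
    Returns a dict of deadline name -> datetime (progress_report is None unless needed).
    """
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware datetimes; deadlines cross time zones and DST")
    if notification_submitted_at is not None and notification_submitted_at < aware_at:
        raise ValueError("notification cannot precede awareness")

    early_warning_due = aware_at + timedelta(hours=24)
    notification_due = aware_at + timedelta(hours=72)
    anchor = notification_submitted_at or notification_due
    one_month_mark = add_one_month(anchor)

    deadlines = {
        "early_warning": early_warning_due,
        "incident_notification": notification_due,
        "progress_report": None,
        "final_report": one_month_mark,
    }
    if handled_at is not None and handled_at > one_month_mark:
        # Art. 23(4)(e): still ongoing at the one-month mark -> progress report then,
        # final report within one month of the incident being handled.
        deadlines["progress_report"] = one_month_mark
        deadlines["final_report"] = add_one_month(handled_at)
    return deadlines


def overdue(deadlines, now):
    """Names of deadlines that have already passed as of `now`."""
    return [name for name, due in deadlines.items() if due is not None and due < now]


if __name__ == "__main__":
    # Constructed sample: aware on 30 Jan 2024, notification sent a day early.
    aware = utc(2024, 1, 30, 10)
    sent = utc(2024, 1, 31, 12)
    for name, due in reporting_deadlines(aware, sent, handled_at=sent).items():
        print(f"{name:22s} {due}")
```

Run stand-alone it prints the four dates for the sample; in a playbook you would call reporting_deadlines as soon as an incident is judged significant and re-run it when the notification is actually sent, since that submission time, not the 72-hour mark, fixes the final-report deadline.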

Business continuity

The revised Directive aims to ensure business continuity after an attack. Entities must have a credible, tested plan for responding to and recovering from incidents that keeps disruption short, which is why Article 21 names backup management, disaster recovery, and crisis management explicitly. Backups only count for this purpose if they are isolated from the production environment an attacker may already control and are restored regularly to prove they work.

10 baseline cybersecurity measures

Article 21(2) lists 10 baseline measures that entities must implement, at a minimum, to support the four areas above. They follow an "all-hazards approach": the measures must protect network and information systems and their physical environment from incidents of any origin, not just the most likely ones, and must be proportionate to the entity's exposure, size, and the likelihood and severity of incidents. These measures are:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including security-related aspects of the relationships between each entity and its direct suppliers or service providers
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems, where appropriate

NIS 2 vs. other cybersecurity regulations

Alongside NIS 2, EU operators will have to contend with numerous other regulations, including:

  • The Digital Operational Resilience Act (DORA)
  • The Critical Entities Resilience (CER) Directive
  • The Cyber Resilience Act (CRA)

How do these legislations overlap? Let’s break down the details:

NIS 2 vs DORA

Both NIS 2 and DORA are cybersecurity regulations, but their purposes are slightly different. DORA is specifically focused on the financial sector, whereas NIS 2 covers a broader range of organizations.

According to Article 4(1) and (2) of the NIS Directive, DORA’s provisions related to ICT risk management and reporting, digital operational resilience testing, information sharing, and third-party risk shall apply instead of those outlined in NIS 2. In other words, financial entities should refer to DORA for these areas and NIS 2 for all other requirements.

Bottom line: DORA supersedes NIS 2 for financial entities when it comes to the above security measures.

NIS 2 vs. the CER Directive

The CER Directive applies to critical entities, such as energy and transport providers, and governs their resilience against non-cyber risks such as physical attacks, natural hazards, and sabotage. While NIS 2 focuses on cybersecurity, the two directives overlap in the entities they cover: an entity identified as critical under CER is automatically an essential entity under NIS 2. Such organizations must comply with both, addressing cyber and physical resilience together.

Critical entities should comply with NIS 2 when it comes to cybersecurity and the CER Directive for non-cyber incidents.

NIS 2 vs. CRA

The Cyber Resilience Act, adopted in 2024 as Regulation (EU) 2024/2847, focuses on the cybersecurity of hardware and software products with digital elements, such as Internet-of-Things (IoT) devices, across their life cycle. Where NIS 2 focuses on the security posture of organizations themselves, the CRA requires manufacturers to secure the products they place on the EU market, including vulnerability handling and the provision of security updates.

Generally, the CRA complements NIS 2, but doesn’t necessarily overlap or supersede it. Therefore, entities may be subject to both regulations.

Achieve NIS 2 compliance with Entrust

Worried about NIS 2 compliance? Don’t be — we’re here to help.

At Entrust, we take the pain out of cybersecurity and data protection. Our portfolio includes all the compliance solutions you need, including:

  • Hardware Security Modules (HSMs): Entrust's nShield HSMs provide a secure environment for generating, managing, and protecting cryptographic keys, which are essential for securing sensitive data and ensuring the integrity of digital transactions. 
  • Cloud Security Posture Management: Our full-stack security tools help organizations manage their security posture in cloud environments with continuous monitoring, automated threat detection, and more.
  • Identity and Access Management (IAM): We provide IAM solutions that enable organizations to ensure only authorized users can access sensitive information, providing a firm foundation for Zero Trust security.
  • Public Key Infrastructure (PKI): Entrust's PKI solutions provide a framework for securing communications and transactions, managing digital certificates, and ensuring the authenticity of digital identities, all of which are important for NIS 2 compliance.

Overall, Entrust's offerings provide a comprehensive suite of tools to help organizations strengthen their cybersecurity posture, protect against threats, and meet the requirements of the NIS 2 Directive.

Ready to get started? Contact our team today.