Cybercrime poses huge risks, and its impact is directly felt by companies and citizens. Many services need to function without interruption or downtime - successful cyberattacks on critical infrastructure cause disruption and economic loss. To manage such threats, the European Union (EU) has enacted a framework to help member states improve information security. It includes directives to help them identify and mitigate cyber risks and report security incidents to the authorities.
As the world becomes more digital and connected, information systems must be secured against threats by strengthening network security. Public and private companies’ reliance on computer networks to store and transmit data leaves them exposed to cyberattacks, and the consequences of a successful attack can be dire. In December 2015, for example, parts of western Ukraine suffered a major power outage that left 230,000 citizens in darkness and freezing temperatures after a group of cyber criminals hacked a substation’s control systems. Similar attacks have hit digital infrastructure: the infamous NotPetya malware attack in 2017 affected many nations across the European Union. In Germany, it disrupted countless organizations across different industries, and pharmaceutical giant Merck and logistics company Maersk were among those that suffered operational setbacks due to IT malfunctions. As attacks rose, a serious question loomed over EU authorities: how to prevent attacks on critical infrastructure.
The goal was to place strong defenses around that infrastructure. Cue the Network and Information Security (NIS) Directive, introduced in 2016. Today we have the next version of that legislation: NIS2.
NIS wasn’t enough. NIS2 is getting more attention than its predecessor because the original NIS Directive applied to fewer industries, so the noise around it was limited. Non-compliance also did not attract heavy penalties, as most of the organizations it applied to lacked full clarity on how to implement the NIS requirements. Furthermore, EU member states were not on the same page, as the directive left considerable room for individual interpretation. With such ambiguity, the framework needed to be revisited, clarified, and given a redefined scope. Without these measures, compliance wasn’t realistic.
The goal is still the same: to protect critical infrastructure and increase resilience among organizations. But NIS2 applies to a larger spectrum of industries in the EU than the original version, and it incorporates updates for new technologies and stakeholder feedback.
NIS2 applies to businesses in the EU region that fall under “Essential Entities” and “Important Entities”. Companies located outside the EU but offering digital infrastructure services in Europe may also need to comply with the directive.
Applicable sectors within Essential Entities include:
Applicable sectors within Important Entities include:
There are various thresholds and fines defined for both categories of organizations.
Essential entities include organizations with 250 employees or more and a turnover of 50 million euros or a balance sheet of 43 million euros.
Important entities include organizations with 50 employees or more and a yearly turnover or balance sheet of 10 million euros.
Companies falling within the ambit of the regulation will be subject to measures such as on-site inspections, audits, and cybersecurity scanning, and the level of monitoring will increase. Authorities may also request other data and evidence relating to an organization’s security posture and policies in order to assess its security maturity and readiness.
The authorities have put more focus on enforcement with NIS2, reducing grey areas and leaving less room for ambiguity. For example, NIS2 states that an attack must be reported regardless of whether it has implications for the organization: a basic report must be sent within 24 hours of the incident, and a detailed report must be provided within a month of the incident. Knowledge-sharing and cooperation between member states are also expected to improve under the new directive.
NIS2 entered into force on January 16th, 2023. Member states have roughly 20 months to transpose the directive into their national laws, and all organizations in the covered categories must be NIS2-compliant by October 18th, 2024.
First, determine whether your business falls under the requirements of NIS2 and, if so, under which category:
Complying with NIS2 doesn’t mean you must undergo a major overhaul. If you already have good security measures in place, there is a high chance your company will only have to worry about a few things.
For organizations that want to understand how NIS2 applies to them and what steps they need to take to improve their network security and defend their information systems, we can demystify the framework in three steps: