Cyber security in the EU is drawing attention with NIS2

The expanded NIS Directive is the biggest thing since the GDPR. What's new, and which organizations does it apply to?

May 19 2023 | Dheeraj Rawal

The shaping up of Network and Information Security

Cybercrime poses huge risks, and its impact is directly felt by companies and citizens. Many services need to function without interruption or downtime - successful cyberattacks on critical infrastructure cause disruption and economic loss. To manage such threats, the European Union (EU) has enacted a framework to help member states improve information security. It includes directives to help them identify and mitigate cyber risks and report security incidents to the authorities.

Where the NIS2 Directive started

As the world becomes more digital and connected, information systems must be secured from threats by strengthening network security. Public and private companies’ use of computer networks to store and transmit data makes them vulnerable to cyberattacks. The consequences of an attack could be dire. For example, in December 2015, parts of western Ukraine faced a major power outage that left 230,000 citizens in darkness and freezing temperatures. The reason? A group of cyber criminals hacked a substation’s control systems, leading to a power outage.

There have been similar attacks on digital infrastructure. For example, the infamous NotPetya malware attack in 2017 affected many nations across the European Union. In Germany, the attack disrupted countless organizations across different industries. Pharmaceutical giant Merck and logistics company Maersk were among those who suffered operational setbacks due to IT malfunctioning. As attacks rose, a serious question loomed over EU authorities about preventing attacks on critical infrastructure.

The goal was to place strong defenses around that infrastructure. Cue the Network and Information Security (NIS) Directive, introduced in 2016. We’ve got the next version of the legislation today.

How is NIS2 different?

NIS wasn’t enough. NIS2 is getting more attention because the original NIS directive applied to fewer industries, so the noise around it was limited. Also, non-compliance did not attract heavy penalties as most of the organizations it applied to did not have 100% clarity on implementing the NIS directives. Furthermore, EU member states were not on the same page, as there was considerable room for individual interpretation. With such ambiguity, there was a need to revisit the framework, add more clarity, and redefine the scope. Without all these measures, compliance wasn’t realistic. 

The goal is still the same: to protect critical infrastructure and increase resilience among organizations. But NIS2 applies to a larger spectrum of industries in the EU than the original version. It also incorporates updates that reflect new technologies and stakeholder feedback.

Different categories and criteria

NIS2 applies to businesses in the EU region that fall under “Essential Entities” and “Important Entities”. Companies located outside the EU but offering digital infrastructure services in Europe may also need to comply with the directive.  

Applicable sectors within Essential Entities include: 

  • Transportation (air, rail, water, and road) 
  • Banking and Finance 
  • Aerospace 
  • Health 
  • Manufacturers of pharmaceutical products, like vaccines 
  • Public Administration 
  • Energy (Electric, District Heating and Cooling, Oil and Gas) 
  • Drinking water and Wastewater infrastructure 
  • Digital Infrastructure and Information Communication & Technology (ICT) Service Management, including Cloud Computing Service Providers, Data Centre Service Providers, Content Delivery Networks, Trust Service Providers, Public Electronic Communication Networks, Electronic Communication Services

List of Important Entities

Applicable sectors within Important Entities include:   

  • Chemical Manufacturing, Production, and Distribution 
  • Digital Providers (Online Market Places, Online Search Engines, and Social Networking Service Platforms)
  • The Food Industry  
  • Postal and Courier Services 
  • Research Organizations 
  • Manufacturers of Medical Devices, Computers, Electronics, Machinery Equipment and Motor Vehicles
  • Waste Management  
  • All essential entities but with the ‘Important Entities’ size threshold 

The penalties of non-compliance 

There are various thresholds and fines defined for both categories of organizations. 

Essential entities include organizations with 250 employees or more and a turnover of 50 million Euros or a balance sheet of 43 million Euros. 

  • For non-compliance, fines of up to 10 million Euros or 2% of global turnover (whichever is higher) 
  • These organizations will be proactively supervised 

Important entities include organizations with 50 employees or more and a yearly turnover/balance sheet of 10 million Euros.  

  • For non-compliance, fines of up to 7 million Euros or 1.4% of global turnover (whichever is higher) 
  • These organizations will be monitored after any security incident or reported breach  

NIS2 is more powerful

Companies falling under the ambit of the regulations will be subject to actions like on-site inspections, audits, and cybersecurity scanning. The level of monitoring will also increase. Other data and evidence relating to their security posture and policies may also be requested from those organizations to assess their security maturity and readiness. 

The authorities have put more focus on ‘enforcement’ with NIS2. Grey areas have been reduced, leaving less room for ambiguity. For example, NIS2 states that regardless of whether an attack has implications for an organization, it must be reported. A basic report must be sent within 24 hours of the incident, and a detailed report must be provided within a month of the incident. Knowledge-sharing and cooperation between the member states are also expected to improve with the new directive. 

NIS2 entered into force on January 16th, 2023. The member states have roughly 20 months to transpose the directive into their national laws. All organizations under the categories must meet NIS2 compliance by October 18th, 2024.

How to go about the NIS2 Directive

First, determine whether your business falls under the requirements of NIS2 and, if so, under which category. Then:

  • Conduct a cybersecurity assessment to identify potential gaps in your organization’s security posture and cybersecurity measures. Identify vulnerabilities and chalk out a roadmap to bridge these gaps. 
  • Formulate robust security policies that outline the cybersecurity requirements to be implemented and protocols to be followed – including reporting security incidents and breaches. 
  • Conduct audits to check the readiness of security systems and prepare for crisis management. 
  • Check whether vendors and third-party stakeholders are security-aware and compliant with supply chain security. 

Complying with NIS2 doesn’t mean you must undergo a major overhaul. If you already have good security measures in place, there is a high chance your company will only have to worry about a few things. 

Get ready for October 2024 

For organizations that want to understand how NIS2 applies to them and what steps they need to take to improve their network security and defend their information systems, we can demystify the framework for you in three steps:

  1. Assess your cybersecurity levels concerning your IT architecture, cloud security, Secure Access Service Edge (SASE) architecture, etc.
  2. Chalk out a roadmap to achieve higher levels of security maturity 
  3. Improve your cyber resilience and compliance

About the author
Dheeraj Rawal

Content Marketer, T-Systems International GmbH
