What is NIS2 directive and are you obliged by it?

Categorized as Digital, Digital Workplace, Strategy

The NIS2 Directive is an updated version of the original Network and Information Security (NIS) Directive. It’s the first piece of EU-wide legislation on cybersecurity, aiming to achieve a high common level of cybersecurity across the Member States.

The NIS2 Directive was proposed to address the growing threats posed by digitalisation and the surge in cyber-attacks. It strengthens security requirements, addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.

The scope of NIS2 has been expanded to oblige more entities and sectors to take measures, which would assist in increasing the level of cybersecurity in Europe in the longer term. The directive entered into force on 16 January 2023, and Member States now have until 17 October 2024 to transpose its measures into national law.

Which businesses are regulated by NIS2?

In the context of the NIS2 Directive, businesses are classified into two categories, Essential Entities (EE) and Important Entities (IE), covering the following sectors among others:

Essential Entities

  1. Digital Infrastructure (digital service providers such as search engines, ISPs and social networking platforms),
  2. Energy Sector (entities involved in the production, transmission, distribution, and supply of electricity, oil, gas, hydrogen and district heating),
  3. Healthcare Sector (hospitals and private clinics),
  4. Financial Sector (banking and financial market infrastructure),
  5. Transport Sector (traffic management control and other transport services),
  6. Drinking Water Supply and Distribution,
  7. ICT (Information and Communications Technology) Service Management (managed service providers), and
  8. Public Administration.

Important Entities

  1. Postal and Courier Services,
  2. Space Sector,
  3. Food Production, Processing, and Distribution,
  4. Manufacturing Sector (includes the manufacturing of certain critical products such as pharmaceuticals, medical devices, and chemicals),
  5. Research Sector,
  6. Waste Management Sector, and
  7. Wastewater Sector.

It’s important to note that the final classification is determined by national supervisory authorities based on the NIS2 Directive’s specific criteria.

Is there a business size requirement for NIS2?

Yes, there certainly is, but there are exceptions to the rule mandated by national security regulations. NIS2 also removes the possibility for Member States to tailor the requirements in certain cases.

All medium-sized and large businesses have to comply with NIS2

According to the EU Commission’s recommendation on business sizes, any business with more than 50 employees and a turnover of more than 10 million EUR is considered “larger than a small business”. These businesses are required to comply with the security rules mandated by NIS2.

Some small-sized businesses, too

Any company that is determined to be in the interest of national security needs to comply with NIS2 regulations, irrespective of its size. This is a discretionary decision made by national security authorities, and no appeal is possible.

What are the penalties for non-compliance?

The NIS2 Directive sets out specific penalties for non-compliance.

Non-Monetary Remedies

NIS2 gives national supervisory authorities the authority to enforce non-monetary remedies, including compliance orders, binding instructions, security audit implementation orders, and threat notification orders to entities’ customers.

Administrative Fines

The NIS2 Directive carefully distinguishes between essential and important entities. For essential entities, it requires Member States to provide for a maximum fine of at least €10,000,000 or 2% of global annual revenue, whichever is higher. For important entities, NIS2 requires Member States to provide for a maximum fine of at least €7,000,000 or 1.4% of global annual revenue, whichever is higher.

Criminal Sanctions

NIS2 includes new measures to hold top management personally liable and responsible for gross negligence in the event of a security incident. Specifically, NIS2 allows Member State authorities to hold organization managers personally liable if gross negligence is proven after a cyber incident. This includes ordering organizations to make compliance violations public, making public statements identifying the natural and legal person(s) responsible for the violation and its nature, and, if the organization is an essential entity, temporarily banning an individual from holding management positions in case of repeated violations.

How to comply with NIS2 requirements?

To comply with the NIS2 Directive, businesses need to first determine if they fall under its scope. They should then evaluate their current security measures and plan for NIS2 compliance, which includes implementing measures to minimize cyber risks, such as incident management, stronger supply chain security, enhanced network security, better access control, and encryption. Businesses also need to have processes in place for prompt reporting of security incidents and plan for business continuity in case of major cyber incidents.

In addition, NIS2 requires corporate management to oversee, approve, and be trained on the entity’s cybersecurity measures and to address cyber risks. Other steps include implementing security policies for information systems, boosting security around system procurement, handling and reporting vulnerabilities, implementing access policies for sensitive data, providing training and awareness for management and staff, securing funding for cybersecurity, and performing a risk assessment of network and information systems. It’s important to start early to avoid delays, and to consult national authorities or legal advisors to understand your obligations under NIS2.

How can Rein Global assist you?