
NIS2 Directive – What Is It and Who Does It Apply To? Key Information

The NIS2 Directive (Directive (EU) 2022/2555), which updates and expands the original NIS Directive, is an EU legal act intended to ensure a high, common level of cybersecurity across the European Union. NIS2 obligates member states to adopt national laws aimed at protecting critical digital infrastructure.

NIS2 Directive – What Is It?

The NIS2 Directive is the successor to the NIS Directive and is designed to maintain a high common level of cybersecurity within the European Union.

NIS2 introduces stricter cybersecurity requirements related to risk management and the security of network and information systems. It replaces the NIS1 categories of "operators of essential services" and "digital service providers" with two new categories, essential entities and important entities, and obligates both to conduct thorough analyses of potential threats and apply appropriate, proportionate cybersecurity risk management measures. These requirements cover both technical and organizational aspects.

When Does the NIS2 Directive Come Into Effect?

The NIS2 Directive was adopted on 14 December 2022, published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023. Its purpose is to strengthen the protection of critical digital infrastructure and ensure a high level of cybersecurity in EU member states. The main objective is to increase the ability of essential and important entities, which operate in the sectors most exposed to cyberattacks, to respond to cybersecurity incidents and minimize consequences that could affect vital sectors of the economy and public life.

Under NIS2, entities are required to introduce measures ensuring a high level of cybersecurity, including risk management mechanisms and procedures for reporting cybersecurity incidents.

What Is the Deadline for Implementing the New NIS2 Requirements?

Implementation of NIS2 significantly transforms the approach to risk management. Member states had until 17 October 2024 to transpose the directive into national law, and the national measures apply from 18 October 2024; entities in scope are expected to meet the new requirements from that date.

The directive obligates member states to implement extensive changes in their national cybersecurity systems and designate authorities responsible for overseeing compliance. Introducing NIS2 into national law poses a challenge, as countries must adjust their internal cybersecurity frameworks to the new requirements. This may require legislative changes and reinforcement of technical and human resources.

Who Does the NIS2 Directive Apply To?

The NIS2 Directive is intended to protect critical digital infrastructure. The new regulations apply to essential and important entities operating in sectors vital to national and economic security. Whether an organization falls into scope depends mainly on its sector and its size under the EU definition of medium and large enterprises, although certain providers (for example DNS service providers, top-level domain name registries and trust service providers) are covered regardless of size.

Essential Entities

Large enterprises (at least 250 employees, or annual turnover above €50 million and a balance sheet total above €43 million) operating in the high-criticality sectors listed in Annex I of the directive:

  • energy
  • transport
  • banking
  • financial market infrastructure
  • healthcare
  • drinking water
  • wastewater
  • digital infrastructure
  • ICT service management (business-to-business)
  • public administration
  • space

Important Entities

Medium-sized enterprises (at least 50 employees, or annual turnover or balance sheet total above €10 million, but below the large-enterprise thresholds) operating in the sectors listed in Annex II of the directive, as well as medium-sized enterprises in the Annex I sectors above. The Annex II sectors are:

  • postal and courier services
  • waste management
  • production, processing and distribution of chemicals
  • food production, processing and distribution
  • manufacturing (broadly defined)
  • digital services
  • scientific research

What Does the NIS2 Directive Change?

NIS2 covers not only the technical aspects of cybersecurity but also requires organizations to increase awareness and train personnel on potential cyber threats.

Security Measures Required by NIS2 (Article 21) include:

  • Business continuity, including backup management and recovery after extraordinary events, crisis management
  • Security in the acquisition, development and maintenance of networks and IT systems, including vulnerability handling and disclosure
  • Cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resource security and asset management
  • Use of multi-factor or continuous authentication, secure voice, text and video communications, and secure internal communication systems during emergencies

Implementation of NIS2 places new incident management obligations on essential and important entities. NIS2-compliant incident management requires organizations to detect, report and respond to cybersecurity incidents promptly.


Incident Reporting

One of the most important obligations under NIS2 is the requirement to report significant cybersecurity incidents without undue delay to the national CSIRT or, where applicable, the competent authority designated by the member state.

Criteria for a Significant Incident That Must Be Reported:

  • It has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity
  • It has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Incident Reporting Process (Article 23):

  • Early warning – must be submitted without undue delay, and no later than 24 hours after becoming aware of the significant incident. It indicates whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification – must be submitted without undue delay, and no later than 72 hours after becoming aware of the incident. It updates the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise.
  • Intermediate report – provided on request of the CSIRT or competent authority, with relevant status updates.
  • Final report – must be submitted no later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
  • Exception – trust service providers must submit the incident notification within 24 hours of becoming aware of a significant incident.

Penalties for Non-Compliance with NIS2

Failure to comply with NIS2 may result in various sanctions. One of the key enforcement tools is financial penalties:

  • Up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities
  • Up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities

What Security Policies Will Be Required?

Organizations will need to implement the following policies:

  • Risk management policy – covering identification, analysis, assessment and mitigation of cybersecurity risks
  • Incident handling policy – covering detection, response, reporting, lessons learned and follow-up actions; includes incident reporting requirements
  • Supply chain security policy – specifying requirements for external partners
  • Cyber hygiene policy – defining general cybersecurity rules for employees
  • Access control policy – regulating physical and logical access

What Actions Must Your Company Take in Relation to NIS2?

Essential and important entities must take appropriate steps to meet NIS2 requirements. To raise the level of cybersecurity, it is necessary to audit existing protections against the Article 21 measures and develop a risk management plan aligned with the directive. Systems for continuous monitoring and supervision of the entire IT infrastructure also provide valuable support, in particular for the incident detection and reporting deadlines.

Monitoring IT Infrastructure as a Way to Meet NIS2 Requirements

OXARI Asset Management supports an efficient inventory of hardware and software, secure data storage and the ability to create and manage NIS2 policies. Rapid problem identification enables quick responses to security incidents. Implementing the system helps essential and important entities maintain a high level of cybersecurity within the organization.
