A ground-breaking new EU regulation. NIS2 will forever change the European cybersecurity landscape for approximately 160.000(!) enterprises from several (very) critical sectors. But what shifts does NIS2 cause exactly? What effect does it have on the functioning of your enterprise and customers and, the key question, are you and your company ready for NIS2?

The Network and Information Systems (NIS) Directive, adopted in 2016, was the first EU-wide legislation on cybersecurity. It aimed to enhance the security of critical infrastructure and essential services across the EU, by setting common standards and requirements for operators and providers. However, since then, the digital landscape has evolved significantly, with new threats, technologies, and opportunities emerging. The COVID-19 pandemic has also highlighted the importance of resilient and secure digital systems, as more people and businesses rely on them for their daily activities.

That’s why the European Commission proposed a revised NIS Directive (NIS2) in December 2020, as part of its wider cybersecurity strategy. The NIS2 Directive, short for Network and Information Security Directive Version 2, is set to replace its predecessor by October 18^th, 2024. This EU directive aims to enhance and harmonize cybersecurity practices across Member States, covering a significantly broader scope than the original NIS Directive.

What is the NIS2 Directive?

The NIS2 Directive is a legislative act of the European Union, setting out goals that all EU countries must achieve to improve cybersecurity. Unlike regulations such as GDPR, directives do not apply directly to Member States. Each country must ratify the directive into its own domestic laws. This approach allows for flexibility in implementation but requires coordinated efforts for consistency.

Expanded scope and sectors

The scope of NIS2 is far-reaching, encompassing over 160,000 organizations. It aims to standardize cybersecurity enforcement across the EU, enhancing resilience on a global scale. The directive now has 18 sectors in scope, of which 11 are seen as very critical:

• Energy
• Transport
• Banking
• Infrastructure for the financial market
• Health Care
• Space travel
• Government
• Drinking water
• Wastewater
• Digital infrastructure
• Management of ICT services (B2B)

7 others are seen as critical

• Postal and Courier services
• Waste management
• Manufacturing, production, and distribution of chemicals
• Production, processing, and distribution of food
• Manufacturing
• Research facilities
• Digital providers like marketplaces and social media platforms

If your organization operates within these sectors and has over 50 employees or revenue above €10 million, you are likely in scope. Small and micro organizations are generally not in scope unless they are part of a larger network or hold critical roles.

Key measures and reporting obligations

NIS2 outlines two main areas of focus:

1. Risk Management: Organizations must adopt basic cybersecurity hygiene practices, including regular assessments, security policy enforcement, incident handling procedures, supply chain security, business continuity planning, and vulnerability handling.
2. Incident Reporting: Incidents with significant impact must be reported within 24 hours of detection, with an initial assessment provided. A detailed report is required within 72 hours, followed by monthly progress reports until the incident is resolved.

Sanctions for non-compliance

Sanctions under NIS2 are designed to ensure high cybersecurity standards across the EU. They include:

• Binding instructions and warnings
• Administrative fines up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities

These sanctions emphasize the importance of compliance and the potential consequences of neglecting cybersecurity obligations.

Preparing for NIS2

To prepare for NIS2 compliance, organizations can choose between adhering to the ISO 27001 standard or the Cyber Fundamentals framework provided by the Centre for Cybersecurity Belgium (CCB). This framework offers tools and resources to assess and enhance cybersecurity measures, ensuring readiness for NIS2 requirements.

The Cyber Fundamentals framework combines globally recognized standards such as the ISO 27001, NIST Cybersecurity Framework, CIS Controls, and IEC 62443 for industrial control systems.

Timeline and Implementation

The timeline for NIS2 implementation is as follows:

1. The directive was published on December 14, 2022.
2. Member States are currently drafting national legislation.
3. The law and royal decree will be published by October 17, 2024, and will take effect the next day.
4. Organizations must be compliant within 18 months of the national law’s enactment.

SecWise as a guide for your NIS2 journey

The NIS2 Directive represents a significant step towards unified cybersecurity across the EU. By expanding the scope and setting stringent compliance requirements, it aims to fortify the cybersecurity landscape. In need of further guidance and support throughout your NIS2 journey? Contact one of our experts!