NIS2

Everything IT needs to know

NIS2 is receiving a lot of attention these days: the new directive has been discussed in a great many studies, articles and talks. If you are wondering how to get up to speed with it, and how to find out quickly what matters from an IT perspective, this page collects what you need to plan for and implement the new rules in your organisation.

What is NIS2?

The NIS2 Directive (Network and Information Security Directive 2, formally Directive (EU) 2022/2555) is the EU-wide legislation that sets a common baseline for cyber security. It covers public institutions and private companies whose services are essential to the functioning of society.

NIS2 replaces the original NIS Directive of 2016. It was adopted in response to changes in the digital landscape and to increasingly sophisticated cyber-attacks. Every EU member state must transpose the directive into national law; the transposing legislation has to be adopted and published by 17 October 2024.

NIS2 sets out security obligations for providers of essential and important services in key sectors, and applies to both public institutions and private companies. Examples of the sectors concerned are energy, banking and healthcare.

What key changes are included in NIS2?

  • NIS2 widens the scope: more sectors of the economy, and more organisations within them, are covered.

  • The directive imposes new obligations on covered entities, such as:

    • implementing risk analysis and risk management measures,

    • adopting an information system security policy,

    • securing the supply chain,

    • developing a Business Continuity Plan (including backup and crisis management).

  • NIS2 tightens incident reporting requirements (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month) and increases sanctions for non-compliance.

  • It places responsibility on leadership: management bodies must approve and oversee the cyber-security measures, and managers can be held personally liable for failure to meet NIS2 obligations.

  • NIS2 drops the earlier distinction between operators of essential services and digital service providers, and instead distinguishes between essential entities and important entities.

  • The directive applies to medium and large companies in the listed sectors and, through the supply chain obligations, may indirectly reach entities that are subcontractors or suppliers to those companies.

Who is covered by NIS2?

Estimates indicate that NIS2 will cover tens of thousands more organisations than its predecessor. The directive applies to medium and large companies (as a rule, at least 50 employees or more than EUR 10 million in annual turnover) operating in the sectors listed in its two annexes; a few categories, such as DNS service providers, TLD name registries and trust service providers, are covered regardless of size. Large entities in the Annex I sectors are classed as essential entities; medium-sized entities in those sectors, and entities in the Annex II sectors, are classed as important entities.

Annex I: sectors of high criticality (Essential Entities)

Energy

Transport

Banking

Financial Market Infrastructures

Health

Drinking Water

Waste Water

Digital Infrastructure

ICT Service Management (business-to-business)

Public Administration

Space


Annex II: other critical sectors (Important Entities)

Postal and courier services

Waste management

Manufacture, production and distribution of chemicals

Production, processing and distribution of food

Manufacturing (e.g. medical devices, electronics, machinery, vehicles)

Digital providers (online marketplaces, search engines, social networking platforms)

Research


Importantly, NIS2 requires covered entities to assess and manage the risks arising from their direct suppliers and service providers.

NIS2 therefore also imposes obligations related to monitoring and verifying supply chain security. In practice this covers:

  • the process for detecting and responding to security incidents, and the technologies that support it

  • periodic penetration tests and security audits

  • vulnerability management

  • security controls in the supplier's software development process

  • vendor risk analysis

As a result, a company that is not itself covered by NIS2, but provides services to an organisation that is, may still be required by its customer to meet the directive's requirements.

Time to prepare

Each EU member state shall adopt and publish the measures necessary to comply with the directive by 17 October 2024, and shall apply those measures from 18 October 2024.

All national regulations must be based on the general provisions of the NIS2 Directive and achieve its goals and requirements.

Member states nevertheless have some leeway in transposing the provisions: some national proposals change the amount of the penalties or even the set of entities covered, so the national law of the country in which you operate is the one to check.

What penalties are in place for non-compliance with NIS2?

NIS2 also provides for sanctions to be imposed on entities that do not comply with the directive.

The directive sets heavy financial penalties that can be imposed on organisations, and provides that members of management bodies can be held liable as well.



Essential Entities:

The maximum penalty can be EUR 10 million or 2% of the company's total annual worldwide turnover from the previous financial year, whichever is higher.


Important Entities:

The maximum penalty can be EUR 7 million or 1.4% of the company's total annual worldwide turnover from the previous financial year, whichever is higher.

How to prepare for NIS2?

Axence nVision®, our IT management software, addresses many of the key challenges of the new directive. Find out how we can support you in preparing for the entry into force of the new regulations and learn more about the areas in which we can help.

Watch the webinar

Fill out the form to receive a recording of the webinar, in which the presenters discuss in detail, and demonstrate in practice, how to prepare for the new directive.

Piotr Adamczyk

Technical Account Manager at Axence

Iva Tasheva

Co-founder and cybersecurity lead at CYEN

Copyright © 2024 Axence Sp. z o. o. Sp. j.
