Global
Belgium
Denmark
Finland
Germany
Malaysia
Netherlands
Norway
Poland
Sweden
UK
NIS2 in a Nutshell
The NIS2 Directive largely follows the same principles as NIS but with several important additions. NIS2 contains:
- More entities and sectors (industries) covered
- New methods of selection and registration
- New incident notification deadlines
- Greater accountability for management and personal responsibility
- Introduction of sanctions, like those included in GDPR
- Mandatory incident reports, also for so-called “near-misses”
Extension of Scope
NIS2 divides entities into two categories: Essential and Important.
The difference between them lies not in which requirements they must meet, as these remain the same for both entities, but rather in which supervisory measures and penalties will apply. Essential entities will be required to meet supervisory requirements as of the introduction of NIS2 (proactive), while important entities will be subject to ex-post supervision, meaning that action is only taken if and when authorities receive evidence of non-compliance (reactive).
NIS2 has simplified the scoping exercise that competent authorities have to go through to decide which organizations fall under the NIS2 umbrella. The National Cyber Security Centre (NCSC) defined a list of sectors and established a base rule that any large or medium entity from those sectors will be directly included in the scope. This does not necessarily exclude small or micro-organizations; member states can extend these requirements if an entity fulfills specific criteria as a key player in society, the economy, particular sectors or types of service.
Essential entities
These entities are subject to immediate supervision (proactive).
Important entities
These entities are subject to ex-post supervision (reactive).
Large entity
The NCSC defines large entities as those with a headcount of over 250 or more than €50 million in revenue.
Medium entity
The NCSC defines medium entities as those with a headcount of over 50 or more than €10 million in revenue.
Registration of Essential & Important Entities
EU member states must identify the sectors in scope by April 17, 2025. Entities will then have to determine if their services fall within the scope of NIS2, identify the list of member states where they provide “in-scope” services, and register before the deadline in each member state. The registration will, at minimum, require entities to provide the following:
- Name, address and registration number
- NIS2 sector or sub-sector
- Updated contact details
- EU member states in which they operate
- The list of their assigned IP addresses
The final registration process and list of information required will be defined as part of ratification of the Directive into law.
Improved Cooperation
Another important element of the new Directive is improving cooperation among EU member states regarding cyber incidents and threats. The European Union Agency for Cybersecurity (ENISA) will be mandated to establish a European vulnerability disclosure database to facilitate knowledge sharing among member states.
Incident Reporting
24 Hours
Within 24 hours of a significant incident, essential and important entities must issue an early warning and initial presumptions about the threat to their respective compliance authority or CSIRT.
72 Hours
After 72 hours, these entities must submit a full notification report containing an assessment of the incident, including its severity and impact and indicators of compromise.
1 Month
After 1 month, they must provide a final report.
Secure the Supply Chain
Recent incidents worldwide have proven the importance of continuity within critical supply chains, which is why NIS2 has introduced it as one of the key focus points. Entities will be responsible for addressing cyber security risks in their own supply chains as well as within supplier relationships.
This requirement might indirectly influence many suppliers who do not fall directly under the scope of the new NIS2 Directive but might deliver services or products to an in-scope NIS2 entity. Hence, their customer might impose a minimal cyber security maturity on the supplier. The national authorities will not supervise the supplier regarding NIS2, but by their customer. So, even if your organization is not in scope, it might still have an impact depending on the services and sector.
Management Accountability
Management accountability is yet another cornerstone of NIS2, as the new Directive will obligate management to take ownership of their organizations’ cyber security maturity level. This will include conducting risk assessments and approving risk treatment plans, meaning management must partake in cyber security training. The Directive also mandates organizations train their employees on cyber security risk and response.
Failure by management to comply with NIS2 requirements could result in serious consequences, including liability, temporary bans, and administrative fines as provided for in the implementing national legislation.
Management bodies of essential and important entities must:
- Approve the adequacy of the cyber security risk management measures taken by the entity
- Supervise the implementation of risk management measures
- Follow training to gain sufficient knowledge and skills to identify risks and assess cyber security risk management practices and their impact on the services provided by the entity
- Offer similar training to their employees on a regular basis
- Be accountable for non-compliance
Jurisdictional Complexity
Under the NIS2 Directive, essential and important entities fall under the jurisdiction of the EU member state where they provide their services.
If the entity provides services in more than one member state, each of these member states have jurisdiction. For entities where the service is provided or is dependent on operations outside the EU, they should ensure that they can continue operating within the EU should their non-EU operations stop.
Getting You Ready for NIS2 Compliance
What Is NIS2 & How Will It Affect Your Organization?
Under the NIS2 Directive, more entities and sectors will be required to take steps that will aid in improving cyber security in Europe. In addition to addressing supply chain security, NIS2 streamlines reporting obligations introduces stricter supervisory measures, and introduces more enforcement requirements.
How the NIS2 Cyber Security Directive Will Impact You
As part of this webinar, we will be joined by Anders Jonson, a Cyber Security Expert and Senior Advisor at ENISA, who has been involved in the development of NIS2 for the EU.
Lessons on NIS2 Compliance: A Guide to Securing Critical Infrastructure
Discover how to navigate the scope of the NIS 2 directive and comply with the requirements to prevent and respond to cyberattacks.
