NIS 2 Cybersecurity Directive
New Enhanced Cybersecurity Rules in the European Union
The new directive on cybersecurity, NIS 2, which came into effect in January 2023, introduces mandatory information security measures and reporting requirements for cybersecurity incidents. Failure to comply with these requirements may result in substantial fines for many companies in specific sectors.
What are NIS and NIS 2 directives?
NIS refers to the security of Network and Information Systems. Currently, the NIS directive from 2016 is in effect. The existing rules primarily apply to critical infrastructure companies and providers of digital services (online marketplaces, online search engines, and cloud computing services).
The sectoral scope of the previous NIS Directive has been expanded through NIS2 to encompass a much larger portion of the economy, ensuring comprehensive coverage of sectors and services critical to the fundamental social and economic activities within the internal market.
The cybersecurity directive aims to enhance cyber resilience and improve response to security incidents in both the public and private sectors in the EU.
When does NIS 2 come into force?
The NIS Directive is the first legislative act on cybersecurity at the EU level. By May 9, 2018, all EU member countries were required to incorporate this act into their national legislation. NIS2 came into effect on January 16, 2023, and fully replaces the existing Directive on the security of network and information systems (NIS) on October 17, 2024.
Who does NIS 2 apply to?
NIS2 applies to organizations in the following sectors:
| Critical industries | Important industries |
| --- | --- |
| Energy | Postal and courier services |
| Transportation | Waste management |
| Banking | Chemical industry |
| Financial market infrastructure | Food industry |
| Healthcare | Industrial production |
| Water supply | Digital service providers |
| Sewerage systems | Research (optional) |
| Digital infrastructure | |
| Management of B2B information technology services | |
| Public administration | |
| Space research | |
Thus, the directive establishes requirements for organizations providing essential services in the fields of energy, logistics, finance, healthcare, utilities, digital infrastructure, industry, government administration, and research.
Does the NIS 2 directive apply to small businesses?
Companies with fewer than 50 employees and an annual turnover or annual balance not exceeding 10 million euros are considered small and therefore are not subject to the NIS 2 directive.
However, there are exceptions, and the following companies fall under the directive’s scope regardless of their size:
- Trust service providers;
- Operators of public telecommunications networks or providers of public electronic communications services;
- TLD registry operators and DNS service providers, excluding operators of root name servers;
- Companies that are the sole providers of services in an EU member state necessary for maintaining critical social or economic activities.
In this way, NIS 2 applies not only to large organizations but also to certain small businesses. These small businesses must comply with the directive’s requirements to ensure a high overall level of cybersecurity throughout the EU and avoid penalties for non-compliance.
Requirements of NIS 2
Measures and scope
The NIS 2 directive, which came into effect on January 16, 2023, aims to improve the existing state of cybersecurity in the EU by establishing the necessary cyber crisis management structure, enhancing the level of harmonization of security requirements and reporting obligations, and setting a baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the directive.
Cybersecurity strategy and management
The NIS 2 directive requires organizations to have a cybersecurity strategy and management structure in place to counter emerging cyber threats. This includes measures such as risk management, incident management, and collaboration.
Information security management
The NIS 2 directive mandates that organizations have an information security management system in place to ensure the confidentiality, integrity, and availability of information. This includes measures such as access control, encryption, and incident response.
Reporting obligations
The NIS 2 directive requires organizations to report cybersecurity incidents to the competent national authority within 24 hours of becoming aware of the incident. Within 72 hours, a full incident report must be submitted, including an assessment of the incident, its severity, consequences, and indicators.
Training and awareness
The NIS 2 directive requires organizations to provide training to their management and employees to deepen their knowledge of cybersecurity. This includes measures such as awareness campaigns, training programs, and simulations.
Penalties for Non-Compliance with NIS 2 Requirements
The NIS 2 directive includes penalty provisions for non-compliance with its requirements. The imposed measure of responsibility depends on the severity of the violation and the size of the organization.
Fines
For large organizations, member states must establish a maximum fine of no less than 7,000,000 euros or no less than 1.4% of the organization’s total worldwide annual turnover.
Sanctions
Member states can impose sanctions on organizations that fail to comply with the NIS 2 directive. These sanctions may include the suspension or revocation of licenses, permits, and authorizations.
Reputational damage
Non-compliance with the NIS 2 directive can result in reputational damage to the organization. This can lead to the loss of customers, partners, and investors.
It is important to note that the sanctions for non-compliance can vary depending on the country and the specific circumstances of the violation. Furthermore, it is crucial for organizations to ensure compliance with the NIS 2 directive to avoid reputational damage, which can be even more significant than the fines imposed.
Implementation of the NIS 2 Directive
We strive to give top priority to system safety, the protection of confidential data, and the preservation of our clients’ trust. Implementing compliance with NIS 2 Directive will enhance your cybersecurity level, and demonstrate commitment to maintaining a high overall cybersecurity standard. As a result, you will receive:
Don’t wait until the last moment or face legal action; take proactive measures to ensure compliance now. The unfortunate experiences of GDPR implementation show that companies that were negligent paid a high price. Conversely, companies that approached us in advance were able to ensure compliance with EU directives quickly and seamlessly.
Our experts are well-versed not only in technical and organizational cybersecurity matters but also in the nuances of EU legislation. Do you want to meet all the requirements of NIS 2 and reduce the risks of hefty fines starting today? Then request a free consultation here!