The NIS 2 Directive: What You Need to Know
On Oct. 17, the Network and Information Security 2 Directive takes effect. This means that relevant entities in industries such as energy, transport, water, healthcare, and digital infrastructure that carry out activities within the E.U. must comply with the relevant legislation.
NIS 2, which was approved by the European Parliament in November 2022, aims to establish a consistent, minimum cybersecurity baseline across all E.U. member states, involving mandatory security measures and reporting procedures.
Organisations subject to the NIS 2 Directive must adopt “measures to manage the risks posed to the security of network and information systems” they use to provide their services, and must “prevent or minimise the impact of incidents on recipients of their services and on other services.”
According to a survey by data protection software provider Veeam, 66% of businesses operating within the E.U. will miss the compliance deadline. Indeed, 90% have faced security incidents in the last year that compliance with the directive would have prevented.
In light of this, TechRepublic has created the following guide breaking down what liable entities need to know about complying with NIS 2.
What is the NIS 2 Directive?
The NIS 2 Directive is a legislative act that applies to medium to large-sized entities that provide services or infrastructure deemed “critical for the economy and society” within the E.U. It is designed to achieve a high common level of cyber security across the bloc.
NIS 2 builds on NIS 1, which was adopted in the E.U. in 2016. NIS 1 applies to “operators of essential services,” which have been identified by each member state, as well as all major “digital service providers,” such as online marketplaces, search engines, and cloud service providers. Member states also set their own non-compliance penalties.
NIS 1 asks that eligible organisations:
- Secure their network and information systems with measures appropriate to their risk levels.
- Ensure service continuity by taking measures to prevent and minimise the impact of security incidents.
- Notify the regulator of any “significant” or “substantial” incident within 72 hours of becoming aware of it.
Operators of essential services have their compliance with NIS 1 monitored through audits conducted by authorities, while digital service providers are not audited but could be investigated following an incident that suggests non-compliance.
How is NIS 2 different from NIS 1?
Building on the original directive, NIS 2 expands its scope across critical sectors, including energy, healthcare, transport, and digital infrastructure, and introduces stricter cybersecurity requirements. It also covers organisations with at least 50 employees, meaning that many organisations that were exempt from NIS 1 must now comply with NIS 2.
Furthermore, the provisions of NIS 2 differ from NIS 1 in several ways:
- Supply chain risks must be covered in risk assessments, as attacks that exploit them are rising.
- Root-cause analysis is now required after incidents, rather than reactive measures alone.
- Business continuity and disaster recovery plans that minimise disruptions are a primary focus.
- Security audits, including pen-testing and vulnerability assessments, must be conducted regularly to ensure systems meet the updated security standards.
- Regulators have stronger enforcement powers, such as random audits and on-site inspections.
So-called “management bodies” in “essential” and “important” entities must approve and oversee the cybersecurity risk-management measures their companies have implemented, and they can now be held personally liable for infringements. According to Article 20, they must also receive regular cybersecurity training.