NIS2 Directive and the Future of Cybersecurity in Europe
Understanding Europe's new approach to cyber resilience and its potential impact on your organization.
Your organization might be directly affected. Act now to learn how you can improve your NIS2 compliance.
What Is the NIS2 Directive?
The NIS2 Directive is an EU-wide cybersecurity law that came into effect in 2023. This law tightens cybersecurity requirements and widens the list of industries that must adhere to these regulations.
Compliance Measures
NIS2 sets out a list of basic compliance measures in 10 areas that all in-scope organizations must implement to improve their cybersecurity resilience:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management and disaster recovery, as well as crisis management
- Supply chain security
- Security of the acquisition, development, and maintenance of networks and information systems
- Assessment of the effectiveness of cybersecurity risk management measures
- Cyber hygiene and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- Using multi-factor authentication solutions
High-Level Objectives of the NIS2 Directive
- Improve collaboration between EU Member States in areas of data protection and cybersecurity
- Ensure a wider reach for protective measures, enveloping more organizations and industries
- Deliver a unified system that will allow entities to report cybersecurity incidents and manage crisis situations
- Strengthen supply chain security and resilience and improve the ability to confront new cyber threats
Key Changes Between NIS and NIS2
NIS2 expands the original NIS Directive to cover more industry sectors, with additional risk-management measures and incident reporting obligations. It also provides for stronger enforcement. NIS2 adds to NIS in 4 key areas:
- Expanded NIS2 scope: NIS2 extends its reach to more sectors, moving from seven to eighteen. NIS2 has also categorized sectors as essential or important, with different supervision requirements.
- Stricter security requirements: The Directive enforces stricter cybersecurity measures. These requirements cover risk management practices, technical and organizational measures, incident response and recovery plans, employee training, and frequent updates and patching.
- Mandatory incident reporting with specific timeframes: NIS2 requires organizations to report significant cybersecurity incidents, meaning those that are likely to adversely affect the provision of the organization's services. Organizations must provide an "early warning" report, using a standardized format and a shortened reporting timeframe of 24 hours, followed by an Incident Notification within 72 hours of first becoming aware of the incident, and a Final Report within 30 days.
- Penalties for non-compliance: The NIS2 Directive imposes more severe penalties for non-compliance, including increased financial penalties.
The previous version of NIS identified healthcare, transport, digital infrastructure, water supply, banking, financial market infrastructure, and energy as "essential" sectors.
NIS2 expands this category with:
- Digital service providers
- Waste management
- Pharmaceuticals and laboratories
- Space
- Public administration
NIS2 adds an ‘Important’ sector category:
- Public communications providers
- Chemicals
- Food producers and distributors
- Critical device manufacturers
- Social network and online marketplaces
- Courier services
Essential entities are subject to proactive supervision, while important entities are only subject to ex-post supervision (authorities act only when they receive evidence of non-compliance).
Article 21 of NIS2 requires measures that protect network and information systems and the physical environment of those systems from incidents; these measures shall include at least the following:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management, disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in the network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies, and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
The most significant change is how the NIS2 Directive details the mandatory multi-stage incident reporting process and the content that must be included.
Early Warning
Within 24 hours. An initial report must be submitted to the competent authority or the nationally relevant CSIRT within 24 hours of becoming aware of a cybersecurity incident. This early warning should indicate whether the incident is suspected to be malicious and whether it may have a cross-border impact.
Follow-Up
Within 72 hours. A more detailed incident notification must be communicated within 72 hours. It should contain an assessment of the incident, including its severity, impact, and indicators of compromise. The impacted entity should also report the incident to law enforcement authorities if it is of a criminal nature.
Temporary Update
At the request of the CSIRT, submit an interim report updating the information provided so far.
Final Report
A final report must be submitted within one month after the initial notification or first report. The report must include:
- A detailed description of the incident
- The severity and consequences
- The type of threat or cause likely to have led to the incident
- All applied and ongoing mitigation measures
Under the NIS2 Directive, entities must also report any major cyber threat they identify that could result in a significant incident, i.e. one that could lead to:
- Material operational disruption or financial losses for the entity concerned.
- Significant material or immaterial damage affecting natural or legal persons.
Failure to comply with the NIS2 Directive comes with stricter penalties than NIS. Under the NIS2 Directive, penalties for non-compliance differ for essential entities and important entities.
- For essential entities, administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
- For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.
Strengthen NIS2 Compliance with Arcserve Unified Data Resilience
Efficient and targeted data protection that works in tandem with your business continuity objectives
Data Protection Products With Integrated Cybersecurity for the Always-On Business
From data protection software with integrated cybersecurity and immutable storage options to continuous data protection (CDP), our next-gen business continuity solutions and data security management systems address every use case and are integral to the IT security stack. Ensure data is secure, accessible, and optimized—all the time.
Arcserve UDP
Heterogeneous, complete backup, disaster recovery, and integrated cybersecurity for cloud, virtual, and physical workloads—with built-in deduplication
Arcserve SaaS Backup
Comprehensive data protection and recovery for Microsoft 365, Microsoft Entra ID, Microsoft Dynamics, Salesforce, and Google Workspace data
Arcserve Cloud Hybrid
Fully integrated cloud backup, cybersecurity, and disaster recovery extension to Arcserve data protection software and appliances
Cyber Hygiene, Data Backup, and Business Continuity
Recent IT disasters, whether caused by cyberattacks, human error, or natural events, serve as a reminder of how vulnerable our digital infrastructure is.
Backing up data has an important role to play in the cyber hygiene strategy that NIS2 mandates. NIS2 demonstrates that, throughout Europe, business continuity is a crucial part of cyber hygiene.
Think of it like a lifeline against the loss of critical data, keeping your business activities resilient and sustainable. This makes business continuity plans (BCPs), including data backup and recovery strategies, a priority for businesses of all sizes.
Article 21: Cybersecurity Risk-Management Measures, Paragraph 2:
The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
Section (c): Business continuity, such as backup management and disaster recovery, and crisis management;
Source: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022