What Is the NIS2 Directive?
Compliance Measures
High-Level Objectives of the NIS2 Directive
- Improve collaboration between EU Member States in areas of data protection and cybersecurity
- Strengthen supply chain security and resilience and improve the ability to confront new cyber threats
Understand NIS2 Compliance Requirements
Key Changes Between NIS and NIS2
Expanded NIS2 Scope
Increased Stringent Security Requirements
Mandatory Incident Reporting with Specific Timeframes
NIS2 requires organizations to report significant cybersecurity incidents, meaning those that are likely to adversely affect the provision of the organization’s services. Organizations must provide an “early warning” report, using a standardized format and a shortened reporting timeframe of 24 hours, followed by an Incident Notification within 72 hours of first becoming aware of the incident, and a Final Report within 30 days.
Penalties for Non-Compliance
Expanded NIS2 Scope
The previous version of NIS identified healthcare, transport, digital infrastructure, water supply, banking, financial market infrastructure, and energy as "essential" sectors.
NIS2 expands this category with:
NIS2 adds an ‘Important’ sector category:
Essential entities must comply with ongoing supervision requirements, while important entities are only subject to ex-post supervision (action is taken only if authorities receive evidence of non-compliance).
Increased Stringent Security Requirements
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management, disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in the network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies, and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
Mandatory Incident Reporting With Specific Timeframes
The most significant change is how the NIS2 Directive details the mandatory multi-stage incident reporting process and the content that must be included.
Early Warning
Within 24 hours. An initial report must be submitted to the competent authority or the nationally relevant CSIRT within 24 hours of becoming aware of a cybersecurity incident. This early warning should indicate whether the incident may have cross-border impact or is suspected to be malicious.
Follow-Up
Within 72 hours. A more detailed notification report must be communicated within 72 hours. It should contain an assessment of the incident, including its severity, impact, and indicators of compromise. The impacted entity should also report the incident to law enforcement authorities if it is suspected to be criminal in nature.
Temporary Update
Submit an intermediate report updating the information provided so far, at the request of the CSIRT or the competent authority.
Final Report
A final report must be submitted within one month after the initial notification or first report. The report must include:
- A detailed description of the incident
- The severity and consequences
- The type of threat or cause likely to have led to the incident
- All applied and ongoing mitigation measures
Under the NIS2 Directive, entities must report any major cyber threat they identify that could result in a significant incident, leading to:
- Material operational disruption or financial losses for the entity concerned.
- Significant material or immaterial damage affecting natural or legal persons.
Penalties for Non-Compliance
Failure to comply with the NIS2 Directive comes with stricter penalties than NIS. Under the NIS2 Directive, penalties for non-compliance differ for essential entities and important entities.
- For essential entities, administrative fines can reach €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
- For important entities, administrative fines can reach €7,000,000 or 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.
Cyber Hygiene, Data Backup, and Business Continuity
Recent IT disasters, whether caused by cyberattacks, human error, or natural events, serve as a reminder of how vulnerable our digital infrastructure is.
Backing up data has an important role to play in the cyber hygiene strategy that NIS2 mandates, and NIS2 makes clear that, throughout Europe, business continuity is a crucial part of cyber hygiene.
Think of backups as a lifeline against the loss of critical data, keeping business activities resilient and sustainable. This makes business continuity plans (BCPs), including data backup and recovery strategies, a priority for businesses of all sizes.
Article 21:
Cybersecurity Risk-Management Measures
Paragraph 2:
The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
Point (c): business continuity, such as backup management and disaster recovery, and crisis management;
Source: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022