NIS2 Directive: what is it and how does it affect your company?

The NIS2 Directive comes at a time when European institutions are stepping up their legislative efforts around digital.

In this case, NIS 2 addresses the growing risks linked to cyber threats and lays the groundwork for a European cybersecurity legislation.

This is not the first time that the EU has addressed this issue. Thus, the NIS2 Directive appears as a revision and extension of the 2016 NIS1 Directive (EU 2016/1148), which has ended up becoming obsolete at a time when the impact of cybersecurity incidents has reached record numbers. The NIS Directive1, was the first European Union regulation on cybersecurity and which focused on ensuring a common security framework to guarantee a minimum level of security of networks and information systems across the European Union. A scenario that this legislation seeks to address comprehensively. Its aim: to promote the highest levels of cybersecurity against emerging threats at the European level.

In force since January 2023, it is in October 2024 that the transpositions of the NIS2 Directive arrive in each national legislation, thus making it applicable. In this context, we analyze what exactly the NIS2 directive is, which organizations it affects and what kind of requirements it establishes.

What is the NIS2 Directive?

The NIS2 Directive is a Europe-wide law that sets out a number of cybersecurity obligations with a view to fostering an adequate common level of cybersecurity.

Its full name is Directive (EU) 2022/2555 of the European Parliament and of the Council on measures to ensure a high common level of cybersecurity throughout the Union.

This legislation promotes three key areas of intervention:

• Requiring high levels of security from Member States with measures such as the creation of Computer Security Incident Response Teams (CSIRTs) and the National Competent Authority for Networks and Information Systems (NIS).
• Creation of a Cooperation Group to foster collaboration between member states.
• Boosting cybersecurity levels by establishing cybersecurity obligations for public and private companies in sectors considered “essential” and “important” (as detailed below in this article).

Compared to the previous NIS1 Directive of 2016, some of the key measures introduced by the NIS2 Directive include a broader scope of application; modifications to the categories created by NIS1; expanded security requirements; greater precision in the description of incident reporting; and a more intense focus on the supply chain and suppliers of critical organizations, introducing more demanding conditions regarding risk management in this area.

In short, this is a legislative initiative that seeks to protect digital infrastructure in the Member States and harmonize cybersecurity requirements at the European level. To this end, and accompanying other recent initiatives such as the cyber resilience law or the DORA Regulation, it establishes a series of requirements aimed at increasing cybersecurity efforts in today's highly volatile and threatening environment.

How does the NIS 2 Directive affect companies?

Which companies must comply with the NIS2 Directive

In the text, the enterprises targeted by the law are described as “all public and private entities in the internal market that perform important functions for the economy and society as a whole”.
More schematically, the profile of the companies affected by the NIS 2 Directive is as follows:

• Medium and large companies , public or private.
• Considered of high criticality and as belonging to critical sectors (this classification is detailed in Annexes I and II).
• They carry out their activities in the EU or provide their services in the EU.

More specifically, the law chooses to divide these companies into two groups:

• Essential Entities, subject to stricter requirements, examples being those engaged in transport, energy, banking, health or water.
• Important Entities, examples being postal and courier services, waste management, food production, processing and distribution, digital providers.

It is worth noting that obligations vary according to the size and type of company, noting that there is an important distinction between “essential entities” and “significant entities” in terms of monitoring and compliance requirements.

Cybersecurity measures required by NIS2

Regarding the measures to be taken, the companies identified in the referred Annexes I and II are required to adopt "measures for cybersecurity risk management" in addition to being subject to "notification obligations" in the face of cybersecurity incidents.

Areas of action

The measures that companies must take for compliance are described in Chapter IV of the legislative text. In the text, it is made explicit that entities must implement “appropriate and proportionate technical and organizational measures”, and includes the following areas of action, which we paraphrase:

• Information systems security policies and risk analysis.
• Incident management, such as identification of threats and vulnerabilities; security incident response using predefined protocols; recovery of affected services and data to minimize impact; and post-mortem analysis to learn from incidents and improve future defenses.
• Business continuity, such as backup management and disaster recovery, and crisis management.
• Supply chain security.
• Procurement, development and maintenance of network and information systems security.
• Policies and procedures for assessing the effectiveness of cybersecurity risk management measures.
• Basic cyber-hygiene practices and cybersecurity training.
• Policies and procedures relating to the use of cryptography and encryption.
• Security of human resources, access control policies and asset management.
• Multifactor authentication or continuous authentication solutions.

This is a list of minimums with respect to the different areas of action that companies must address. In turn, the text recognizes the need for each entity to establish measures in proportion to the specific risks to which it is exposed, the size of the organization and the impact and severity of potential incidents.

Notification obligations

The NIS2 Directive takes pains to delineate in detail the cybersecurity incident notification obligations in Article 23. The obligation is triggered by any “significant incident”, i.e. an incident that, as stated in the text:

• Has caused or is likely to cause serious operational disruption of services or economic loss to the affected entity.
• Has affected or is likely to affect other natural or legal persons by causing significant material or immaterial damage.

In these cases, entities are obliged to notify the incident to the CSIRT or the competent authority (to be defined in the transposition of the law in October 2024 depending on the Member State), with the following characteristics, which we paraphrase from the text:

1. An early warning without undue delay and in any case within twenty-four hours of the significant incident becoming known.
2. Notification of the incident with an update of the early warning information without undue delay and, in any case, within seventy-two hours of the significant incident becoming known; an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, shall be set out.
3. An interim report with relevant updates at the request of a CSIRT or the competent authority.
4. A final report, at the latest one month after submitting the incident notification.
5. In the event that the incident is still ongoing at the time of submission of the final report, Member States shall ensure that the entities concerned submit a status report at that time and a final report within one month after they have managed the incident.

The role of the management bodies

The text puts the management bodies in charge of ensuring compliance. More specifically, it states that the management bodies of the entities must take an active role in compliance, and are charged with key actions such as approving the adequacy of the measures, supervising their implementation and acquiring sufficient training to be able to assess whether their risk management practices are adequate.

Sanctions for non-compliance

The NIS2 Directive sets out a number of actions aimed at ensuring compliance with security requirements.
Supervisory and enforcement measures relating to critical entities are set out in Article 32, while those relating to significant entities are set out in Article 33.

The measures are stricter in the first case, where entities may be subject to both ex ante and ex postsupervision , on a periodic and ad hoc basis. In the case of significant entities, supervision will be aposteriori and specific. Temporary suspension of activities could be applied in cases of severe risks to national or EU security.

Following these different degrees according to both types of entities (explicit in the legislative text), among the supervisory actions the following stand out:

• On-site inspections
• Security audits
• Safety analysis
• Requests for information necessary to evaluate the risk management measures adopted.
• Requests for access to data and information for supervision.
• Requests for evidence of the implementation of cybersecurity policies, such as audit results.

The text also details a list of the penalties provided for, ranging from a warning or the adoption of specific instructions, to ordering the publication of the non-compliance, the imposition of administrative fines, suspension and temporary bans.

Among the financial penalties, the following are foreseen:

• For essential entities, a maximum of 10,000,000 euros or up to 2% of total annual worldwide turnover (the higher amount).
• For important entities, a maximum of 7,000,000 euros or 1.4% of the total annual worldwide turnover (the highest amount).

It is relevant to mention how these sanctions seek not only to penalize entities, but also to foster a culture of compliance.

When does the NIS2 Directive come into force?

The NIS2 Directive was formally approved in November 2022; its publication in the Official Journal of the EU (OJEU) took place in December 2022; and it entered into force on January 16, 2023.

However, for compliance purposes, it is necessary to await the transposition of the NIS2 Directive into the laws of each Member State. The deadline for this is October 17, 2024. After this date, each Member State must communicate the applicable sanctioning regime by January 17, 2025; while the list of essential and important entities is expected to be drawn up by the Member States by April 17, 2025 at the latest.

S2 Group: your allies for compliance with the NIS2 Directive

As the date on which compliance with the NIS2 Directive becomes mandatory approaches, the onus is on the entities to comply with the measures provided for by this law.

In this regard, the text places a duty on organizations to bring their cybersecurity capabilities to the appropriate level to protect themselves. Thus, although the text details the areas to be addressed, the focus is on the commitment of entities to their own protection, taking into account all the risks, both digital and physical, that could trigger a cybersecurity incident.

This is further reflected in the predominant role that the text gives to the management bodies, responsible for proportionally implementing measures according to the specific risks to which the entity is exposed and their impact. a key point on the part of these management bodies is the need to keep up to date on legislative changes and emerging risks.

Audits, inspections, requests for data, documents and information... The NIS2 Directive requires an effort not only in the implementation of cybersecurity measures, but also at the level of documentation and recording. All this accompanied by an accurate risk calculation, based on training, knowledge and updated skills that enable both management bodies and workers to be in a position to shield the organization against emerging dangers.

In this context, it is essential to have cybersecurity allies that address the needs of the NIS2 Directive in a comprehensive and effective manner. This is where S2 Grupo comes into play.

As a leading company at the forefront of cybersecurity and as part of our portfolio of cybersecurity solutions, we offer the Governance, Risk and Compliance solution, an initiative aimed at accompanying organizations in achieving compliance with cybersecurity legislation, including the NIS2 Directive.

Want to prepare your organization for compliance with the NIS2 Directive? Contact us and talk to our team about how we can help you.