Everything about the NIS2 Directive

Find out everything you need to know about the NIS2 Directive in our article: When did it come into force, which organizations does it affect and what are the specific requirements?

What is NIS2 and when does the Directive apply?

The NIS2 Directive, also known as the Network and Information Security Directive, deals with measures to ensure a high common level of security of network and information systems in the European Union.

The NIS2 Directive is a revision of the original NIS Directive (NIS1) and was developed in response to the changing threat landscape and new cybersecurity challenges.

It aims to further strengthen cybersecurity in Europe by imposing stricter requirements on companies and organizations, particularly with regard to security incident reporting and security compliance.

What are the main objectives of the NIS2 Directive?

  • Improving the cooperation between Member States

  • Promoting a coherent approach to cyber security across the EU

  • Ensuring an adequate level of protection for critical infrastructure and digital service providers

By when must the NIS2 Directive be transposed into national law?

The NIS2 Directive came into force on January 16, 2023. EU member states have until October 17, 2024 to transpose it into national law.

Which companies are affected by NIS2?

Large and medium-sized companies from sectors with high criticality

  • Energy: companies that provide electricity and gas, including electricity grids and gas pipelines

  • Transportation: Companies that operate air, rail, road, sea, and inland waterway transportation.

  • Banking: Financial institutions, including banks, stock exchanges, and payment service providers

  • Healthcare: Hospitals, medical facilities and healthcare providers

  • Water: Water utilities and water treatment companies

  • Digital Services: Platforms, marketplaces, cloud service providers, and other digital service providers

  • Management of information and communication technology (ICT) services in the B2B sector

  • Public administration

  • Outer space

Large and medium-sized enterprises from other critical sectors

  • Postal and courier services

  • Waste management

  • Chemicals

  • Food industry

  • Processing/manufacturing industry

  • Digital service providers and research

Which companies are considered large and medium-sized enterprises?

Size class | Employees (FTE) | Annual turnover | Annual balance sheet total
--- | --- | --- | ---
Small company (SE) | < 50 and | ≤ 10 million euros or | ≤ 10 million euros
Medium company (ME) | < 250 and | ≤ 50 million euros or | ≤ 43 million euros
Large company (LE) | ≥ 250 and | > 50 million euros and | > 43 million euros

Are small companies also affected?

Small companies are generally not affected by NIS2. However, there are the following exceptions:

  • Trust service providers

  • Providers of public electronic communication networks

  • TLD name registries and DNS service providers

How do essential and important entities differ?

Essential entities | Important entities
--- | ---
Large companies from sectors with high criticality | Medium-sized companies from sectors with high criticality
 | Large and medium-sized enterprises from other critical sectors

Consequences for the companies

From a security perspective, there are no major differences in how the NIS2 Directive has to be implemented. The two categories differ only in supervision and sanctions, as follows:

Essential entities | Important entities
--- | ---
Regular and targeted security checks ("ex-ante") | Checks only in the event of reasonable suspicion ("ex-post")
Random inspections | On-site inspections and external ex-post supervisory measures
Fines of 10 million euros or 2% of global turnover (whichever is higher) | Fine of 7 million euros or 1.4% of global turnover

What requirements does NIS2 place on companies?

If a company is affected by NIS2, it must register with the relevant authority and, in addition, implement cybersecurity improvement measures in the following areas:

  • Implementation of comprehensive risk management

  • Security in the supply chain, i.e. in dealing with business partners, suppliers, etc.

  • Incident and crisis management

  • Basic cyber hygiene

  • Notification and reporting obligations

What security objectives must be met under the NIS2 Directive?

The NIS2 Directive requires affected companies to take "appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems [...] and to prevent or minimize the impact of security incidents [...]".

Official Journal of the European Union L, 2022/2555, December 14, 2022

According to NIS2, companies are obliged to align their security measures with the state of the art and with their individual threat scenarios. These protective measures must follow a holistic approach that considers not only cyber-attacks, but also other potential incidents that could affect the company's own IT infrastructure and thus the provision of essential services.

The following security objectives should be met as a minimum:

Concepts of risk analysis and security for information systems

Description | Solved with lywand
--- | ---
Regular checks of the IT infrastructure for vulnerabilities | Yes
Assessment of the vulnerabilities | Yes

Security incident response and crisis management

Description | Solved with lywand
--- | ---
Remediation of the incident | Partial
Maintenance of operations | No
Recovery after an incident | No
Backup management | No

Supply chain security

Description | Solved with lywand
--- | ---
Cross-partner information systems | No
Dealing with business partners | No
Interfaces with partners | Partial

Vulnerability management and disclosure

Description | Solved with lywand
--- | ---
Monitoring vulnerabilities | Yes
Addressing vulnerabilities | Yes
Check for vulnerabilities | Yes

Effectiveness assessment of cybersecurity risk management activities

Description | Solved with lywand
--- | ---
Permanent assessment of cyber security | Yes
Checking the implementation and effectiveness of measures | Yes

General cyber hygiene and awareness training

Description | Solved with lywand
--- | ---
Zero Trust principles | No
Software updates | Yes
Device configurations | Yes
Network segmentation | No

Concepts and procedures for using cryptography and encryption

Description | Solved with lywand
--- | ---
Verification that communication channels are encrypted | Yes
Verification of encryption algorithms and technologies used | No
Encryption of business-critical data | No

Employee security and access management

Description | Solved with lywand
--- | ---
Least privilege approach | No
Monitoring access | No

Secure communication and multi-factor authentication

Description | Solved with lywand
--- | ---
Reporting obligations to governmental institutions (CERT/CSIRT) | No
Check if multi-factor authentication is enabled | Partial

Further information can be found in the Official Journal of the European Union.

Thomas Haak

March 8, 2024

Category: Guide
