Everything about the NIS2 Directive

What is NIS2 and when does the Directive apply?

The NIS2 Directive (Directive (EU) 2022/2555), also known as the Network and Information Security Directive, lays down measures for a high common level of cybersecurity of network and information systems across the European Union.

The NIS2 Directive is a revision of the original NIS Directive (NIS1) and was developed in response to the changed threat landscape and new cybersecurity challenges.

It aims to further strengthen cybersecurity in Europe by imposing stricter requirements on companies and organizations, in particular with regard to risk management measures, the reporting of security incidents and the supervision of compliance.

What are the main objectives of the NIS2 Directive?

  • Improving the cooperation between Member States

  • Promoting a coherent approach to cyber security across the EU

  • Ensuring an adequate level of protection for critical infrastructure and digital service providers

By when must the NIS2 Directive be transposed into national law?

The NIS2 Directive entered into force on January 16, 2023. EU member states have until October 17, 2024 to transpose it into national law; the national laws then determine the concrete obligations, registration procedures and competent authorities for affected companies.

Which companies are affected by NIS2?

Large and medium-sized companies from sectors with high criticality (Annex I of the Directive)

  • Energy: companies supplying electricity, district heating and cooling, oil, gas and hydrogen, including electricity grids and gas pipelines

  • Transport: companies that operate air, rail, road, sea and inland waterway transport

  • Banking and financial market infrastructures: credit institutions, operators of trading venues (e.g. stock exchanges) and central counterparties

  • Health: hospitals, medical facilities and other healthcare providers

  • Drinking water and waste water: water utilities and waste water treatment companies

  • Digital infrastructure: DNS service providers, TLD name registries, internet exchange points, cloud computing and data centre service providers, content delivery networks, trust service providers and providers of public electronic communications networks and services

  • Management of information and communication technology (ICT) services in the B2B sector: managed service providers and managed security service providers

  • Public administration

  • Space

Large and medium-sized enterprises from other critical sectors (Annex II of the Directive)

  • Postal and courier services

  • Waste management

  • Manufacture, production and distribution of chemicals

  • Production, processing and distribution of food

  • Manufacturing: medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and other transport equipment

  • Digital providers: online marketplaces, online search engines and social networking platforms

  • Research

Which companies are considered large and medium-sized enterprises?

NIS2 uses the size classes of the EU SME definition (Commission Recommendation 2003/361/EC). The headcount criterion and the two financial criteria are combined as follows:

  Size class            Employees (FTE)        Annual turnover             Annual balance sheet total
  Small company (SE)    < 50            and    ≤ 10 million euros    or    ≤ 10 million euros
  Medium company (ME)   < 250           and    ≤ 50 million euros    or    ≤ 43 million euros
  Large company (LE)    ≥ 250           or     > 50 million euros    and   > 43 million euros

A company therefore counts as large if it has 250 or more employees, or if it exceeds both financial ceilings. Staying below either the turnover ceiling or the balance sheet ceiling is sufficient to remain medium-sized, provided the headcount is below 250.

Are small companies also affected?

Small and micro companies are generally not affected by NIS2. However, the Directive applies regardless of company size in particular to the following:

  • Trust service providers

  • Providers of public electronic communications networks or publicly available electronic communications services

  • TLD name registries and DNS service providers

In addition, an entity can fall within scope regardless of its size if, for example, it is the sole provider in a Member State of a service that is essential for the maintenance of critical societal or economic activities.

How do essential and important entities differ?

NIS2 divides the companies in scope into "essential" and "important" entities, based on sector and size class:

Essential entities

  • Large companies from sectors with high criticality (Annex I)

Important entities

  • Medium-sized companies from sectors with high criticality (Annex I)

  • Large and medium-sized enterprises from other critical sectors (Annex II)

Effects for the companies

From a security perspective, there is no major difference in what the two classes have to implement: the risk management measures of Article 21 apply to both. The differences lie in supervision and sanctions:

Essential entities

  • Proactive supervision ("ex ante"): regular and targeted security audits by the competent authority, including random inspections and on-site inspections

  • Fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher

Important entities

  • Reactive supervision ("ex post"): checks only where there is evidence or indication of non-compliance, including on-site inspections and off-site supervisory measures

  • Fines of up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher

What requirements does NIS2 place on companies?

If a company is affected by NIS2, it must register with the relevant national authority and implement cybersecurity measures in the following areas:

  • Implementation of comprehensive risk management

  • Security in the supply chain, i.e. in dealing with business partners, suppliers, etc.

  • Incident and crisis management

  • Basic cyber hygiene

  • Notification and reporting obligations

What security objectives must be met under the NIS2 Directive?

The NIS2 Directive requires affected companies to take "appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems [...] and to prevent or minimize the impact of security incidents [...]".

Directive (EU) 2022/2555 of December 14, 2022, Official Journal of the European Union

According to NIS2, companies are obliged to align their security measures with the state of the art and with their individual threat scenarios (an "all-hazards" approach). These protective measures must be holistic: they must cover not only cyber-attacks, but also other incidents, such as hardware failures, power outages or natural events, that could affect the company's own IT infrastructure and thus the provision of its services.

The following security objectives should be met as a minimum. The tables below list, for each objective, the concrete measures and whether they are covered by the lywand Security Audit Platform ("Solved with lywand"):

Concepts of risk analysis and security for information systems

  Measure                                                        Solved with lywand
  Regular checks of the IT infrastructure for vulnerabilities    Yes
  Assessment of the vulnerabilities                              Yes

Security incident response and crisis management

  Measure                                                        Solved with lywand
  Remediation of the incident                                    Partial
  Maintenance of operations                                      No
  Recovery after an incident                                     No
  Backup management                                              No

Supply chain security

  Measure                                                        Solved with lywand
  Cross-partner information systems                              No
  Dealing with business partners                                 No
  Interfaces with partners                                       Partial

Vulnerability management and disclosure

  Measure                                                        Solved with lywand
  Monitoring vulnerabilities                                     Yes
  Addressing vulnerabilities                                     Yes
  Checking for vulnerabilities                                   Yes

Effectiveness assessment of cybersecurity risk management activities

  Measure                                                        Solved with lywand
  Continuous assessment of cybersecurity                         Yes
  Checking the implementation and effectiveness of measures      Yes

General cyber hygiene and awareness training

  Measure                                                        Solved with lywand
  Zero trust principles                                          No
  Software updates                                               Yes
  Device configurations                                          Yes
  Network segmentation                                           No

Concepts and procedures for using cryptography and encryption

  Measure                                                        Solved with lywand
  Verification that communication channels are encrypted         Yes
  Verification of encryption algorithms and technologies used    No
  Encryption of business-critical data                           No

Employee security and access management

  Measure                                                        Solved with lywand
  Least privilege approach                                       No
  Monitoring access                                              No

Secure communication and multi-factor authentication

  Measure                                                        Solved with lywand
  Reporting obligations to governmental institutions (CERT/CSIRT)    No
  Check whether multi-factor authentication is enabled           Partial

Further information can be found in the Official Journal of the European Union.

Thomas Haak

March 8, 2024

Category

Guide
