NIS 2 is Coming: What Does It Mean for EU and Non-EU Organisations?

The second version of the EU’s Network and Information Systems Directive (NIS 2) is expected to be transposed into national laws by all 27 member-states by October 17, 2024.

This means that all EU-based organisations that had to comply with the initial NIS directive, as well as many other businesses, will have to spend a significant part of 2024 working towards NIS 2 compliance.

This new 73-page directive on cybersecurity controls introduces many changes, including applying to a broader scope of organisations – with the notable inclusion of all managed service providers (MSPs) – and requiring some of the most critical ones to implement tighter cyber incident reporting timeframes.

The text also imposes higher non-compliance fines than ever seen for cyber legislation.

Here is Infosecurity’s deep dive into the main takeaways of NIS 2.

Where Did NIS 1 Fail?

The initial NIS directive, adopted in all EU member-states – then including the UK – in 2016, was the EU’s first-ever piece of legislation solely dedicated to cybersecurity measures.

Speaking to Infosecurity, Rob Robinson, head of Telstra Purple EMEA, said NIS was “aimed to offer a set of robust security standards to a number of critical verticals.”

Specifically, the initial directive applied to seven verticals (energy, transport, banking, finance, healthcare, drinking water, digital infrastructure) considered to provide essential services.

However, many experts realised that the interpretation of the directive across each of the member-states was slightly different.

“That created some ambiguity across the various EU organisations in terms of how the law was actually applied,” Robinson explained.

Therefore, the decision was made that a new NIS directive would come into force across the EU by the end of 2024.

In December 2020, the Commission proposed its first draft for the future NIS 2.

“Meanwhile, the COVID-19 pandemic we all went through meant that organisations have been sharing much more data with their partners and suppliers and brought a big emphasis on the cloud, let alone the exploding use of the Internet-of-Things (IoT). All this is absolutely a benefit to these organisations, but it is also broadening their attack surface,” Robinson added.

“2016 is a long way away, particularly given the speed in which cyber threats have advanced, and an update is thus required,” he said.

NIS 2 was passed by vote in November 2022 and adopted on January 16, 2023.

NIS 2 Vision: 46 Articles, Three Objectives, Five Pillars

With 46 articles and 44 preambles, NIS 2 is a heavy text.

In a dedicated webinar, Richard Cassidy, the field CISO for cloud-based data security provider Rubrik, said the new directive addresses three main objectives:

  • Enhance cyber resilience in a growing number of sectors across the EU
  • Reduce inconsistencies in levels of resilience in sectors already covered by NIS 1
  • Enhance trust by further improving information sharing and setting new rules for incident response

To achieve this, NIS 2 is structured around five pillars:

  • Security requirements
  • Incident handling
  • Continuity of service
  • Monitoring, auditing & testing
  • Compliance with international standards

According to Cassidy, the most significant changes will be around incident handling, the continuity of service and monitoring, auditing & testing.

NIS 2 Application: Two Tiers, 18 Sectors

With NIS 2, the number of verticals covered by the directive will be expanded from seven to 17, with over 160,000 businesses estimated to fall under the new text.

These 160,000+ businesses in 18 sectors will be divided into the following two tiers:

    1. Essential entities, comprising the seven verticals covered by NIS 1, including an extended understanding of the energy sector, as well as three additional sectors (public administration, wastewater, space).

    2. Important entities, including post services, food manufacturing and distribution, social media and chemical production.

Figure: Verticals covered by NIS 2 (source: EY)

The inclusion of IT service providers is one of the changes that will have the most impact, Robinson said.

“Any MSP, including hosting and cloud service providers as well as security service providers, will have to comply,” he said.

Reporting Breaches Under NIS 2

Organisations that fall under the ‘essential entity’ category will have to comply with stricter rules, such as reporting a cyber incident within 24 hours, compared with 72 hours required under the current NIS 1 directive.

Under NIS 2, important entities will need to report a cyber incident within 72 hours.

In the case of non-compliance, essential entities will pay fines of either 2% of their worldwide annual turnover recorded during the preceding financial year or €10m – whichever is higher.

For important entities, non-compliance fines amount to the higher of 1.4% of annual turnover or €7m.

Other fundamental changes include data security governance, third-party risk management, and information sharing.

“NIS 2 will require organisations to make big progress in how they share information with the three European Supervisory Authorities (EBA, EIOPA and ESMA – ESAs) and other organisations,” Cassidy said during the Rubrik webinar.

Alongside NIS 2, the EU institutions introduced the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), a cooperation network for the member-states’ national authorities in charge of cyber crisis management.

The network was launched in 2020 and formalised in January 2023. From October 17, 2024, and every 18 months after that, EU-CyCLONe will submit a report assessing its work to the European Parliament and the Council.

Additionally, a NIS 2 cooperation group will establish a network of vetted computer security incident response teams (CSIRTs) from January 2025, with the assistance of the Commission and ENISA.

How Can Businesses Start Complying with NIS 2?

Organisations, either EU-based or based elsewhere but with branches in the EU, ought to start the compliance process right now.

Cybersecurity experts have provided the top priorities this process should start with. They are:

1. Find out which of your business units fall under NIS 2

2. Look at the existing projects your teams are going to be involved with over the next 12 months – and relocate some of them if needed

3. Make a gap analysis based on the requirements and your existing security measures

4. Amend your existing security measures and policies to plan your NIS 2 compliance journey

5. Implement those measures, starting with those around incident response and third-party risk

Below is a list of recommendations cybersecurity decision-makers should keep in mind during the compliance process:

  • Set up a working group including the CISO, business services representatives, law experts and C-suite members
  • Get the buy-in from everyone, especially the board, before you start your compliance journey
  • Don't look at each of the requirements in pockets and silos and come up with fragmented solutions to those issues
  • Reach out to external advisors if needed
  • Explore existing standards to help you implement security controls (e.g. NIST and MITRE standards)