What is NIS2?
NIS2, or Directive (EU) 2022/2555, is the EU's updated cybersecurity law, designed to raise the level of cybersecurity across the region. It became effective on October 18, 2024.
Why is NIS2 necessary?
NIS2 replaces an earlier law, NIS-D, which was introduced in 2016 to improve the resilience of network and information systems. However, with rapid digitalization, NIS-D showed some weaknesses. NIS2 aims to fix these issues by promoting national cybersecurity strategies, better cooperation among EU countries, stricter reporting of incidents, and tougher enforcement measures.
How does NIS2 affect organizations?
Public and private organizations now need to assess how NIS2 impacts their cybersecurity practices. They must ensure compliance, understand the consequences of non-compliance (like fines and increased supervision), and consider the personal responsibility of upper management.
Who does NIS2 affect?
NIS2 applies to both public and private organizations operating within the EU, especially those providing critical services or infrastructure. However, even smaller entities may be impacted, and Member States have the authority to bring additional organizations into scope. Additionally, NIS2 indirectly affects supply chains, emphasizing the need for robust security assessments that cover third- and fourth-party risks.
What are the key changes with NIS2?
NIS2 widens the scope of NIS-D, now covering more sectors selected on the basis of their degree of digitalization and their importance to society and the economy. Medium and large-sized organizations in these sectors, including the public sector, are now covered. Exceptions exist, but organizations need to consider them carefully. If your company has over 50 employees or an annual turnover of €10 million, you might be among the many organizations affected by NIS2.
Personal Responsibility: NIS2 introduces personal responsibility for management members of essential and important entities who fail to comply with cybersecurity risk management requirements. Competent authorities may even temporarily prohibit certain individuals from exercising managerial functions in essential entities.
Enhanced Regulatory Supervision: NIS2 grants competent authorities new supervisory powers, including on-site inspections, off-site supervision, audits, and access to data. This strengthens regulatory oversight of compliance with cybersecurity policies.
Enforcement, Fines, and Offences: NIS2 empowers competent authorities with enforcement measures, including the imposition of administrative fines for breaches. Essential entities face fines of at least €10,000,000 or 2% of total worldwide annual turnover, while important entities face fines of at least €7,000,000 or 1.4% of total worldwide annual turnover.
Actions to Take Now for NIS2 Compliance: