
    Understanding NIS2: What European Organizations Need to Know

    Sectricity Security Team, December 22, 2024

    If your organisation operates within the EU, or provides services to EU-based companies, understanding NIS2 is no longer optional; it is a business necessity. Here is what you need to know about the directive and how to prepare for compliance.


    What is NIS2?

    The NIS2 Directive is the successor to the original 2016 NIS Directive. While the first version laid the groundwork for cybersecurity across the EU, it was often criticised for being inconsistent and too narrow in scope.

    NIS2 aims to harmonise cybersecurity requirements and enforcement across all EU member states. It officially came into force in early 2023, and member states were required to transpose it into national law by October 17, 2024.

    Who Does It Apply To?

    One of the biggest changes in NIS2 is the sheer number of organisations it covers. The directive now applies to a much broader range of sectors, divided into two categories:

    Essential Entities (EE)

    These are sectors critical to the economy and society, such as:

    • Energy (electricity, oil, gas, hydrogen)
    • Transport (air, rail, water, road)
    • Banking and financial market infrastructure
    • Health (including laboratories and medical device manufacturing)
    • Drinking water and wastewater
    • Digital infrastructure (cloud providers, data centres, DNS)
    • Public administration

    Important Entities (IE)

    These are sectors that are vital but subject to slightly less stringent oversight:

    • Postal and courier services
    • Waste management
    • Chemicals (manufacturing and distribution)
    • Food (production, processing, and distribution)
    • Manufacturing (medical devices, electronics, machinery)
    • Digital providers (online marketplaces, search engines)

    The Size Rule: Generally, NIS2 applies to all medium and large enterprises in these sectors, that is, companies with 50 or more employees or an annual turnover or balance sheet exceeding €10 million.

    Key Requirements of NIS2

    NIS2 shifts the focus from "checking boxes" to implementing a proactive risk-management culture. Key requirements include:

    Management Accountability

    This is perhaps the most significant change. Under NIS2, top management can be held personally liable for cybersecurity failures. Boards must approve cybersecurity measures and undergo regular training to understand the risks.

    Strict Incident Reporting

    Organisations must follow a strict timeline for reporting "significant" incidents:

    • 24-hour early warning: to the national competent authority or CSIRT.
    • 72-hour incident notification: providing an initial assessment of the incident, including its severity and impact.
    • 1-month final report: a detailed analysis of the incident, its root cause, and its impact.

    Supply Chain Security

    Organisations are now responsible for the security of their entire supply chain. You must assess the cybersecurity practices of your third-party providers and suppliers to ensure they meet required standards.

    Robust Security Measures

    Entities must implement "all-hazards" risk management, including:

    • Cryptography and encryption.
    • Multi-factor authentication (MFA).
    • Business continuity and crisis management plans.
    • Vulnerability handling and disclosure.

    The Cost of Non-Compliance

    The EU is taking enforcement seriously. For Essential Entities, fines can reach up to €10 million or 2% of total global annual turnover, whichever is higher. For Important Entities, the cap is €7 million or 1.4% of global turnover.

    Beyond fines, authorities can suspend certifications or temporarily bar individuals from holding management positions.

    How to Prepare Your Organisation

    If you haven't started your NIS2 journey yet, now is the time. Here are four steps to get started:

    1. Determine Your Status: Identify if your organisation falls under the "Essential" or "Important" categories based on your sector and size.
    2. Conduct a Gap Analysis: Compare your current cybersecurity posture against the NIS2 requirements. Where are the vulnerabilities?
    3. Review Your Supply Chain: Start auditing your vendors. Ensure your contracts include cybersecurity requirements that align with NIS2.
    4. Educate the C-Suite: Ensure your leadership understands that cybersecurity is now a legal and personal responsibility, not just an IT issue.

    Conclusion

    The NIS2 Directive represents a turning point for European cybersecurity. While the requirements are demanding, the goal is a safer, more resilient digital economy. By treating NIS2 as an opportunity to strengthen your organisation rather than just a compliance hurdle, you can protect your reputation, your data, and your bottom line.

    Is your organisation ready for NIS2? Contact our team for a consultation on aligning your digital infrastructure with the new EU standards.