The first Network and Information Systems (NIS) Directive, adopted in 2016, was the EU's first cross-sector cybersecurity law, laying the foundation for protecting critical infrastructure and essential services from cyber threats. As those threats have evolved, so too must the rules that address them. NIS2 is the updated and more comprehensive directive designed to close the gaps and limitations of its predecessor.
Understanding the transition from NIS to NIS2 is crucial to safeguard your organization in an increasingly digital and interconnected world. This blog covers the key changes introduced in NIS2 and the steps your organization can take to prepare for compliance.
What is the NIS Directive?
The NIS Directive (Directive on Security of Network and Information Systems, Directive (EU) 2016/1148), or NIS1, is a cybersecurity law adopted by the European Union in 2016. The EU designed the directive to improve the security and resilience of critical infrastructure and digital services across member states. The directive primarily targets operators of essential services (OES), such as those in energy, transport, banking, health, and water supply, as well as digital service providers (DSPs) like online marketplaces, search engines, and cloud computing services.
Under the NIS Directive, OESs and DSPs must implement robust security measures to manage and mitigate risks to their network and information systems. They must also promptly report significant cybersecurity incidents to national authorities, ensuring that potential disruptions are quickly identified and addressed. Additionally, the directive fosters cooperation and information sharing among EU member states, aiming to create a more coordinated and resilient approach to cybersecurity across Europe. This directive marked a significant step in establishing a unified standard for cybersecurity across the EU.
When was NIS2 introduced?
The NIS2 Directive (Directive (EU) 2022/2555) is the updated and broader successor to the original NIS Directive. The EU adopted it in late 2022 and it entered into force on 16 January 2023. Since the introduction of the NIS Directive in 2016, cyber threats have grown in sophistication and frequency, and critical infrastructure and essential services have become increasingly interconnected and reliant on digital technologies. The EU created the new directive in response to that evolving landscape and to the limitations identified in its predecessor.
As a directive, NIS2 does not apply to organizations directly: each member state must transpose it into national law. The transposition deadline was 17 October 2024, with the national measures applying from 18 October 2024, so that 21-month window was the period in which in-scope organizations were expected to prepare. Not every member state met the deadline, so the exact date on which obligations become enforceable, and the national authority you report to, differ by country. Check the transposing law in each member state where you operate.
Key differences between NIS and NIS2
Below are the key differences between NIS and NIS2, highlighting the major changes in scope, security requirements, incident reporting, governance, and enforcement that organizations must understand and address.
Scope and coverage
The original NIS Directive focused on operators of essential services (OES) in sectors such as energy, transport, banking, healthcare, and water supply. Additionally, NIS1 covered certain digital service providers (DSPs) that rely heavily on information and communication technology (ICT), such as online marketplaces, search engines, and cloud services.
NIS2 significantly expands the directive's scope by including a broader range of sectors and entities, now covering additional critical sectors such as public administration, waste management, space, food production, and the manufacturing of critical products.
Moreover, NIS2 introduces a two-tier system, distinguishing between essential entities (EE) and important entities (IE). The classification depends mainly on sector and size rather than on a case-by-case impact assessment: large entities in the "sectors of high criticality" listed in Annex I (energy, transport, banking, health, drinking water, digital infrastructure, public administration and others) are essential entities, while medium-sized entities in those sectors and entities in the Annex II "other critical sectors" are important entities. Both tiers must implement the same risk management measures and meet the same incident reporting obligations; the difference lies in supervision and sanctions. Essential entities are subject to proactive (ex ante) supervision, including regular audits and inspections, whereas important entities are supervised reactively (ex post), typically once there is evidence of non-compliance, and face lower maximum fines.
NIS2 also replaces NIS1's case-by-case designation of operators with a size-cap rule: medium and large organizations (50 or more employees, or annual turnover or balance sheet above EUR 10 million) operating in a listed sector are in scope automatically, without waiting to be identified by a national authority. Some providers, such as DNS service providers, TLD name registries, trust service providers and providers of public electronic communications networks or services, are covered regardless of size, and member states may designate smaller entities whose disruption would have a significant impact. The practical result is that many medium-sized enterprises that sat outside NIS1 are now in scope.
Security requirements
The original NIS Directive required entities to implement "appropriate and proportionate" security measures but left much of the specific implementation to the discretion of member states, which led to varying standards across the EU.
NIS2 is more prescriptive. Article 21 obliges entities to take an all-hazards approach and sets out a minimum list of measures that every essential and important entity must implement:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, including backup management, disaster recovery and crisis management;
- supply chain security, covering the relationship with direct suppliers and service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of the measures;
- basic cyber hygiene practices and cybersecurity training;
- policies on the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate.
Supply chain security receives particular attention: entities must assess the risks specific to each direct supplier and service provider, including the quality of those suppliers' own security practices and secure development procedures.
Incident reporting
The original NIS Directive required entities to report significant incidents to national authorities, but the criteria for what constituted a "significant" incident were vague, leading to inconsistencies in reporting.
NIS2 clarifies and tightens incident reporting. An incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Reporting is staged with fixed deadlines: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact; an incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; intermediate status updates on request; and a final report no later than one month after the incident notification, covering severity and impact, the type of threat or root cause, the mitigations applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead and the final report follows one month after the incident is handled. Where appropriate, entities must also inform the recipients of their services about significant incidents likely to affect them.
Governance and oversight
The initial NIS Directive required member states to designate national competent authorities (NCAs) to oversee and enforce the directive, a single point of contact for cross-border cooperation, and one or more Computer Security Incident Response Teams (CSIRTs) to receive incident reports. However, there was significant variation in oversight and governance structures across the EU, resulting in inconsistent implementation and enforcement.
NIS2 strengthens the governance framework by enhancing the role of NCAs and establishing more consistent oversight mechanisms across the EU, requiring member states to adopt a more harmonized approach to supervision and enforcement. It also makes senior management directly accountable: under Article 20, management bodies must approve the cybersecurity risk management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for infringements. At the EU level, NIS2 formally establishes the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which coordinates the management of large-scale cybersecurity incidents and crises across member states, improving cross-border cooperation and resilience.
Penalties and enforcement
The original NIS Directive allowed member states to set penalties for non-compliance but provided limited guidance, leading to wide variations in enforcement and penalties across the EU.
NIS2 introduces a more robust and consistent enforcement regime across the EU. It specifies that sanctions for non-compliance must be effective, proportionate, and dissuasive, and sets floors for the maximum fines member states may impose. For essential entities, the maximum fine must be at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Beyond fines, competent authorities can issue binding instructions, order an entity to inform the recipients of its services, and make aspects of the non-compliance public. For essential entities that fail to remedy a breach, authorities can also temporarily suspend certifications or authorizations and temporarily prohibit the responsible managers from exercising managerial functions. Together these sanctions create a much stronger incentive to comply with the directive's requirements.
How to Comply with NIS2 in 6 Steps
For organizations covered by NIS2, achieving compliance is not just about meeting regulatory obligations; it is about safeguarding your operations against evolving cyber threats. Below are six essential steps your organization should take to comply with NIS2, from assessing your current cyber resilience to establishing a robust governance framework and engaging with national authorities.
1. Assess current compliance status
Begin by confirming whether and in which tier your organization falls under NIS2 (sector, size, and any special designation), then perform a gap analysis that evaluates how your current cybersecurity posture aligns with the NIS2 requirements, in particular the Article 21 minimum measures, the Article 23 reporting obligations, and the Article 20 management accountability duties. The analysis should cover all aspects of your cybersecurity framework, including risk management, incident response, supply chain security, and governance practices. Understanding these gaps is essential for prioritizing actions and allocating resources effectively.
Additionally, identify and categorize the critical assets within your organization that are essential for the continuity of operations. Critical assets include physical infrastructure, digital infrastructure, and data that could be targeted in a cyber attack. Understanding what assets are critical will help you focus your compliance efforts on the areas that matter most.
2. Update security measures
NIS2 requires organizations to adopt more comprehensive and specific security measures, so your organization's cybersecurity risk management measures may need an upgrade. Map each of the Article 21 minimum measures to an existing control and close the gaps: this typically includes threat detection and logging, regular vulnerability assessments and a vulnerability handling and disclosure process, tested backup and recovery, and incident response mechanisms. Ensure that your security controls are aligned with current standards and best practices (for example ISO/IEC 27001 or the NIST Cybersecurity Framework), covering both prevention and mitigation of cyber threats.
Pay particular attention to access control: multi-factor or continuous authentication for access to critical systems is explicitly listed among the NIS2 minimum measures, as are cryptography and encryption policies and secured communications. Automated tooling for threat detection, data protection, and authentication helps meet these requirements consistently, but the measures must also be documented and their effectiveness assessed, since NIS2 requires policies to evaluate how well the measures work.
3. Revise incident response plans
Update your incident response plans to meet NIS2's stricter reporting obligations, ensuring that your organization can identify a significant cybersecurity incident and report it within the required timelines: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report one month after the notification. Develop a clear internal process for incident notification, including who decides that an incident is significant, who is responsible for the early warning and the subsequent reports, which CSIRT or competent authority receives them in each member state where you operate, and how information will be communicated both internally and to affected customers.
Regularly test your incident handling through simulated cybersecurity drills. These exercises should cover various scenarios, including data breaches, ransomware attacks, and system outages, to ensure your team is prepared for real-world incidents. Regular drills will help identify weaknesses in your response plan and provide opportunities for improvement to ensure business continuity.
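To make the reporting clocks in step 3 concrete, here is an added example (not UpGuard's code and not part of the original post) of a small Python tracker that computes the NIS2 deadlines for one incident and reports which stages are on time, late, overdue or still open. It follows the Article 23(4) staging described above: the 24-hour and 72-hour clocks run from the moment the entity becomes aware of the incident, and the one-month clock for the final report runs from the moment the incident notification was actually submitted (projected from the 72-hour deadline if it has not been sent yet). Reading "one month" as a calendar month, clamped to the last day of a short month, is an assumption; the directive does not define it further. All timestamps are constructed sample data.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Stage:
    name: str
    deadline: datetime
    anchor: str  # which event the clock is counted from, kept for the incident record


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month arithmetic (assumption: 'one month' is a calendar month).
    Clamps to the last day of a short month, e.g. 31 Jan 2024 -> 29 Feb 2024."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at: datetime,
                   notification_sent_at: Optional[datetime] = None) -> List[Stage]:
    """Art. 23(4) clocks: early warning 24h and incident notification 72h from
    awareness; final report one month after the incident notification was sent.
    If the notification is still outstanding, the final-report deadline is a
    projection from the 72h deadline so the IR team sees the worst case."""
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; the clocks are UTC-anchored here")
    notification_deadline = aware_at + timedelta(hours=72)
    if notification_sent_at is not None:
        final_anchor, anchor_label = notification_sent_at, "incident_notification_sent"
    else:
        final_anchor, anchor_label = notification_deadline, "projected_72h_deadline"
    return [
        Stage("early_warning", aware_at + timedelta(hours=24), "awareness"),
        Stage("incident_notification", notification_deadline, "awareness"),
        Stage("final_report", add_one_month(final_anchor), anchor_label),
    ]


def reporting_status(aware_at: datetime,
                     submitted: Dict[str, datetime],
                     now: datetime) -> Dict[str, str]:
    """submitted maps a stage name to the time that report was actually sent.
    Returns one of: on_time, late (sent after its deadline), overdue (not sent
    and deadline passed), or due_in_<hours>h (not sent, still within deadline)."""
    status: Dict[str, str] = {}
    for stage in nis2_deadlines(aware_at, submitted.get("incident_notification")):
        sent = submitted.get(stage.name)
        if sent is not None:
            status[stage.name] = "on_time" if sent <= stage.deadline else "late"
        elif now > stage.deadline:
            status[stage.name] = "overdue"
        else:
            hours_left = int((stage.deadline - now).total_seconds() // 3600)
            status[stage.name] = f"due_in_{hours_left}h"
    return status


# Constructed sample incident (not real data): SOC confirms a significant
# incident at 09:00 UTC on 17 Oct 2024 and is reviewing status four days later.
SAMPLE_AWARE_AT = datetime(2024, 10, 17, 9, 0, tzinfo=UTC)
SAMPLE_NOW = datetime(2024, 10, 21, 10, 0, tzinfo=UTC)
SAMPLE_SUBMITTED = {
    "early_warning": datetime(2024, 10, 17, 20, 0, tzinfo=UTC),          # 11h after awareness
    "incident_notification": datetime(2024, 10, 19, 15, 0, tzinfo=UTC),  # 54h after awareness
}
SAMPLE_LATE_SUBMITTED = {
    "early_warning": datetime(2024, 10, 18, 12, 0, tzinfo=UTC),  # 27h: missed the 24h clock
}


def example_status() -> Dict[str, str]:
    """Well-run case: both early reports on time, final report still open."""
    return reporting_status(SAMPLE_AWARE_AT, SAMPLE_SUBMITTED, SAMPLE_NOW)


def example_status_missed_clocks() -> Dict[str, str]:
    """Failure case: late early warning, notification never sent and now overdue."""
    return reporting_status(SAMPLE_AWARE_AT, SAMPLE_LATE_SUBMITTED, SAMPLE_NOW)


if __name__ == "__main__":
    for stage in nis2_deadlines(SAMPLE_AWARE_AT, SAMPLE_SUBMITTED["incident_notification"]):
        print(f"{stage.name:22s} due {stage.deadline.isoformat()} (from {stage.anchor})")
    print(example_status())
    print(example_status_missed_clocks())
```

The tracker deliberately keys everything on the awareness timestamp rather than on the time the incident started: the directive's clocks run from when the entity becomes aware, so that timestamp should be recorded by the person who declares the incident significant and should not be revised later. Attaching the anchor label to each stage gives auditors the reasoning behind the final-report date. In a real plan you would feed these deadlines into your ticketing or on-call system so that the 24-hour early warning is escalated automatically rather than left to whoever is on shift.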
4. Strengthen governance and oversight
Develop or update your organization’s governance framework to ensure clear oversight of cybersecurity strategies. This framework should define roles and responsibilities, establish reporting lines, and outline procedures for decision-making and accountability. Strong governance is essential for maintaining compliance with NIS2 and ensuring that cybersecurity is integrated into your organization’s overall risk management strategy.
Provide ongoing cybersecurity training to employees at all levels on NIS2 compliance requirements and cybersecurity best practices. NIS2 requires members of the management body to follow such training themselves and encourages entities to offer it regularly to all staff, so the program should be tailored to different roles within the organization, ensuring that everyone understands their responsibilities and how to respond to potential cyber threats. A well-trained workforce is a critical component of a robust cybersecurity posture.
5. Engage with authorities
Establish and maintain open lines of communication with your national competent authorities (NCAs) and the CSIRT that will receive your incident reports. These authorities are responsible for overseeing NIS2 compliance and can provide guidance and support in meeting the directive's requirements; NIS2 also requires in-scope entities to register with the national authority, so confirm the registration procedure and the reporting channel in each member state where you operate. Regular engagement with NCAs will ensure that your organization remains informed about regulatory expectations and any updates to the directive.
Join relevant cybersecurity information-sharing networks and participate in industry-specific forums. Sharing information about threats, vulnerabilities, and best practices with other organizations can enhance your ability to prevent and respond to cyber incidents. NIS2 encourages greater collaboration across sectors, recognizing that cybersecurity is a shared responsibility.
6. Monitor and audit
Implement continuous monitoring tools and practices to detect and respond to cybersecurity threats in real time. This proactive approach lets your organization identify and contain threats before they escalate into significant incidents, and it also produces the logs and indicators of compromise you will need to meet the 24-hour and 72-hour reporting deadlines if one does. Continuous monitoring is essential for maintaining a strong security posture and ensuring ongoing compliance with NIS2.
Additionally, conduct regular internal and external audits of your cybersecurity measures to ensure alignment with NIS2 requirements. These audits should evaluate the effectiveness of your security controls, incident response plans, and governance framework. Regular reviews will help identify areas for improvement and ensure that your organization can adapt to evolving threats and regulatory changes.
Achieve NIS2 compliance with UpGuard
UpGuard provides organizations with all the necessary tools to meet the cybersecurity requirements of the NIS2 Directive. It offers security teams a centralized platform to identify, assess, and mitigate significant risks across their internal systems and third-party partnerships.
By using UpGuard, organizations can better understand their risk profile, identify operational risks and vulnerabilities, automate workflows, and gain real-time insights. These features allow for improved collaboration among stakeholders and support compliance with NIS2 and other regulations such as GDPR and the EU Cybersecurity Act.
Here’s how UpGuard can help your organization strengthen its cybersecurity and compliance management programs:
- Real-time scanning: Don’t accept an incomplete or lagging picture of your attack surface. Protect your domains, IP, and external assets with real-time scans.
- Instant alerts: Be alerted the moment a vulnerability is detected. Receive notifications where your team works, whether Jira, ServiceNow, or another platform like Slack.
- Detect stolen credentials: Know when your data or credentials are circulating online or at risk of unauthorized access. UpGuard combines proprietary sources and dark web scanning to spot leaked data faster.
- Constant vendor monitoring: Get alerted whenever the security posture of a third or fourth party changes. Continuous monitoring ensures you’re always the first to know.
- 360° risk assessments: See your vendor risks from all angles. Automated scanning, evidence analysis, and insights from industry questionnaires (NIST, GDPR, ISO 27001) give you the complete picture of your service providers.
- End-to-end workflows: Forget spreadsheets and stale data. Transform your processes with a single platform for identifying and managing risk mitigation.