In January 2023, the European Commission (EC) released an updated version of the European Union (EU) Network and Information Security Directive (NIS2) to strengthen cybersecurity risk management across Europe’s essential services. NIS2 updates the original NIS directive and focuses more on regulations for cloud infrastructure, internet exchanges, domain service providers, and digital service providers.
Organizations that offer goods or services in any EU Member State must comply with NIS2 by October 17, 2024. This blog briefly covers NIS2 and includes a free NIS2 compliance checklist that organizations can use to audit their cybersecurity practices and identify areas for improvement.
Enhance your organization’s cybersecurity and vendor management with UpGuard >
What is NIS2?
NIS2 is an updated version of the original NIS Directive (NIS1), introduced by the EC in July 2016. It aims to enhance the overall cybersecurity measures of organizations across EU Member States. The NIS2 Directive builds on the foundation of the original directive and expands its scope to cover additional sectors and organizations while also addressing emerging cyber-attacks.
NIS2 provides a comprehensive framework that organizations must follow to improve their cybersecurity and cyber resilience, safeguard critical information systems and personal data, and tackle emerging cyber threats.
Key differences between NIS2 and NIS
The NIS2 Directive comprises several core components published in the original NIS Directive. Together, these components enhance cybersecurity practices, encourage EU organizations to develop comprehensive cybersecurity programs, and ensure holistic compliance.
There are distinct updates in NIS2, which include:
- Scope of application: Expanded to include medium and large essential entities in critical sectors, including postal and courier services, waste management, and manufacturers of critical products.
- Security requirements: Introduced stricter and more detailed security and access control measures, including encryption and multi-factor authentication (MFA)
- Incident management: Incident handling procedures were updated to require immediate preliminary notification of security incidents within 24 hours and detailed notification within 72 hours
- National frameworks: Updated requirements with enhanced powers for national authorities and mandates for stricter national supervision
- Fines and penalties: Introduced specific penalties up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher
- Regulatory authority: Significantly increased powers, including direct enforcement powers and the ability to conduct audits and impose fines
- Risk management: Broadened risk management, addressing supply chain security and third-party service continuity and integrity
- Sector-specific measures: Expanded sectors and include additional requirements tailored to sector-specific risks
Who must comply with NIS2?
NIS1 applied to eight sectors in the European Union: healthcare, energy, transport, drinking water, banking, digital infrastructure, and digital service providers. NIS2 now includes new classification rules and expands the scope to cover additional important entities, including:
- Public administration
- Wastewater
- Space
- ICT service management
- Research
- Food production
- Postal services
- Waste management
- Manufacturing
- Chemicals production
How to prepare for NIS2 compliance
Organizations preparing for NIS2 compliance can now take various steps to make the compliance process seamless. This preparation includes identifying any compliance gaps to reassess organizational compliance. Organizations can also create a culture of risk awareness while educating stakeholders and employees on compliance requirements in their specific departments.
Leveraging a cybersecurity solution like UpGuard can also help organizations reach NIS2 compliance. A comprehensive cybersecurity solution can help with everything from vulnerability detection to incident reporting and beyond, all aimed at reducing cybersecurity risk and meeting compliance requirements.
NIS2 Compliance Checklist
Compliance checklists are an excellent way for organizations to start auditing and evaluating their current compliance management program and identify areas for improvement.
Below is a free NIS2 compliance checklist that covers updated areas in the Directive, which your organization can customize to fit its unique needs. Be sure to reference the full NIS2 Directive alongside this checklist to ensure your organization complies with the updated components.
Governance and Risk Management
- Define organizational goals and risk appetite, assuring that any NIS2 compliance framework supports strategic objectives and acceptable risk levels.
- Assign clear roles and responsibilities for NIS2 compliance tasks, identifying who is liable in case of non-compliance.
- Identify and document cyber risks in your environment, focusing on internal and external factors that could impact security.
- Regularly review cybersecurity measures and ensure management involvement in the approval and oversight process.
Cybersecurity Policies and Procedures
- Ensure security policies are documented, clearly understood, and assessed periodically.
- Implement formal incident response plans and handling, including a detailed ticketing system for incident detection, triage, and response to meet reporting obligations.
- Secure supply chain interactions and mitigate risks related to suppliers or service providers, ensuring comprehensive security from end to end.
- Establish backup management and disaster recovery plans that align with agreed Recovery Time Objectives (RTOs) to ensure business continuity.
Technical and Operational Measures
- Assess and implement basic cyber hygiene practices and conduct regular cybersecurity training to maintain high-security standards.
- Secure your network and information systems, focusing on robust vulnerability handling and disclosure practices.
- Use strong cryptography and encryption practices for sensitive data, such as encrypting data at rest and in transit to protect sensitive information.
- Deploy robust endpoint protection and network and information security measures to prevent unauthorized access and attacks.
Security Technologies and Solutions
- Employ comprehensive security solutions, including SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), and UEBA (User and Entity Behavior Analytics) tools. Ensure these comply with standards such as Common Criteria EAL3+ and support GDPR, Schrems II, and CCPA regulations.
- Use SaaS solutions that comply with EU data residency regulations (such as GDPR compliance for data protection). Ensure that cloud environments are secured against breaches and unauthorized access.
Technical Compliance and Certifications
- Ensure the use of multi-factor authentication and secured communication systems for critical services, including voice, video, and text communications, especially for remote or privileged access.
- Apply relevant security frameworks and ensure compliance with standards such as ISO 15408 for technology security and ISO 27001 for information security management.
Compliance with Legal and Industry Standards
- Understand and implement the requirements of NIS2, noting key differences from the original NIS Directive.
- Ensure cybersecurity strategies meet specific requirements pertinent to critical infrastructure sectors such as healthcare (HIPAA compliance), energy (NERC CIP standards), and finance (SOX compliance). Implement recognized frameworks to strengthen security postures and standards, such as NIST SP 800 series, ISO/IEC 27001, CIS Controls, and Mitre Att&ck.
Reporting and Communication
- Develop capabilities to swiftly detect, analyze, and report significant incidents to relevant authorities (such as national CSIRTs) and notify affected stakeholders, adhering to stipulated timelines and content requirements.
- Document governance processes and cybersecurity efforts comprehensively. Use benchmarks such as ISO/IEC 27002:2022 for standard compliance and automate reporting processes as much as possible.
Human Resources and Training
- Implement HR policies that rigorously control access based on roles, conduct regular security assessments, and enforce strict security training and awareness programs.
- Provide personnel with comprehensive training on cybersecurity best practices, data handling, and compliance obligations.
Prepare for NIS2 Compliance with UpGuard
Compliance management is an ongoing and difficult challenge, but UpGuard helps your organization stay one step ahead with our all-in-one external attack surface management platform.
UpGuard Breachsight helps protect your organization’s reputation by understanding the risks impacting your external security posture and knowing your assets are constantly monitored and protected. View your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents. Other features include:
- Data Leak Detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- Continuous Monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials
- Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Shared Security Profile: Eliminate having to answer security questionnaires by creating an UpGuard Trust Page
- Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
- Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface