NIS2, the second version of the European Union (EU) Network and Information Security Directive (Directive (EU) 2022/2555), was published in December 2022 and entered into force in January 2023 to raise the level of cybersecurity risk management across Europe. NIS2 builds upon the original NIS directive and extends its coverage of cloud infrastructure, internet exchange points, DNS and domain name service providers, and digital providers. Member States must transpose NIS2 into national law by October 17, 2024, after which organizations in scope that offer goods or services in the EU must comply with the resulting national rules.
This article provides a comprehensive overview of NIS2, outlining critical enhancements from its predecessor, highlighting core components, and providing practical compliance tips.
What is the NIS2 Directive?
NIS2 is an updated version of the original NIS Directive (NIS1, Directive (EU) 2016/1148), which the EU adopted in July 2016 to raise the baseline cybersecurity measures of organizations across EU Member States. The NIS2 Directive builds directly upon the foundation of the original directive, expanding its scope to address evolving cyber threats and to cover additional sectors and organizations.
Key differences between NIS1 and NIS2 include:
- Expanded scope: NIS2 covers additional sectors, including cloud computing, digital providers, manufacturing, and research.
- Risk-based approach: NIS2 emphasizes the importance of risk management, assessment, and mitigation strategies.
- Incident reporting: NIS2 imposes stricter reporting obligations on applicable organizations, requiring entities to notify their national CSIRT or competent authority of significant incidents within fixed deadlines (24 hours for an early warning, 72 hours for an incident notification, one month for a final report) and, where appropriate, to inform the recipients of their services.
- Enhanced cooperation: NIS2 encourages collaboration among EU member states, prompting cross-border information sharing to prevent and mitigate cyber threats.
- Stricter penalties: NIS2 introduces strict penalties for non-compliance, including administrative fines of up to EUR 10 million or 2% of an organization’s total worldwide annual turnover (whichever is higher) for essential entities.
Overall, NIS2 provides a comprehensive framework organizations must follow to improve their cybersecurity and cyber resilience, address emerging cyber threats, and safeguard critical information systems and personal data.
Who must comply with the NIS2 Directive?
NIS1 applied to seven sectors of operators of essential services: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (internet exchange points, DNS service providers, and top-level domain name registries). It also covered three types of digital service providers: online marketplaces, online search engines, and cloud computing services. NIS2 expands this scope to cover 10 additional sectors:
- Public administration
- Wastewater
- Space
- ICT service management
- Research
- Food production
- Postal services
- Waste management
- Manufacturing
- Chemicals production
NIS2 expands the scope of critical sectors it covers and introduces new classification rules for determining organizations' criticality.
Essential vs. important organizations
The original NIS Directive distinguished between operators of essential services and digital service providers. However, NIS2 replaces this distinction and categorizes organizations within its scope as either important or essential. While both categories must meet the same compliance requirements, the directive applies different supervisory measures, sanctions, and penalties to each category.
NIS2 classifies organizations as either essential or important based on their size (headcount, annual turnover, and balance sheet total, using the EU’s SME definition) and the sector they operate within (Chart 1). Broadly, large enterprises in the high-criticality sectors are essential entities, and medium-sized enterprises in any covered sector are important entities; a few entity types, such as DNS service providers, top-level domain name registries, and qualified trust service providers, are in scope regardless of size. The directive also allows Member States to designate organizations of any size as essential or important based on their risk profile and criticality.
Once NIS2 is transposed into national law, national authorities will supervise essential organizations proactively (ex ante) as well as after the fact, while important organizations will only be supervised ex post, when the authority receives evidence or indications of non-compliance.
Penalties for non-compliance
Compared to NIS1, NIS2 introduces stricter penalties for non-compliance. The directive sets minimum maximum fines that Member States must provide for, and these vary depending on an organization’s classification:
- Penalties for essential entities: Administrative fines with a maximum of at least EUR 10 million or 2% of the organization’s total worldwide annual turnover in the preceding financial year, whichever amount is higher.
- Penalties for important entities: Administrative fines with a maximum of at least EUR 7 million or 1.4% of the organization’s total worldwide annual turnover in the preceding financial year, whichever amount is higher.
These increased penalties underscore the EU’s mission to improve cybersecurity and cyber awareness across Europe. Regulatory authorities can hold any in-scope organization accountable for non-compliance with any of the directive’s regulatory components, and senior management can be held personally liable for breaches of the risk management obligations.
Core components of NIS2
The NIS2 Directive introduces a comprehensive cybersecurity framework that comprises several core components and aims to improve the cybersecurity practices and programs of organizations across the EU. These core components outline the foundational pillars upon which the EU expects organizations to develop cybersecurity strategies and processes to mitigate cyber threats and achieve holistic compliance.
From incident reporting to cross-border collaboration, each component of NIS2 is critical in helping organizations enhance their security posture and harden their critical infrastructure. By understanding and adhering to these core components, organizations can prevent severe data breaches, mitigate security incidents, and collectively enhance Europe's digital security.
Incident reporting
Thorough incident handling and reporting are fundamental requirements of NIS2, which introduces new timelines that organizations must follow when notifying relevant authorities of significant cybersecurity incidents. NIS1 required each EU Member State to establish a Computer Security Incident Response Team (CSIRT) or other competent authority for incident reporting. Under NIS2, organizations must deliver an early warning to their CSIRT or competent authority within 24 hours of becoming aware of a significant incident, follow up with an incident notification within 72 hours of becoming aware of it, and submit a final report no later than one month after the incident notification (or, if the incident is still ongoing at that point, a progress report followed by a final report within one month of handling the incident). The authority may also request intermediate status updates in between. Every three months, each Member State’s single point of contact submits a summary report on notified incidents to the European Union Agency for Cybersecurity (ENISA).
Here’s what each report should contain:
- Early warning: A first notice indicating, where applicable, whether the significant incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact on the organization, other organizations, or other Member States
- Incident notification: A report that updates the early warning and provides an initial assessment of the incident, including its severity and impact and, where available, the indicators of compromise
- Final report: A comprehensive report that expands upon the previous two, with a detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and ongoing, and, where applicable, its cross-border impact
The NIS2 Directive encourages Member States to educate organizations on incident reporting requirements to streamline procedures and reduce administrative burden. As the directive's cybersecurity training component suggests, organizations should train relevant stakeholders to report incidents efficiently.
Cybersecurity training
NIS2 holds senior management and executive leadership accountable for their organization's cybersecurity maturity. The directive obliges management bodies to approve the organization’s cybersecurity risk management measures, oversee their implementation, and answer for failures to do so. To fulfil these responsibilities, which include overseeing risk assessment, risk treatment, and other cybersecurity tasks, management bodies are required to follow cybersecurity training.
In addition to enrolling themselves in cybersecurity training programs, the NIS2 Directive suggests senior management make these programs available to all employees to foster the growth of the organization’s cybersecurity awareness.
Risk management
Building upon the foundation of NIS1, NIS2 requires organizations to establish robust risk management programs to mitigate security incidents across their attack surface and third-party ecosystem. Under NIS2, organizations are responsible for addressing their internal cybersecurity risks and risks throughout their vendor and supplier relationships.
These risk management and supply chain security requirements indirectly expand the scope of NIS2 by encouraging organizations to ensure suppliers comply with all of the Directive’s requirements. In other words, individual suppliers that fall outside the scope of NIS2 may still need to achieve a minimum level of cybersecurity to conduct business with supervised organizations committed to ensuring comprehensive compliance and mitigating compliance risk.
Cross-border collaboration
The NIS2 directive encourages cross-border collaboration through information sharing, joint response mechanisms, and standardized reporting protocols. These initiatives empower organizations in all EU member states to effectively respond to international and domestic cyber threats.
After understanding the core components of NIS2, organizations must take proactive steps to ensure compliance with the directive. Preparation is critical to navigating the complexities of NIS2 and effectively implementing the necessary measures to enhance cybersecurity resilience. By aligning their strategies with the core components of NIS2, organizations can construct a strong foundation for compliance and resilience.
How to prepare your organization to comply with NIS2
Identify compliance gaps and start planning
The first steps to preparing for NIS2 are conducting a thorough audit to identify gaps in your organization’s cybersecurity regimen and developing a comprehensive plan to address these gaps and achieve compliance with NIS2 requirements. Prioritize critical areas for immediate improvement and establish clear timelines for each implementation stage.
Develop robust ASM and TPRM programs
The next step in achieving NIS2 compliance is designing robust attack surface management (ASM) and third-party risk management (TPRM) programs to mitigate internal and external cybersecurity threats. When constructing your programs, clearly define roles, responsibilities, security policies, and procedures, enabling personnel to efficiently identify, assess, and mitigate cyber threats.
Cultivate a culture of risk awareness
While appraising your organization’s cybersecurity regimen and installing robust ASM and TPRM programs, you should also simultaneously be cultivating a culture of risk awareness. There are many ways to improve your organization's risk awareness, including offering cybersecurity training programs, installing channels for open communication, and encouraging collaboration among departments.
Reassess organizational compliance
After preparing for NIS2, the final step is to address your cybersecurity program again to identify any compliance gaps. Conducting a second formal audit will allow you to see your progress and identify areas where your organization still needs to improve its cybersecurity program to achieve comprehensive compliance.
Leverage a cybersecurity solution to help
Compliance with any cybersecurity regulation can be challenging, especially when your organization starts from scratch. Most organizations leverage a comprehensive cybersecurity software solution, like UpGuard, to help them with everything from vulnerability detection to vendor due diligence and compliance reporting.
Achieve NIS2 compliance with UpGuard
UpGuard offers organizations all the tools they need to comply with the NIS2 Directive’s cybersecurity requirements. UpGuard provides security teams with a centralized platform to identify, assess, and mitigate significant risks across their organization’s internal systems and third-party partnerships.
By using UpGuard to understand their risk profile, identify operational risks and vulnerabilities, automate workflows, and gain real-time insights, organizations can facilitate collaboration among stakeholders and achieve comprehensive compliance with NIS2 and other critical regulations (GDPR, EU Cybersecurity Act, etc.).
Here’s how UpGuard can help your organization strengthen its cybersecurity and compliance management programs:
- Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture
- Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene
- Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
- Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders
- Risk mitigation workflows: Comprehensive workflows to streamline risk management measures and improve overall security posture
- Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls
- Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- 24/7 continuous monitoring: Real-time notifications and new risk updates using accurate supplier data
- Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Trust Page: Reduce the number of security questionnaires you need to answer by publishing an UpGuard Trust Page
- Intuitive design: Easy-to-use first-party dashboards
- World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard