A Step-by-Step Guide for EU's NIS2 Directive

In a nutshell:

• The NIS2 (Network and Information Systems) Directive is a piece of legislation that aims to improve the cybersecurity of networks and information systems across the European Union (EU).
• NIS2 builds on the previous NIS Directive, which was implemented in 2016, and is part of a broader effort to strengthen the EU's cybersecurity capabilities.
• The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.
• Within the European Parliament, the file was assigned to the Committee on Industry, Research and Energy. The committee adopted its report on 28 October 2021, while the Council agreed on its position on 3 December 2021.
• The co-legislators reached a provisional agreement on the text on 13 May 2022. The political agreement was formally adopted by the Parliament and then the Council in November 2022.
• It entered into force on 16 January 2023, and the Member States had until 17 October 2024 to transpose its measures into national law.
• Some States were able to meet that deadline, while others are still working through legal drafts in 2025. While their final deadlines are still uncertain, one thing is clear: NIS2 compliance is on Europe's radar, and the time to prepare is getting shorter and shorter.

Whether as a business operating in the EU or supplying an affected EU customer, it's important to understand what the NIS2 Directive entails and how it may affect your operations.

This step-by-step guide will provide a comprehensive overview of the NIS2 Directive, including what it covers, who it applies to, and what steps you need to take to comply with its requirements. By the end of this guide, you'll have a clear understanding of what you need to do to ensure NIS2 compliance.

Why is the NIS2 Directive important for businesses in the EU? 

While the first Directive (NIS) made significant strides in improving the cybersecurity capabilities of Member States, its implementation proved challenging and resulted in fragmentation.

To address these challenges, the European Commission proposed the NIS2 Directive, which aims to enhance security requirements further. It addresses supply-chain security, streamlines reporting obligations, and introduces stricter supervisory measures and enforcement requirements, including harmonized sanctions throughout the EU. By broadening the scope of entities and sectors obligated to take measures, NIS2 improves cybersecurity in Europe over the long term.

You might also be interested in reading: Strengthening Cybersecurity through the EU’s NIS2 Directive

NIS to NIS2 Directive: What changed exactly?

The Network and Information Security (NIS) Directive was first introduced in 2016 with the aim of creating a harmonized approach to cybersecurity across the European Union.

The Directive set out a series of security requirements for operators of essential services (OES) and digital service providers (DSP), including incident reporting obligations and risk management requirements. The NIS Directive was the first piece of EU-wide legislation on cybersecurity. It marked a significant step forward in the fight against cybercrime.

However, implementing the NIS Directive proved to be a challenge for many businesses. Some struggled to understand their obligations under the Directive, while others found it difficult to comply with the complex reporting requirements. In addition, the NIS Directive was criticized for not covering a wide enough range of organizations and sectors.

Moving towards increased cybersecurity

To address these issues, the European Commission proposed a new version of the NIS Directive, known as NIS2. NIS2 aims to build on the success of the original directive while addressing some of the shortcomings. One of the main changes in NIS2 is the expansion of its scope to cover more sectors, including smaller businesses and digital platforms. This will ensure that more organizations are taking steps to protect themselves against cyber threats.

NIS2 also places a greater emphasis on risk management, requiring regular risk assessments. These should help businesses better understand the threats they face and take appropriate action to mitigate those risks. NIS2 also introduces new requirements for incident reporting and response, ensuring that businesses are better equipped to handle cyberattacks when they occur.

Another important aspect of NIS2 is the focus on third-party security. The Directive requires organizations to assess the security of their supply chains and take steps to ensure that contracted vendors are also taking appropriate measures to protect against cyber threats. This is particularly important considering recent high-profile supply-chain attacks.

Who’s affected by the NIS2 Directive and who does it apply to?

The NIS2 Directive applies to a range of entities operating across essential and important sectors. Under the Directive, certain entities are required to comply with the regulations to protect their systems from cyberattacks and to ensure that they can quickly recover from any incidents that do occur. The entities that are affected by the NIS2 Directive are as follows:

Operators of Essential Services (OES): These are companies that provide services essential to the functioning of society and the economy. Examples include energy companies, water suppliers, and healthcare providers. OES are required to comply with the NIS2 Directive regardless of their size.

Digital Service Providers (DSPs): These are companies that provide online services such as e-commerce platforms, cloud computing services, and search engines. DSPs are only required to comply with the NIS2 Directive if they meet certain size criteria. Specifically:

• Medium entities: DSPs with 50 or more employees and an annual turnover of at least €10 million.
• Large entities: DSPs with 250 or more employees and an annual turnover of at least €50 million.

It's worth noting that even if a company does not meet these criteria, they may still choose to comply with the NIS2 Directive to improve their cybersecurity measures and protect their systems from cyberattacks.

In summary, the NIS2 Directive affects both Operators of Essential Services and certain Digital Service Providers that meet certain size criteria.

If your business falls into one of these categories, it's important to ensure that you are complying with the regulations in order to protect your systems from cyberattacks and to avoid potential fines for non-compliance.

What are the requirements of the NIS2 Directive?

NIS2 measures are based on “all-hazards approach” aiming to protect both network and information systems and physical environments. The requirements include:

• Security policies
• Incident management
• Business continuity
• Third-party security
• Security training
• Asset management
• Reporting obligations

What are the NIS2 Directive fines? 

Fines for non-compliance with the NIS2 Directive can be substantial. In some cases, fines may be as high as €10 million or 2% of the entity's global turnover, whichever is higher. In the most severe cases, fines can be as high as €20 million or 4% of the entity's global turnover, whichever is higher.

National authorities also have the power to impose other measures, such as orders to suspend or restrict an entity's activities to protect the security of networks and information systems. It is therefore important for OES and DSPs to ensure that they comply with the requirements of the NIS2 Directive.

How can the NIS2 Directive help improve your business operations? 

• Risk management: The NIS2 Directive requires businesses to conduct regular risk assessments of their information systems, identify potential risks and vulnerabilities, and implement measures to mitigate them. By following this requirement, businesses can proactively manage their cybersecurity risks and minimize the likelihood of a cyber-attack.
• Incident management: The Directive requires businesses to have incident management procedures in place, including reporting requirements and response plans. This helps to respond quickly and effectively to cyber incidents, minimize their impact, and prevent similar incidents in the future.
• Technical and organizational measures: Another requirement of NIS2 for businesses is to implement appropriate technical and organizational measures to ensure the security of their networks and information systems. This includes security controls such as access management, encryption, and monitoring systems. By implementing these measures, businesses can significantly reduce the risk of cyberattacks and data breaches.
• Business continuity: By having business continuity plans in place, including backup and recovery procedures, businesses can maintain their operations in the event of a cyber incident, minimizing downtime and ensuring the continuity of critical services.
• Third-party security: Implementing measures to ensure the security of their supply chain, including third-party suppliers and contractors, is also a part of NIS2. By ensuring the security of their supply chain, businesses can reduce the risk of cyberattacks originating from third-party sources.

How can businesses better manage and mitigate cyber risks with the NIS2 Directive?

• Reduced risk of cyberattacks: Implementing NIS2 guidelines can significantly reduce the risk of cyberattacks and data breaches. These incidents can be expensive to remediate, and businesses may also face regulatory fines and legal liabilities. By reducing the likelihood of cyber incidents, businesses can save significant amounts of money.
• Better management of cyber incidents: NIS2 requires businesses to have incident management procedures in place, including reporting requirements and response plans. By having a clear and well-defined incident management plan, businesses can quickly contain and mitigate the impact of cyber incidents. This can minimize the costs associated with downtime, lost productivity, and reputational damage.
• Enhanced business continuity: The NIS2 Directive requires business continuity plans, including backup and recovery procedures. This way, businesses can minimize the costs associated with downtime and ensure the continuity of critical services—something especially important for sectors whose services keep communities safe.
• Improved efficiency and productivity: Implementing NIS2 guidelines can help businesses streamline their cybersecurity processes and reduce the administrative burden associated with managing their information systems. 

How can DataGuard help you comply with NIS2?

In today's world, information security is of utmost importance. With the advent of new technologies and increasing cyber threats, governments are taking steps to ensure that critical infrastructure and information systems are protected. One such step is the introduction of the new NIS2 regulation—a framework we can help you tackle.

With DataGuard, you can leverage AI-powered automation and expert-led guidance to know exactly where to focus, save time, and reduce costs. Here are just some of the reasons why 4000 companies have trusted us with their security and compliance needs: 

• Accelerated compliance: Become compliant faster with automated tools for documentation, evidence collection, and control monitoring 

• Comprehensive risk management: Identify, assess, and mitigate security risks, ensuring your organization meets all NIS2 requirements and builds a resilient cybersecurity framework 

• Continuous compliance monitoring: adapt to regulatory changes with real-time updates and best practices 

Give your company what it needs to face today’s biggest security threats and achieve critical compliance.