NIS2: The Network & Information Security Directive

Cybercrime is a real headache for businesses and governments alike. Hardly a day goes by without news of about another major cyberattack — hackers stealing customer data or organizations shutting down critical services due to severe risk. 

One thing is clear: some system to secure sensitive data is needed. That’s why the European Union (EU) introduced the Network and Information Security 2.0 (NIS2) regulations. NIS1, the initial regulations, were introduced in 2016. Improving upon these, the NIS2 Directive came into action in 2023.

Its main purpose is for organizations deemed critical to the EU economy to implement proper cybersecurity obligations.

In this article, we will see what are these NIS2 regulations and what they hold for entities.

Defining the NIS2 regulations

NIS2 regulations were previously known as Directive (EU) 2022/2555. The EU introduced them to implement cybersecurity across its member states. They were officially published on December 14, 2022, to fill the gaps in the previous version (NIS1) and support the changing cybersecurity challenges.

The EU has given member states until October 17, 2024, to adopt NIS2. Those who fail to meet the set standards may face severe penalties.

However, before proceeding, ask yourself the following questions:

• Is your company based outside but offering services in the EU?
• Is your company operating in a sector that the NIS2 Directive covers?

If so, your company must implement the NIS2 Regulations.

Note: If your organization uses AI for cybersecurity measures, it should comply with the AI Act — a must-follow act for organizations implementing NIS2. 

Sectors to which NIS2 regulations apply

The NIS2 directive applies to public and private organizations in the social and economic sectors that have at least 50 workers and make at least €10 million a year. Minor businesses may also be incorporated if they:

• Are deemed high risk
• Are the sole providers of essential services.

The following are a few essential sectors for our society and economy, including critical infrastructure, so they should be safe from cyber threats under NIS2 regulations. 

Minimum security requirements

Organizations that are covered by NIS2 must adopt the following security practices:

• Risk analysis and information security policies
• Incident response and reporting
• Access control and authentication
• Data protection and encryption
• Vulnerability management
• Backup and business continuity
• Supply chain security
• Security monitoring and logging
• Cybersecurity awareness and training
• Governance and accountability

Main objectives of NIS2 regulations

Since the main purpose of NIS2 is to ensure a high level of cybersecurity across the EU, it has applied stricter requirements to important entities. 

The directive now covers 15 sectors instead of those 7 that were initially included in the NIS1 directive. These sectors are classified as essential or important entities and must follow the outlined security measures to protect their systems and data. 

Let’s look at some of the main objectives of NIS2 regulations:

Risk management

To manage risks, NIS2 helps organizations take preventive steps to avoid cybersecurity problems. Additionally, the AI Act, which provides rules for using artificial intelligence, requires organizations to manage risks appropriately. This means they must secure AI systems, test them, keep records of their use, and fix potential problems. 

(Related reading: risk management frameworks.)

Incident reporting and response

Under NIS2, organizations must report severe cybersecurity incidents to their relevant national authorities or designated cybersecurity agencies within 24 hours. It has also specified specific rules for tracking and reporting issues related to AI systems.

Governance and accountability

Under NIS2, senior management is responsible for following cybersecurity rules and reporting incidents. At the same time, the AI Act emphasizes the need for solid management practices to ensure compliance with regulations related to AI systems.

Together, these rules show how important it is for leaders to manage cybersecurity and AI risks properly.

Data protection and security

Organizations should have secure networks and information systems to prevent data from being lost, altered, or accessed without permission. 

(See how Splunk can help you comply with NIS2.)

Implementation timeline and deadlines for NIS2

So, if you operate in the EU, it’s important to adopt the NIS2 regulations within the timeline because strict actions will be taken if any sector fails to do so. Here are some important dates issued by the EU:  

• By July 17, 2024, the European Union Cyber Crisis Liaison Organisation Network (EU-CyCLONe) must submit a report to the European Parliament and the Council to show its work throughout the time. They must also provide this report every 18 months.
• By October 17, 2024, EU countries must publish their strategies for achieving the goals of the NIS2 directive. The old NIS1 Directive from 2016 will no longer be in effect on the following day, October 18, 2024.
• By April 17, 2025, each member state must list essential entities in different sectors. This list should be reviewed at least once every two years and sent to the Commission and the Cooperation Group, with updates required every two years.
• By October 17, 2027, the Commission will review how the NIS2 directive works and provide a clear report on its performance to the European Parliament and Council. They will do this review every three years to ensure the directive is effective and up-to-date.

Penalties for non-compliance

The NIS2 directive has also introduced strict penalties for companies that don't follow its rules. It allows authorities to impose non-monetary penalties, such as compliance orders, security audits, and customer notifications about potential threats.

Alongside these measures, it has also set high fines for non-compliance. According to the European Commission:

Essential entities could face fines of up to €10 million or 2% of their global annual revenue, whichever is higher. For important entities, the fines can go up to €7 million or 1.4% of global revenue, whichever is greater.

So, every entity must understand these risks and take steps to follow the directive's rules. They must have strong security measures and procedures to detect and report cyber incidents to avoid penalties and protect their reputation.

How NIS2 improves upon NIS1

Here’s how NIS2 is stronger than NIS1: 

Broader coverage: It covers more sectors than the original NIS1, such as energy, transport, healthcare, and digital services. 

Stricter security measures: Compared to NIS1, it has established stronger cybersecurity practices. So, organizations must now follow advanced security guidelines to have effective risk management processes. 

Clear penalties for non-compliance: NIS2 introduces specific penalties for not following the rules. Companies can now be fined up to €10 million or 2% of their global annual revenue, whichever is higher. 

More consistency across countries: Its primary focus is to reduce differences in how EU countries apply cybersecurity rules. That’s why the upgraded NIS2 regulations have created a more uniform approach across all member states by setting clearer definitions and standards.

Better cooperation between countries: NIS2 requires the formation of a Cooperation Group and Computer Security Incident Response Teams (CSIRTs) in each country to improve information sharing and help countries respond together to cyber threats.

Time to act on NIS2 compliance

As cyber threats continue to evolve, implementing NIS2 regulations is an important step toward creating a more secure online environment across the EU. While compliance may seem daunting, it's an investment in your organization's future and will protect your assets and reputation.