NIS2: Security Requirements for Businesses

With the NIS2 Directive, the EU is establishing cybersecurity requirements for critical sectors like food, energy, healthcare and digital services. Regulated entities have to implement a wide range of IT controls to protect against both digital and physical threats. Everything you need to know about the security requirements of NIS2!

NIS2: Security Requirements

NIS2 requires entities that operate in the EU, fall into one of the regulated sectors and exceed the size threshold for their sector to take appropriate technical, operational and organizational measures that:

  • manage risks to the security of their IT systems and

  • prevent or minimize the impact of security incidents on their services

The NIS2 Directive itself does not go into detail on what appropriate technical, operational and organizational measures look like. However, it does specify that risk management should follow an all-hazards approach and cover both digital and physical threats to IT security.

In addition, NIS2 names a few topics that organizations must address as part of their risk mitigation efforts: supply chain security, business continuity, incident handling, security awareness, encryption, access control and multi-factor authentication, among others.

NIS2 Security Requirements: Full List

On June 27 2024, the EU published a draft of a NIS2 Implementing Act which contains a detailed list of security requirements. This implementing act only applies to IT services like cloud computing providers, data centers or managed service providers, which are regulated directly by the EU instead of member states.

However, the act also serves as an effective preview of NIS2 security requirements. It is reasonable to assume that the final requirements for other industries will look quite similar, both in terms of which topics entities need to address and how strict the necessary safety measures need to be.


1. Information Security Policy

To comply with NIS2, organizations need to create an information security policy that outlines their approach for securing their network and IT systems. The security policy must establish security objectives and risk tolerance levels, as well as staff roles and responsibilities. It must also be appropriate to the overall business goals and provide the necessary resources for implementation.

The information security policy must be reviewed regularly and after significant incidents or changes to the IT infrastructure.

2. Risk Management Framework

Regulated entities must also establish a risk management framework that identifies and addresses risks to IT systems. It must be based on a risk assessment and the management body must accept the results, residual risks and mitigation efforts.

Entities must communicate to their staff procedures for identifying, assessing and treating cybersecurity risks. This cybersecurity risk management process must be based on relevant criteria and follow an all-hazards approach. Where appropriate, it should also follow established European and international standards.

In addition, the risk management process must establish who is responsible for implementing risk management measures. Like the security policy, the risk management framework must be reviewed regularly and following major incidents or changes.

Organizations must also monitor their compliance with their own security policy (and smaller, topic-specific policies) through a compliance reporting system. Their security measures must be subjected to impartial internal reviews, avoiding conflicts of interest.

3. Incident Handling

As part of their risk management process, entities must create an incident handling policy, which lays out the correct procedure for detecting and responding to potential security incidents.

The incident handling policy must:

  • Create a categorization system for incidents

  • Create a communication plan for escalation and reporting

  • Assign competent employees to detect and appropriately respond to incidents

  • Include relevant documents like response manuals, escalation charts or contact lists

  • Integrate with the organization's business continuity policy

Incident handling takes place in three stages: Containment, which prevents the incident from spreading further. Eradication, to stop the incident from continuing or reappearing. And finally recovery, to re-establish normal operations.

While handling an incident, response activities must be logged and relevant forensic evidence must be recorded. Following an incident, organizations must carry out a post-incident review to identify the root cause and apply lessons learned to reduce the likelihood of similar incidents. Emergency response plans must likewise be regularly tested and reviewed.

NIS2 requires regulated entities to report significant incidents within 24 hours to their competent authority or CSIRT. Organizations must also submit a more detailed report within 72 hours and a final report one month after the incident (unless it persists).

4. Monitoring and Logging

NIS2 requires organizations to monitor and log activities on their network and IT systems through suitable tools in order to detect possible incidents, respond quickly and mitigate their impact. Monitoring should be automated as much as possible, though the organization remains responsible for reviewing and classifying events.

Entities must maintain and review an event log that tracks things like:

  • In- and outbound network traffic

  • Creation, deletion or modification of accounts, changes to permissions

  • Access to systems and applications

  • Authentication-related events

  • Activities of privileged accounts

  • Access to backup or config files

  • Firewall, antivirus or intrusion detection logs

  • Usage and performance of system resources

  • Physical access to facilities

  • Access to network devices

  • Starting, stopping and pausing of logs

  • Environmental events like fire alarms

The event log must be centrally stored, protected against unauthorized access and regularly backed up to prevent loss. In addition, entities must create a process that allows employees, suppliers or customers to report suspicious events.

5. Business Continuity

As part of their NIS2 compliance, regulated entities must establish a business continuity and disaster recovery plan. This plan must be based on a risk and business impact analysis. It should include:

  • Staff roles and responsibilities

  • Conditions for activating and deactivating the emergency plan

  • Key contacts and emergency communication channels

  • A prioritized order of recovery for operations

  • Recovery plans and objectives for specific operations

  • Information on the required resources, like backups and redundant systems

  • Temporary measures for restoring activities

  • Information on the incident handling policy

In addition, organizations must maintain backup copies of important information. These backups must be stored securely off-site and subjected to regular integrity checks. Companies must also ensure sufficient redundancies in terms of staff, facilities and IT systems. Backup copies and redundancies must be tested regularly to ensure they can be relied upon in a recovery scenario.

6. Supply Chain Security

Supply chain security is one of the main areas of interest for the NIS2 directive. Businesses affected by NIS2 must create a supply chain security policy that governs their relationship with direct suppliers and service providers. Organizations must also maintain a directory of all direct suppliers and service providers, including a list of ICT products, services or processes provided by them.

As part of their supply chain security policy, organizations must set criteria for selecting suppliers, which must include:

  • The cybersecurity practices of the supplier or service provider

  • Their ability to meet cybersecurity specifications set by the organization

  • The quality and resilience of IT products, services and risk management measures

  • The ability of the organization to diversify suppliers and limit vendor lock-in

In addition to these criteria, NIS2 establishes requirements for contracts and service level agreements (SLAs) with their suppliers. Organizations must specify:

  • Cybersecurity requirements for suppliers, including secure acquisition of IT products

  • Requirements regarding staff skills, training or certifications

  • Requirements regarding staff background checks

  • Provisions for repair times

  • The right to audit suppliers or receive independent audit reports from them

  • Obligations for suppliers to notify entities of any incidents that present a risk to their IT systems

  • Obligations for suppliers to handle vulnerabilities that present a risk to the entity’s IT systems

  • Details on subcontracting, including cybersecurity requirements for subcontractors

  • Requirements relating to contract termination, such as secure disposal of information

7. Secure IT Acquisition, Development & Maintenance

Organizations affected by NIS2 have to minimize risks related to the acquisition of IT services and products critical to the security of their network and information systems. Businesses must:

  • Define security requirements for the acquisition of IT services and products

  • Replace IT products that no longer receive security updates (end of life)

  • Document the hardware and software components of IT services and products

  • Document the cybersecurity features of IT products and ensure they are configured correctly

When developing their own software, entities must ensure secure development processes for all development phases, from design to development, implementation, testing and maintenance. Development must also follow best practices like zero trust and security by design.

To ensure the safe usage of IT systems, regulated entities must ensure they are correctly configured, use malware protection and receive security updates in a timely fashion. Organizations must also follow procedures for change management and patch management, perform regular vulnerability scans and identify other issues through security testing.

Member states can require essential or important entities to use only IT products and services that have achieved European cybersecurity certification. To this end, ENISA has developed the certification scheme EU Common Criteria (EUCC), an adaptation of the existing Common Criteria standard.

8. Network Security

Entities regulated by NIS2 must take appropriate measures to protect their network from threats. This requires up-to-date documentation on their network architecture, access controls within their own network, closing unneeded ports and access points, procedures for secure remote access and the usage of secure protocols.

On top of that, entities must use network segmentation to divide their network into different areas based on the security needs and risk analysis for different devices and processes.

9. Assessing Effectiveness

Based on their risk assessments and prior incidents, organizations must establish a policy and procedures to assess whether their information security policy is effectively implemented. For this assessment, organizations need to define:

  • Who is responsible for measuring effectiveness?

  • Who is responsible for evaluating the results?

  • Which risk management measures need to be evaluated (including specific controls)?

  • Which methods should be used for evaluating effectiveness?

  • When and how often does measuring need to take place?

10. Security Awareness

Businesses affected by NIS2 must educate their staff on security risks, the importance of cybersecurity and basic cyber hygiene practices. This requires regular training for both new and existing employees. Staff training must cover all relevant aspects of the information security policy and topic-specific policies.

For employees whose role requires additional skills and expertise related to cybersecurity, businesses must provide advanced training to cover the necessary information.

11. Encryption

Depending on information sensitivity and asset classification, organizations must implement appropriate procedures for encryption, including the secure management of cryptographic keys where necessary.

12. Human Resources Security

Regulated entities must ensure that all employees, as well as direct suppliers and service providers, know, understand and follow the security policies that apply to them, from the information security policy to topic-specific policies. Management bodies and users with privileged access likewise need to understand and follow their roles and responsibilities.

Obligations that remain valid after leaving the organization, such as confidentiality, must be explicitly stated in the terms and conditions of employment. Organizations must also put in place access control policies to ensure that access for former employees and suppliers is automatically revoked.

Organizations can require background checks before allowing employees to carry out certain roles and responsibilities. It is left up to organizations to determine which roles (if any) require background checks. Checks must be carried out in accordance with national and international laws and labor regulations.

13. Access Control

NIS2 requires businesses to implement an access control policy in order to manage the access to IT systems for employees, guests, external accounts, apps and devices.

Through this policy, organizations need to manage the entire lifecycle of their digital identities. Accounts and their activities must be linked to a single person. Shared accounts can be used only when strictly necessary for business operations. Shared accounts also require explicit management approval.

Identities must be protected through secure authentication methods, especially multi-factor authentication. After repeated failed logins, accounts must be blocked and new credentials must be set. Admins must use separate accounts for system administration and normal activities.

Access rights must be assigned, managed and revoked based on best practices like the principle of least privilege and separation of duties. When an employee’s role changes or they leave the organization, access rights must be modified accordingly.

Access to network and information systems must be authorized by their owner. Access rights must be logged and regularly reviewed through so-called re-certifications or user access reviews. Access rights that are no longer needed must be removed.
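As an added illustration (not code from the original article or from tenfold's product), the following Python sketch models several of the access controls described above on constructed sample data: blocking an account after repeated failed logins, and a re-certification that flags shared accounts without management approval, accounts not linked to a single person, leavers who still hold rights, overdue reviews and admins without a separate account for daily work. The thresholds, review interval and account names are assumptions; NIS2 does not fix them.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters: assumed values, NIS2 itself does not fix the numbers.
LOCKOUT_THRESHOLD = 5                  # failed logins before an account is blocked
LOCKOUT_WINDOW = timedelta(minutes=15)
REVIEW_INTERVAL = timedelta(days=90)   # maximum age of the last access review

@dataclass
class Account:
    name: str
    owner: str | None                  # the single person the account is linked to
    privileged: bool = False
    shared: bool = False
    shared_approved: bool = False      # explicit management approval for shared use
    active_employee: bool = True       # False once the owner has left
    rights: set = field(default_factory=set)
    last_reviewed: datetime | None = None
    locked: bool = False

def apply_lockouts(accounts, auth_events):
    """Block an account after LOCKOUT_THRESHOLD failures inside LOCKOUT_WINDOW."""
    # auth_events: (timestamp, account name, success) tuples in any order.
    recent_failures = {}
    for ts, name, success in sorted(auth_events):
        if success:
            recent_failures[name] = []    # a successful login resets the counter
            continue
        window = [t for t in recent_failures.get(name, []) if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        recent_failures[name] = window
        if len(window) >= LOCKOUT_THRESHOLD and name in accounts:
            accounts[name].locked = True
    return sorted(a.name for a in accounts.values() if a.locked)

def access_review(accounts, now):
    """Return sorted (account, finding) pairs that a re-certification would raise."""
    findings = []
    has_standard = {a.owner for a in accounts.values() if a.owner and not a.privileged}
    for a in accounts.values():
        if a.shared and not a.shared_approved:
            findings.append((a.name, "shared account lacks management approval"))
        if not a.shared and a.owner is None:
            findings.append((a.name, "account not linked to a single person"))
        if not a.active_employee and a.rights:
            findings.append((a.name, "leaver still holds access rights"))
        if a.last_reviewed is None or now - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((a.name, "access rights overdue for review"))
        if a.privileged and a.owner and a.owner not in has_standard:
            findings.append((a.name, "admin has no separate account for daily work"))
    return sorted(findings)

# Constructed sample data, not taken from the article.
NOW = datetime(2024, 10, 18, 9, 0)
D = timedelta
ACCOUNTS = {
    "alice": Account("alice", "Alice", rights={"crm"}, last_reviewed=NOW - D(days=30)),
    "alice-adm": Account("alice-adm", "Alice", privileged=True, rights={"ad"}, last_reviewed=NOW - D(days=30)),
    "bob-adm": Account("bob-adm", "Bob", privileged=True, rights={"backup"}, last_reviewed=NOW - D(days=120)),
    "svc-print": Account("svc-print", None, shared=True, rights={"print"}, last_reviewed=NOW - D(days=10)),
    "carol": Account("carol", "Carol", active_employee=False, rights={"erp"}, last_reviewed=NOW - D(days=5)),
}
# Five failed logins on bob-adm within 14 minutes, one stray failure on alice.
AUTH_EVENTS = [(NOW - D(minutes=m), "bob-adm", False) for m in (14, 12, 9, 5, 1)]
AUTH_EVENTS.append((NOW - D(minutes=3), "alice", False))
```

Calling `apply_lockouts(ACCOUNTS, AUTH_EVENTS)` locks only `bob-adm`, and `access_review(ACCOUNTS, NOW)` returns the four findings a reviewer would expect from the sample data.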

To fulfill the NIS2 access control requirements, organizations need a dedicated solution for identity & access management. These automated tools are the only way to effectively implement controls like least privilege access, lifecycle automation & access reviews.

For the small to mid-sized organizations targeted by NIS2, this can be a problem: Typical IAM solutions are designed for large enterprises and require a lot of staff and dedicated resources to operate. But there's good news: tenfold's no-code IAM platform helps you automate your identity & access governance with minimal effort!

14. Asset Management

As part of their NIS2 compliance, organizations need to securely manage information and other assets. To this end, companies need to establish an up-to-date inventory of all assets that support normal business operations. Changes to this inventory must be recorded in a traceable way.

In addition to inventorying assets, organizations need to establish a classification system and apply classification levels to all assets based on their required level of protection. Organizations also need to create a policy for handling assets that covers their entire lifecycle and includes instructions for safe use, storage, transport and destruction. Regulated organizations also need to ensure that exiting employees return all assets.

Moreover, regulated entities must create a policy for the usage of removable storage media. The use of removable media should be blocked at the device level unless there is an explicit reason for its use. In that case, the automatic execution of files should be blocked and storage media should be scanned for malicious code prior to use. Removable media must be controlled while in storage or transit and their contents must be protected through encryption where possible.

15. Physical Security

NIS2 follows an all-hazards approach, meaning that organizations need to protect against physical threats to their IT systems as well as digital ones. This includes preventing unauthorized access to facilities through access controls and physical security.

Companies must also protect against disruptions caused by utilities such as a loss of power, water, gas or internet supply. To ensure the continuous effectiveness of information systems, businesses need to monitor any controls necessary for the operation of the service, such as power, temperature and humidity control.

Finally, organizations must implement protections against environmental threats such as fire, flooding or lightning strikes.

NIS2 vs. ISO 27001: What Are the Differences?

The requirements of NIS2 are largely identical to those of the security standard ISO 27001. Given that both aim to provide comprehensive risk management measures to defend against both digital and physical threats, it shouldn't come as a surprise that they end up addressing the same topics.

However, there are some important differences between NIS2 and ISO 27001:

  • Fixed scope: As a voluntary security standard, ISO 27001 gives companies some freedom to define their own scope and choose which controls are applicable to their IT. By comparison, NIS2 requires entities to protect their entire IT. However, even NIS2 allows for some adjustments or compensating controls, since the implementation effort must be proportional to the entity’s risk level.

  • Cybersecurity training for managers: In order to assess IT risks and oversee the implementation of risk management measures, the management bodies of regulated entities must take part in regular dedicated trainings.

  • Reporting obligations: Businesses covered by NIS2 must report significant incidents within 24 hours. They must also submit a more detailed notice within 72 hours and a final report within one month of the incident.

The biggest difference between NIS2 and ISO 27001 is that NIS2 is a binding EU directive enforced through considerable fines. The penalty for non-compliance can be as high as 10 million Euro or two percent of annual revenue.

What Is NIS2?

NIS2 is an EU directive designed to improve IT security in essential services. It regulates entities with more than 50 employees in 16 different sectors. Experts estimate that roughly 150,000 businesses across the EU are affected by NIS2.

Aside from cybersecurity risk management, NIS2 also covers national cybersecurity agencies, the coordination of computer security incident response teams (CSIRTs) and EU-wide initiatives like the creation of cybersecurity certification schemes and a vulnerability database based on the CVE model.

When Does NIS2 Take Effect?

NIS2 was already passed into law by the European Parliament at the end of 2022. However, before NIS2 takes effect, member states first have to pass their own laws to enforce the directive on the national level. EU countries have until October 17 2024 to do so.

This means that on October 18 2024, compliance with the NIS2 Directive will become mandatory for regulated entities. That includes registering as an important or essential entity, implementing the required risk control measures and reporting significant incidents to the relevant authorities.

If you want to track the status of NIS2 legislation in your country, check out the NIS2 Implementation Tracker by Bird&Bird.

Who Does NIS2 Apply To?

NIS2 creates cybersecurity requirements for important and essential entities, i.e. businesses and other organizations that are critical to the public and where a disruption of service would have significant impact on public life and the economy.

Whether businesses are considered important or essential depends on their size and the sector they operate in. Here’s a quick explainer:

Essential Entities

More than 250 employees or annual revenue of over 50 million Euro

  • Energy

  • Transport

  • Banking

  • Healthcare

  • Water

  • IT Infrastructure

  • IT Services

  • Government

  • Space

Important Entities

More than 50 employees or annual revenue of over 10 million Euro

  • Energy

  • Transport

  • Banking

  • Healthcare

  • Mail & Couriers

  • Food

  • Chemicals

  • Waste Mgmt.

  • Water

  • IT Infrastructure

  • IT Services

  • Online Services

  • Government

  • Space

  • Manufacturing

  • Research

Note: NIS2 can also apply to companies with fewer than 50 employees if they are the only provider within a member state or if a disruption of their service would have significant impact on public safety, security or health. Public administration and certain digital services are covered by NIS2 regardless of their size.

NIS2: Sector-Specific Exceptions

To prevent businesses from having to fulfill multiple, overlapping regulations, NIS2 contains an exception for entities covered by sector-specific EU laws, such as the DORA Act in the financial sector.

For this exception to work, the law in question must cover all entities that NIS2 would apply to in the given sector, and it must contain security requirements and reporting obligations that are at least equal to NIS2.

NIS2: Essential vs. Important Entities

NIS2 covers two different types of entities: essential and important. In general, the same security requirements, reporting obligations and fines apply to both essential and important entities. However, safety measures can be tailored to the scope of the organizations, since NIS2 follows the principle of proportionality. This means that the cost of implementation for risk management measures must be proportional to the entity’s size, exposure to risk and the likelihood of incidents.

An important difference between essential and important entities is in the NIS2 enforcement: Essential entities can be subjected to random checks and ad-hoc audits. Meanwhile, important entities are only audited when there is reason to suspect non-compliance.

About the Author: Joe Köller

Joe Köller is tenfold's Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.