NIS 2 Requirements: How the EU Directive Affects Your Company

The NIS 2 Directive is a piece of EU legislation designed to improve IT security in essential services, prevent cyberattacks and avoid disruptions to public life and the economy. Compared to the original NIS Directive from 2016, NIS2 includes stricter security requirements and addresses a wider range of businesses and sectors. Experts estimate that roughly 150,000 entities across the EU are affected by NIS 2.

Aside from cybersecurity in essential services, NIS 2 also covers national cybersecurity agencies, the coordination of computer security incident response teams (CSIRTs) and EU-wide initiatives like the creation of a vulnerability database based on the CVE system.

NIS 2 was passed in December of 2022 and officially went into effect on January 16 2023. However, before the directive is applied to regulated entities, the European member states first have to pass their own laws to incorporate NIS 2 into their national legislation. EU countries have until October 17 2024 to pass their national laws implementing NIS 2.

This also means that starting from October 18 2024, businesses affected by NIS2 will be required to register with their national agency, report significant incidents and comply with the obligations of the directive. This also means proving your compliance through official certification or periodic audits.

EU directives like NIS 2 are based on the concept of minimum harmonisation. This means that all member states are required to pass laws that are at least as strict as the EU directive.

However, while countries cannot go below the minimum requirements, they can pass laws that are stricter than NIS 2, for example by including additional sectors or setting harsher cybersecurity requirements. Because of this flexibility, businesses won’t know the exact details of NIS2 in their country until the law governing them is passed.

NIS 2 targets important and essential entities in areas that are critical to the public. Whether a company is considered an important or essential entity depends on its industry and size: Businesses are considered essential if they operate in one of the sectors of high criticality listed in Annex 1 and have more than 250 employees or an annual revenue of over 50 million Euro.

Companies that are not considered essential, but still belong to one of the sectors listed in Annex 1 or Annex 2 AND have more than 50 employees or an annual revenue of over 10 million Euro are considered important entities. The easiest way to describe the split between essential and important entities is this:

In general, NIS 2 lays out the same security requirements for both essential and important entities. However, the directive also notes that appropriate risk management measures need to take into account the business’ size, the likelihood of an attack and the potential impact for the economy and society. Given this, essential entities will need to demonstrate a higher level of cybersecurity compared to important entities.

Additionally, there are differences between essential and important entities when it comes to supervision and enforcement: Essential entities are more strongly supervised with regular, targeted and ad-hoc audits, while important entities are only audited after security incidents. Additionally, many essential entities also fall under the EU RCE Directive for the resilience of critical infrastructure.

Companies affected by NIS 2 are required to register with relevant authorities, provide contact information and report significant incidents. However, the biggest hurdle for regulated entities are the security requirements NIS2 brings with it.

NIS 2 requires essential and important entities to “take appropriate and proportional technical, operational and organisational measures to manage risks posed to the security of network and information systems […] and to prevent or minimise the impact of incidents […]” – Article 21

In choosing appropriate and proportional safeguards, companies must take into account the state-of-the-art, relevant European and international standards as well as the likelihood and potential impact of an attack. Safety measures need to follow an all-hazards approach that covers digital as well as physical threats.

While NIS 2 does not detail every safety measure regulated companies must implement, it does specify that risk management programs must cover at least the following:

Aside from strengthening their own cybersecurity, businesses affected by NIS2 also need to manage risks across third-party providers and services. With these new obligations, the EU intends to prevent supply chain attacks, a devastating strategy that can allow hackers to breach multiple businesses at once by compromising a supplier or business partner.

Under NIS 2, companies are required to include security provisions in contracts with suppliers and service providers. Additionally, IT products and services used by important or essential entities may require cybersecurity certification under a European scheme. A list of affected products and services will be provided through an implementing act. ENISA has published a guideline on good practices for supply chain cybersecurity as a reference point for suppliers and regulated entities.

While some NIS2 requirements, like the use of encryption and secure authentication, are relatively clear, other parts of the directive are kept vague. This includes the requirement to implement basic cyber hygiene practices. While article 21 does not specify a list of these practices, the directive gives some examples of basic cyber hygiene in its preamble:

Protecting information systems is a complex task that involves all sorts of precautions and safety measures. As NIS 2 clearly states, secure user management and permission management are a fundamental part of basic cybersecurity. Protecting against unauthorized access reduces the risk of cyber attacks, data breaches and insider threats. On top of that, user and permission management is also central to proving your compliance through detailed records and audit trails.

Many details around NIS 2 still need to cleared up by implementing acts and national laws, but businesses affected by the directive shouldn’t waste any time in preparing for the EU’s new cybersecurity requirements. Especially since the law provides no transition period: Regulated entities need to implement all required safety measures by October 17 2024, no matter when their country of operation passed its NIS 2 law.

Performing risk analyses, establishing security policies, reviewing your supply chain and choosing appropriate IT solutions: All of this takes time. The sooner you start to prepare for the new NIS2 requirements, the better.

Our IAM software tenfold allows you to manage users and permissions across your entire IT through one central, automated platform: from Windows services to Microsoft 365 apps and third party software. With tenfold, you got the identity and access management part of NIS 2’s basic cyber hygiene requirement covered. What’s more, our detailed permission reporting and automated access reviews help you demonstrate your compliance during audits and cybersecurity certifications.

Thanks to a suite of standardized plugins and no code configuration, tenfold is a breeze to set up. While other IAM solutions can take months or years to implement, tenfold is fully operational in just a few weeks. You’ll benefit from increased security and compliance while saving valuable time to focus on more important tasks. Sign up today for a free trial to see just how easy, flexible and powerful tenfold is.