NIS 2 Requirements: How the EU Directive Affects Your Company
With the NIS 2 Directive, Europe is establishing cybersecurity requirements for essential and important entities in sectors like food, energy, healthcare and digital services. NIS 2 affects far more businesses than the original directive. Learn what companies need to do to comply with NIS 2 and how you can prepare for the upcoming changes.
What Is NIS 2?
The NIS 2 Directive is a piece of EU legislation designed to improve IT security in essential services, prevent cyberattacks and avoid disruptions to public life and the economy. Compared to the original NIS Directive from 2016, NIS2 includes stricter security requirements and addresses a wider range of businesses and sectors. Experts estimate that roughly 150,000 entities across the EU are affected by NIS 2.
Aside from cybersecurity in essential services, NIS 2 also covers national cybersecurity agencies, the coordination of computer security incident response teams (CSIRTs) and EU-wide initiatives like the creation of a vulnerability database based on the CVE system.
When Does NIS 2 Take Effect?
NIS 2 was passed in December of 2022 and officially went into effect on January 16 2023. However, before the directive is applied to regulated entities, the European member states first have to pass their own laws to incorporate NIS 2 into their national legislation. EU countries have until October 17 2024 to pass their national laws implementing NIS 2.
This also means that starting from October 18 2024, businesses affected by NIS2 will be required to register with their national agency, report significant incidents and comply with the obligations of the directive. This also means proving your compliance through official certification or periodic audits.
How Do NIS 2 Laws Differ From the Directive?
EU directives like NIS 2 are based on the concept of minimum harmonisation. This means that all member states are required to pass laws that are at least as strict as the EU directive.
However, while countries cannot go below the minimum requirements, they can pass laws that are stricter than NIS 2, for example by including additional sectors or setting harsher cybersecurity requirements. Because of this flexibility, businesses won’t know the exact details of NIS2 in their country until the law governing them is passed.
Who Is Affected by NIS 2?
NIS 2 targets important and essential entities in areas that are critical to the public. Whether a company is considered an important or essential entity depends on its industry and size: Businesses are considered essential if they operate in one of the sectors of high criticality listed in Annex 1 and have more than 250 employees or an annual revenue of over 50 million Euro.
Sectors of High Criticality (Annex 1)
Energy: Electricity, oil, gas, hydrogen, heating and cooling
Transport: Road, rail, air and water
Banking: Banks, stock markets, financial institutions
Healthcare: Hospitals, labs, research centers, pharmacies and medical devices
Water: Waste water and drinking water
Digital infrastructure: Data centers, cloud computing, DNS providers etc.
ICT services: Managed services and managed security services
Public administration: Central and regional goverment entities
Space: Operators of ground infrastructure
Other Critical Sectors (Annex 2)
Post and couriers: Mail and package shipping
Waste management: Waste collection, processing and recycling
Chemicals: Production and distribution of chemicals
Food: Production, processing and distribution of foodstuffs
Manufacturing: Manufacturers of medical devices, machinery, vehicles and electric/electronic devices
Digital services: Search engines, online marketplaces and social networks
Research: Research organisations
Companies that are not considered essential, but still belong to one of the sectors listed in Annex 1 or Annex 2 AND have more than 50 employees or an annual revenue of over 10 million Euro are considered important entities. The easiest way to describe the split between essential and important entities is this:
Essential entities: Large companies (>250 employees) in an industry from Annex 1.
Important entities: Medium-sized companies (>50 employees) from Annex 1 PLUS large and medium-sized companies from Annex 2.
Note: Companies with fewer than 50 employees can still be affected by NIS 2 if they are the only provider of an essential service within a member state or disruption of their service would have significant impact on public safety, security or health. Public administration and certain digital services fall under NIS 2 regardless of their size.
What Is the Difference Between Essential and Important Entities?
In general, NIS 2 lays out the same security requirements for both essential and important entities. However, the directive also notes that appropriate risk management measures need to take into account the business’ size, the likelihood of an attack and the potential impact for the economy and society. Given this, essential entities will need to demonstrate a higher level of cybersecurity compared to important entities.
Additionally, there are differences between essential and important entities when it comes to supervision and enforcement: Essential entities are more strongly supervised with regular, targeted and ad-hoc audits, while important entities are only audited after security incidents. Additionally, many essential entities also fall under the EU RCE Directive for the resilience of critical infrastructure.
NIS 2 Requirements for Businesses
Companies affected by NIS 2 are required to register with relevant authorities, provide contact information and report significant incidents. However, the biggest hurdle for regulated entities are the security requirements NIS2 brings with it.
NIS 2 Compliant Risk Management
NIS 2 requires essential and important entities to “take appropriate and proportional technical, operational and organisational measures to manage risks posed to the security of network and information systems […] and to prevent or minimise the impact of incidents […]” – Article 21
In choosing appropriate and proportional safeguards, companies must take into account the state-of-the-art, relevant European and international standards as well as the likelihood and potential impact of an attack. Safety measures need to follow an all-hazards approach that covers digital as well as physical threats.
While NIS 2 does not detail every safety measure regulated companies must implement, it does specify that risk management programs must cover at least the following:
Risk analysis and information security policies
Incident handling (threat response, business continuity and recovery)
Supply chain security (Managing risks across business partners and suppliers, secure IT acquisition, development and maintenance)
Assessing the effectiveness of safety measures
Basic cyber hygiene practices and cybersecurity training
Cryptography and encryption
Human resources security (access control and asset management)
Secure authentication and communication
Note: The security requirements for digital service providers such as data centers, cloud computing services and domain registrars will be established through an implementing act that the European Commission intends to pass before October 17 2024.
NIS 2: Supply Chain Security
Aside from strengthening their own cybersecurity, businesses affected by NIS2 also need to manage risks across third-party providers and services. With these new obligations, the EU intends to prevent supply chain attacks, a devastating strategy that can allow hackers to breach multiple businesses at once by compromising a supplier or business partner.
Under NIS 2, companies are required to include security provisions in contracts with suppliers and service providers. Additionally, IT products and services used by important or essential entities may require cybersecurity certification under a European scheme. A list of affected products and services will be provided through an implementing act. ENISA has published a guideline on good practices for supply chain cybersecurity as a reference point for suppliers and regulated entities.
NIS 2: Basic Cyber Hygiene Practices
While some NIS2 requirements, like the use of encryption and secure authentication, are relatively clear, other parts of the directive are kept vague. This includes the requirement to implement basic cyber hygiene practices. While article 21 does not specify a list of these practices, the directive gives some examples of basic cyber hygiene in its preamble:
Protecting information systems is a complex task that involves all sorts of precautions and safety measures. As NIS 2 clearly states, secure user management and permission management are a fundamental part of basic cybersecurity. Protecting against unauthorized access reduces the risk of cyber attacks, data breaches and insider threats. On top of that, user and permission management is also central to proving your compliance through detailed records and audit trails.
Preparing for NIS 2: Time is Running Out
Many details around NIS 2 still need to cleared up by implementing acts and national laws, but businesses affected by the directive shouldn’t waste any time in preparing for the EU’s new cybersecurity requirements. Especially since the law provides no transition period: Regulated entities need to implement all required safety measures by October 17 2024, no matter when their country of operation passed its NIS 2 law.
Performing risk analyses, establishing security policies, reviewing your supply chain and choosing appropriate IT solutions: All of this takes time. The sooner you start to prepare for the new NIS2 requirements, the better.
NIS 2 Compliant Identity and Access Management
Our IAM software tenfold allows you to manage users and permissions across your entire IT through one central, automated platform: from Windows services to Microsoft 365 apps and third party software. With tenfold, you got the identity and access management part of NIS 2’s basic cyber hygiene requirement covered. What’s more, our detailed permission reporting and automated access reviews help you demonstrate your compliance during audits and cybersecurity certifications.
Thanks to a suite of standardized plugins and no code configuration, tenfold is a breeze to set up. While other IAM solutions can take months or years to implement, tenfold is fully operational in just a few weeks. You’ll benefit from increased security and compliance while saving valuable time to focus on more important tasks. Sign up today for a free trial to see just how easy, flexible and powerful tenfold is.
Access Management Is Essential to IT Compliance