NIS 2: Security Requirements for Businesses

With the NIS 2 Directive, Europe is establishing cybersecurity requirements for essential and important entities in sectors like food, energy, healthcare and digital services. NIS 2 affects far more businesses than the original directive. Learn what companies need to do to comply with NIS 2 and how you can prepare for the upcoming changes.

What Is NIS 2?

The NIS 2 Directive is a piece of EU legislation designed to improve IT security in essential services, prevent cyberattacks and avoid disruptions to public life and the economy. Compared to the original NIS Directive from 2016, NIS2 includes stricter security requirements and addresses a wider range of businesses and sectors. Experts estimate that roughly 150,000 entities across the EU are affected by NIS 2.

Aside from cybersecurity in essential services, NIS 2 also covers national cybersecurity agencies, the coordination of computer security incident response teams (CSIRTs) and EU-wide initiatives like the creation of a vulnerability database based on the CVE system.

When Does NIS 2 Take Effect?

NIS 2 was passed in December 2022 and officially entered into force on January 16, 2023. However, before the directive applies to regulated entities, the EU member states first have to pass their own laws transposing NIS 2 into national legislation. EU countries have until October 17, 2024 to pass their national laws implementing NIS 2.

This means that starting from October 18, 2024, businesses affected by NIS 2 will be required to register with their national agency, report significant incidents and comply with the obligations of the directive. It also means proving compliance through official certification or periodic audits.

How Do NIS 2 Laws Differ From the Directive?

EU directives like NIS 2 are based on the concept of minimum harmonization. This means that all member states are required to pass laws that are at least as strict as the EU directive.

However, while countries cannot go below the minimum requirements, they can pass laws that are stricter than NIS 2, for example by including additional sectors or setting harsher cybersecurity requirements. Because of this flexibility, businesses won’t know the exact details of NIS2 in their country until the law governing them is passed.


Who Is Affected by NIS 2?

NIS 2 targets important and essential entities in areas that are critical to the public. Whether a company is considered an important or essential entity depends on its industry and size: Businesses are considered essential if they operate in one of the sectors of high criticality listed in Annex 1 and have more than 250 employees or an annual revenue of over 50 million Euro.

Sectors of High Criticality (Annex 1)

  • Energy: Electricity, oil, gas, hydrogen, heating and cooling

  • Transport: Road, rail, air and water

  • Banking: Banks, stock markets, financial institutions

  • Healthcare: Hospitals, labs, research centers, pharmacies and medical devices

  • Water: Waste water and drinking water

  • Digital infrastructure: Data centers, cloud computing, DNS providers etc.

  • ICT services: Managed services and managed security services

  • Public administration: Central and regional government entities

  • Space: Operators of ground infrastructure

Other Critical Sectors (Annex 2)

  • Post and couriers: Mail and package shipping

  • Waste management: Waste collection, processing and recycling

  • Chemicals: Production and distribution of chemicals

  • Food: Production, processing and distribution of foodstuffs

  • Manufacturing: Manufacturers of medical devices, machinery, vehicles and electric/electronic devices

  • Digital services: Search engines, online marketplaces and social networks

  • Research: Research organizations

Companies that are not considered essential, but still belong to one of the sectors listed in Annex 1 or Annex 2 AND have more than 50 employees or an annual revenue of over 10 million Euro are considered important entities. The easiest way to describe the split between essential and important entities is this:

  • Essential entities: Large companies (>250 employees) in an industry from Annex 1.

  • Important entities: Medium-sized companies (>50 employees) from Annex 1 PLUS large and medium-sized companies from Annex 2.

Note: Companies with fewer than 50 employees can still be affected by NIS 2 if they are the sole provider of an essential service within a member state, or if a disruption of their service would have a significant impact on public safety, security or health. Public administration and certain digital services fall under NIS 2 regardless of their size.

What Is the Difference Between Essential and Important Entities?

In general, NIS 2 lays out the same security requirements for both essential and important entities. However, the directive also notes that appropriate risk management measures need to take into account the business's size, the likelihood of an attack and the potential impact on the economy and society. Given this, essential entities will need to demonstrate a higher level of cybersecurity than important entities.

There are also differences between essential and important entities when it comes to supervision and enforcement: Essential entities are more strongly supervised, with regular, targeted and ad-hoc audits, while important entities are only audited after security incidents. In addition, many essential entities also fall under the EU CER Directive on the resilience of critical entities.


NIS 2 Cybersecurity Requirements

NIS 2 requires essential and important entities to “take appropriate and proportional technical, operational and organisational measures to manage risks posed to the security of network and information systems […] and to prevent or minimise the impact of incidents […]” (Article 21).

So, what does that mean for your organization? Right now, we do not know the exact requirements of NIS 2, which will be specified by member states when they pass their own laws and regulations to implement the directive. Because of this, there may be minor differences between countries in terms of which security measures they require.

However, we already know which areas must be covered by a risk management program in order to comply with NIS 2, since the directive specifies topics that must be addressed regardless of how countries decide to phrase their own laws. Additionally, we know that NIS 2 is probably going to follow existing best practices and established standards, which organizations can therefore look to for guidance.

NIS 2: IT Risk Management

A NIS 2 compliant risk management program must include:

  • Risk assessments and analysis

  • Information security policies

  • Incident handling

  • Business continuity management

  • Supply chain security

  • Secure software acquisition

While we don’t currently know the exact requirements businesses need to meet in each of these areas, NIS 2 specifies that risk management programs should take into account “relevant European and international standards”, so the requirements of NIS 2 are likely to mirror existing cybersecurity frameworks such as ISO 27001 or the CIS Controls.

NIS 2: What You Can Do to Prepare

Even though many details surrounding NIS 2 still need to be cleared up by implementing acts and national laws, it is important that affected businesses do not wait around until everything has been finalized. If you delay your NIS 2 implementation until every detail is known, there simply will not be enough time to prepare.

So, what can you do to prepare for NIS 2? The answer is simple: Look to existing cybersecurity standards and follow their recommendations on the topics NIS 2 requires you to address. There may be minor differences, but NIS 2 is unlikely to stray far from the expert advice of frameworks like ISO 27001 or NIST CSF.

After all, cyber hygiene, staff training, data encryption, multi-factor authentication and strict access control are all considered best practices for a reason. Cybersecurity experts generally agree that these security measures are essential, regardless of whether or not you need them for compliance reasons.

The important part is that you get started as soon as possible. Performing risk analyses, establishing security policies, reviewing your supply chain, updating service provider agreements and choosing appropriate security solutions – all of this takes time! The sooner you start to prepare for NIS2, the better.

NIS 2: Supply Chain Security

Aside from strengthening their own cybersecurity, businesses affected by NIS2 also need to manage risks across third-party providers and services. With these new obligations, the EU intends to prevent supply chain attacks, a devastating strategy that can allow hackers to breach multiple businesses at once by compromising a supplier or business partner.

Under NIS 2, companies are required to include security provisions in contracts with suppliers and service providers. Additionally, IT products and services used by important or essential entities may require cybersecurity certification under a European scheme. A list of affected products and services will be provided through an implementing act. ENISA has published a guideline on good practices for supply chain cybersecurity as a reference point for suppliers and regulated entities.

NIS 2: Basic Cyber Hygiene Practices

While some NIS 2 requirements, like the use of encryption and secure authentication, are relatively clear, other parts of the directive are kept vague. This includes the requirement to implement basic cyber hygiene practices. While Article 21 does not specify a list of these practices, the directive gives some examples of basic cyber hygiene in its preamble:

Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness […] – NIS2 Preamble Point 89

Protecting information systems is a complex task that involves all sorts of precautions and security measures. As NIS 2 clearly states, secure user management and permission management are a fundamental part of basic cybersecurity. Protecting against unauthorized access reduces the risk of cyber attacks, data breaches and insider threats. On top of that, user and permission management is also central to proving your compliance through detailed records and audit trails.

NIS 2 Compliant Identity and Access Management

Our IAM software tenfold allows you to manage users and permissions across your entire IT environment through one central, automated platform: from Windows services to Microsoft 365 apps and third-party software. With tenfold, you have the identity and access management part of NIS 2’s basic cyber hygiene requirement covered. What’s more, our detailed permission reporting and automated access reviews help you demonstrate your compliance during audits and cybersecurity certifications.

Thanks to a suite of standardized plugins and no code configuration, tenfold is a breeze to set up. While other IAM solutions can take months or years to implement, tenfold is fully operational in just a few weeks. You’ll benefit from increased security and compliance while saving valuable time to focus on more important tasks. Sign up today for a free trial to see just how easy, flexible and powerful tenfold is.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.