The NIS2 (Network and Information Security 2) Directive (Directive 2022/2555) provides cybersecurity legislation covering all EU states. NIS2 is an update to the NIS1 Directive, which it replaces. The EU’s overarching principle when it comes to cybersecurity and privacy centers on harmonization approaches. The EU’s GDPR is an example of applying a standardized approach to data privacy. The European Parliament describes NIS2 as a “high common level of cybersecurity across the Member States.” Here, AccessOwl explores NIS2 compliance and whom it affects.

A brief history of NIS2

Threats like ransomware and data breaches have a major impact on organizations throughout the EU. The European Parliament designed the NIS Directive to help organizations tackle these threats. In July 2016, the European Parliament put NIS1 into force. As cyber-attacks continued to escalate and increase in sophistication, the EU Parliament voted to adopt an update, NIS2, in May 2022. By November 2022, NIS2 was formally approved. January 16, 2023, saw NIS2 put into force. The NIS2 Directive deadline for transposition into law is set for October 17, 2024. By this time, any covered entity must demonstrate compliance with the NIS2 Directive.

Why is NIS2 needed?

Cyber-threats continue to plague companies worldwide. The NIS2 Directive is a reaction to these threats. ENISA (European Union Agency for Cybersecurity) publishes yearly reports exploring the threat landscape. The most recent report warned of new forms of phishing and zero-day exploits targeting EU organizations. The goal of NIS2 is to improve the cybersecurity posture of organizations deemed “essential and important entities.” This includes organizations in energy, retail, transport, banking, health, and public administration. Notably, NIS2 provides essential guidance for dealing with cyber-threats against supply chain members and service companies.

What is the NIS2 Directive?

NIS2 provides guidelines and best practices for defending against modern cyber-attacks. The EU describes the Directive as the first “horizontal” (that is, cross-sector) cybersecurity law in the EU. The NIS2 requirements, when correctly implemented, provide cyber-resilience in critical infrastructures and OT environments.

NIS2 acts as a framework based on cybersecurity requirements. The framework is built upon a set of principles that act as a baseline for tackling modern cyber threats. The principles include:

• Best practice cybersecurity measures to harmonize the security approach across EU Member States.

• Enforcing the requirements of NIS2 using strict penalties.

• Obligatory incident reporting requirements and intelligence collaboration.

Which organizations does NIS2 apply to?

The NIS2 Directive covers organizations classified as “essential entities” or “important entities.” The difference between the two classes is that essential entities are subject to stricter supervisory and enforcement measures. The NIS2 Directive also classifies organizations by size:

Micro and small organizations: Fewer than 50 employees, with an annual revenue of less than 10 million euros.

Mid-size organizations: 50 to 250 employees, with an annual revenue of 10 to 50 million euros.

Large organizations: More than 250 employees, with an annual revenue of more than 50 million euros.

Organizations are then further split into important and essential. However, specific organizations are “essential” by default. 

Essential entities

Organizations in this category include energy, transport, banks, financial market infrastructures, health, drinking water, wastewater, digital infrastructures, public administration, and space. If an interruption in an entity’s service would have a consequential impact on society, it is deemed essential by default. 

Important entities

Organizations in this category include postal and courier services, waste management, production and distribution of chemical products, production, processing and distribution of food, production of medical equipment, and digital suppliers.

The full range of covered entities and classification of organizations can be found in NIS2 Annex I and II.

Small organizations and NIS2

NIS2 Article Paragraphs 2, 3, and 4 provide details on the scope of the Directive when it comes to smaller organizations. For example, regardless of their size, the Directive applies to organizations that provide public electronic communications networks that could significantly impact public health or security if breached. The Directive includes impacts that could have cross-border effects. Smaller organizations that are involved in public administration are also covered. Generally, regardless of company size, if a cybers-attack could have “significant impact on critical societal or economic activities,” the entity will be covered by NIS2.

Cybersecurity measures in NIS2

The NIS2 Directive requires important and essential entities to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.” This statement covers the entire life cycle of risk mitigation and incident management. The Directive describes this as an “all-hazards approach.” The Directive lists appropriate measures, including the following: 

1. Risk analysis and information system security policies.

2. Incident handling.

3. Business continuity (backup management, disaster recovery, and crisis management).

4. Supply chain security.

5. Network and information systems lifecycle security — that is, the use of processes that cover identifying, assessing, designing, implementing, protecting, and monitoring.

6. Analysis of the effectiveness of cybersecurity risk-management measures.

7. Cybersecurity awareness training.

8. Policies on the use of cryptography and, where appropriate, encryption.

9. Human resources security, access control policies, and asset management.

10. Multi-factor authentication or continuous authentication solutions.

11. Other measures,including secured voice, video and text communications and secured emergency communication systems, where appropriate.

 NIS2 promotes collaboration and vulnerability-sharing, and ENISA is responsible for developing and maintaining a European vulnerability registry.

 NIS2-covered entities are expected to undergo supervision, which includes the following activities:

• Regular audits

• On-site and off-site checks

• Requests for information

• Access to documents and other evidence of compliance

NIS2 and identity access management (IAM)

NIS2 principles focus on the protection of critical infrastructures and digital services. Microsoft’s Digital Defense Report highlights significant increases in cyberattacks targeting critical infrastructures. The report identifies exploitation of employee login credentials or unauthorized access via third-party suppliers and contractors. NIS2 cybersecurity measures mention multi-factor authentication (MFA) and continuous authentication solutions. Both play critical parts in enforcing access controls to protect sensitive resources and network areas. Therefore, compliance with NIS2 must include robust IAM within a framework of a zero-trust architecture.

 Effective identity management provides the rails for managing and monitoring access, helping enforce security policies. The implementation of Identity Governance and Administration (IGA) is pivotal in implementing the principle of least privilege for access rights to information and sensitive areas of a network. A zero-trust identity approach is upheld using identity verification and enforcement of least privilege access rights.

Organizations covered by NIS2 typically have complex hybrid environments. Inclusion of supply chain members, support for remote working, and third-party contractors means that robust access enforcement across a disparate work environment is critical. By enforcing access on a need-to-know basis, and performing verification checks when access is requested, an organization can demonstrate and uphold NIS2 compliance. Unauthorized access must be prevented to stop data breaches and other cyber-attacks, like DDoS and ransomware infection.

How to comply with NIS2

NIS2 compliance is a process that should cover and implement the following:

1. Manage security risk using policies and procedures.

2. Use measures to protect against cyber-attacks — for example, IAM and IGA, security awareness training, and encryption where appropriate.

3. Detect cybersecurity attacks — for example, continuous monitoring and behavioral analysis.

4. Minimize the impact of security incidents — for example, incident handling and business continuity planning.

Penalties for non-compliance with NIS2

According to Article 34 of the NIS2 Directive, the following penalties are imposed for non-compliance:

Essential entities: A minimum of 10 million euros or 2% of the total worldwide annual turnover, whichever is higher.

Important entities: A minimum 7 million euros or 1.4% of the total worldwide annual turnover, whichever is higher.

NIS1 vs. NIS2

NIS2 broadens the scope of organizations that fall under covered entities. NIS2 includes cloud infrastructure, internet exchanges, and domain name system (DNS) service providers. The new directive removes the distinction between operators of essential services (OES) and digital service providers (DSP). Instead, NIS2 classifies entities as essential or important based on the service criticality.

NIS2 has more stringent security measure expectations than NIS1, including updated authentication mechanisms in NIS2. For example, NIS2 requires stronger authentication methods, with Preamble 81-90 saying this about authentication:

“Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness.”

NIS2 and non-EU companies

If a company does business in the EU and is a NIS2-covered entity, it will be required to adhere to NIS2. The jurisdiction requirements reflect the Member State where the non-EU organization provides services. Compliance can get more complicated if an entity provides services in multiple Member States. The service provider then must abide by the jurisdiction of all the Member States within which they provide services.

NIS2 also has cross-border collaboration requirements for multinational companies. NIS2 harmonization and collaboration will help ameliorate the impact of NIS compliance across borders.