NIS2 Directive

The NIS2 Directive is the European Union’s updated cybersecurity legislation that aims to enhance the overall cybersecurity posture across the EU. NIS2 builds upon the previous 2016 NIS Directive by expanding its scope, introducing stricter requirements, and strengthening enforcement measures.

While the NIS2 Directive focuses on the EU, it also applies to businesses outside and not based in the EU that provide essential services to the European economy. In turn, all affected organisations need to understand NIS2 requirements for compliance.

The NIS2 Directive is a set of cybersecurity regulations and requirements applicable to a wide range of organisations and entities across the European Union, including operators of essential services, digital service providers, suppliers of critical technologies, and public administration entities.

The key objectives of the NIS2 Directive are to:

• Establish a standard set of cybersecurity requirements across all EU member states.
• Expand the scope of the directive to cover more sectors and entities.
• Introduce stricter incident reporting obligations and enforcement measures.
• Promote better collaboration and information sharing between member states.
• Ensure a high level of cybersecurity resilience as a standard across the EU.

The NIS2 Directive replaces the previous NIS Directive and aims to address the shortcomings and fragmentation observed in its implementation across the EU. It introduces a more comprehensive and harmonised approach to cybersecurity to protect the EU’s critical infrastructure, digital services, and citizens from the growing threat of cyber incidents and attacks.

The primary purpose of the NIS2 Directive is to establish a standardised level of cybersecurity resilience across the EU. The core objectives of the NIS2 Directive are:

• Increase cybersecurity posture across essential service providers: The directive aims to bolster the cybersecurity capabilities and incident response preparedness of organisations that provide essential services to the EU.
• Streamline cyber resilience through stricter requirements and enforcement: NIS2 introduces more detailed and harmonised security requirements for in-scope entities, as well as stronger enforcement measures and penalties for non-compliance.
• Improve the EU’s overall preparedness to deal with cyber-attacks: By mandating common security practices, incident reporting, and information sharing, the directive seeks to enhance the EU’s collective ability to prevent, detect, and respond to major cyber threats.
• Address shortcomings of the previous NIS Directive: The NIS2 Directive aims to remedy the fragmentation and inconsistencies observed during the implementation of the original NIS Directive across member states.

The overarching purpose of the NIS2 Directive is to raise the baseline cybersecurity resilience across the EU, protect critical infrastructure and services, and enable a more coordinated, effective response to cyber incidents that could disrupt the European economy and society.

The NIS2 Directive introduces a comprehensive set of cybersecurity requirements and obligations that in-scope organisations must comply with by the October 17, 2024, deadline.

Risk Assessment and Management

Organisations must conduct regular risk assessments of their network and information systems and implement appropriate technical and organisational security measures to manage those risks. This includes:

• Policies and procedures for risk analysis and information system security.
• Vulnerability handling and disclosure processes.
• Effective use of cryptography and encryption.

Incident Response and Reporting

NIS2 mandates strict incident reporting requirements. Organisations must have robust incident handling and crisis management procedures in place, including:

• Incident detection, analysis, and classification.
• Notification to relevant authorities within set timelines.
• Coordinated response and recovery measures.

Business Continuity

Entities must develop and maintain business continuity and disaster recovery plans to ensure the continuity of essential services in the event of a disruptive incident. This includes:

• Backup management and restoration procedures.
• Crisis management and communication protocols.

Supply Chain Security

Organisations are responsible for managing cybersecurity risks across their supply chains. They must implement appropriate security measures for relationships with direct suppliers and service providers.

Governance and Accountability

NIS2 places greater emphasis on the role of management in overseeing cybersecurity. Leadership must be actively involved in:

• Approving security policies and risk management strategies.
• Ensuring the effectiveness of cybersecurity measures.
• Providing cybersecurity training and awareness for staff.

Compliance and Enforcement

Failure to comply with the NIS2 requirements can result in significant penalties, including fines of up to 10 million euros or 2% of global annual turnover for “essential entities” and up to 7 million euros or 1.4% of global annual turnover for “important” entities. Authorities also have the power to impose other sanctions, such as temporary service suspensions. To achieve NIS2 compliance, organisations should take the following steps:

1. Assess whether they are classified as an “essential” or “important” entity under the directive.
2. Conduct a comprehensive gap analysis to identify areas requiring improvement.
3. Develop and implement the necessary security policies, processes, and controls.
4. Ensure effective governance, accountability, and cybersecurity awareness.
5. Establish robust incident response and business continuity capabilities.
6. Assess and manage supply chain security risks.
7. Be prepared for potential audits, inspections, and enforcement actions by authorities.

For more details on NIS2 requirements, visit the official website of NIS2 Directive.

The NIS2 Directive represents a significant evolution from the original NIS Directive, introduced in 2016. Here are the key differences between the two:

• Expanded scope: NIS1 only applied to “operators of essential services” (OES) and “digital service providers” (DSP) in specific sectors. NIS2 expands the scope to cover a much broader range of “essential” and “important” entities across 15 different sectors, including energy, transport, banking, healthcare, digital infrastructure, and more.
• Stricter requirements: NIS2 introduces more detailed and harmonised security requirements that in-scope entities must implement, such as risk assessments, incident response plans, and supply chain security measures. The directive also mandates stricter incident reporting obligations, with shorter timelines for notifying authorities.
• Stronger enforcement: NIS2 empowers national authorities to impose much harsher penalties for non-compliance, including fines of up to 10 million euros or 2% of global annual turnover. Authorities also have the power to issue binding instructions and temporary service suspensions.
• Improved collaboration: NIS2 aims to enhance cross-border cooperation and information sharing between member states by creating a new Cooperation Group. This is intended to strengthen the EU’s collective preparedness and response to major cyber threats.

The fundamental differences are that NIS2 has a significantly broader scope, more stringent security requirements, stronger enforcement mechanisms, and a greater emphasis on cross-border collaboration—all to raise the baseline of cybersecurity resilience across the EU.

The NIS2 Directive outlines mandatory cybersecurity measures that in-scope organisations must implement under Article 21. These cybersecurity requirements include:

• Risk analysis and information security policies: Organisations must establish policies and procedures for conducting regular risk assessments, identifying vulnerabilities, and implementing appropriate security controls to manage identified risks.
• Incident response and reporting: Entities must have robust incident detection, analysis, and response capabilities, including defined roles and responsibilities, as well as processes for timely incident reporting to relevant authorities.
• Access control and authentication: Appropriate access control measures, such as multifactor authentication, must be implemented to prevent unauthorised access to systems and data.
• Data protection and encryption: Organisations must ensure data confidentiality, integrity and availability by leveraging encryption and other data protection techniques.
• Vulnerability management: Entities must have vulnerability handling and disclosure processes in place, including regular vulnerability assessments and the timely patching of known vulnerabilities.
• Backup and business continuity: Robust backup management and disaster recovery capabilities must be established to ensure the continuity of essential services in the event of a disruptive incident.
• Supply chain security: Organisations are responsible for managing cybersecurity risks across their supply chain and must implement appropriate security measures for relationships with direct suppliers and service providers.
• Security monitoring and logging: Comprehensive security monitoring and logging mechanisms must be in place to detect, analyse, and respond to security events.
• Cybersecurity awareness and training: Entities must provide regular security awareness training programmes for their staff to ensure they are equipped to identify and respond to cyber threats.
• Governance and accountability: The organisation’s management must actively oversee and approve the entity’s cybersecurity measures, risk management strategies, and incident response plans.

These measures represent the baseline cybersecurity requirements that in-scope organisations must implement to comply with the NIS2 Directive.

The NIS2 Directive establishes two main categories of entities subject to its cybersecurity requirements: “essential” and “important” entities.

Essential Entities

Essential entities are organisations that are deemed critical to the functioning of the European economy and society. This category includes:

• Operators in the energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, and digital infrastructure sectors.
• Providers of public electronic communications networks and services.
• Qualified trust service providers and TLD (top-level domain) name registries.
• Public administration entities at the central government level.
• Entities designated as “critical entities” under the EU’s Critical Entities Resilience (CER) Directive.

Essential entities are subject to stricter supervisory requirements and higher potential fines for non-compliance than “important” entities.

Important Entities

While not as critical as essential entities, important entities are organisations that still play an important role in the European economy and society. This category includes:

• Postal and courier service providers.
• Waste management entities.
• Manufacturers of chemicals, food, medical devices, electrical equipment, and other products.
• Digital service providers like online marketplaces, search engines, and social media platforms.
• Research organisations (excluding educational institutions).

Important entities are subject to a more flexible, ex-post supervisory approach, where authorities can take action if they receive evidence of non-compliance.

The distinction between essential and important entities is based on factors like the entity’s size, sector, and the potential impact of a disruption. Larger organisations in high-risk sectors are more likely to be classified as essential, while smaller or less critical entities are considered important.

Notably, the NIS2 Directive can also apply to non-EU entities that provide essential or important services to the European market, even if they are not physically located within the EU.

The NIS2 Directive establishes a robust enforcement framework with significant penalties for organisations that fail to comply with its requirements. The directive empowers national authorities to impose both financial and non-financial sanctions on essential and important entities violating the cybersecurity rules.

Financial Penalties

The NIS2 Directive sets clear guidelines for the maximum financial penalties that can be levied:

• For essential entities, the maximum fine is the higher of €10 million or 2% of the organisation’s global annual turnover.
• For important entities, the maximum fine is the higher of €7 million or 1.4% of the organisation’s global annual turnover.

These fines are designed to be severe enough to have a deterrent effect and incentivise organisations to take the necessary steps to ensure compliance.

Non-Financial Sanctions

In addition to financial penalties, national authorities can also impose a range of non-monetary sanctions on non-compliant entities, including:

• Compliance orders requiring the organisation to remedy the violation.
• Binding instructions on specific security measures that must be implemented.
• Mandatory security audits.
• Orders to notify the organisation’s customers of potential risks.
• Temporary bans on providing services or activities.

Personal Liability for Managers

The NIS2 Directive also introduces new measures to hold senior management personally accountable for cybersecurity failures. If gross negligence is found following a cyber incident, authorities can:

• Require the organisation to publicly disclose the compliance breach.
• Issue public statements identifying the individuals responsible.
• For essential entities, impose temporary bans on specific managers from holding executive positions.

These provisions aim to ensure that cybersecurity is treated as a top priority at the highest levels of the organisation rather than just an IT department concern.

The severity of the penalties under NIS2 underscores the European Union’s commitment to driving up cybersecurity standards and resilience across the region. Organisations that fail to take the necessary steps to comply with the directive’s requirements face the risk of significant financial and reputational damage.

We’ve listed essential steps organisations should take to prepare for compliance with the NIS2 Directive:

1. Assess Your Current Cybersecurity Posture

Start by conducting a thorough assessment of your existing IT systems, security controls, and cybersecurity practices. Identify any gaps or weaknesses against the NIS2 requirements.

2. Inform and Engage Leadership

Ensure your organisation’s management team fully understands the NIS2 Directive’s implications and requirements. Present a clear business case outlining the risks of non-compliance and the benefits of proactive cybersecurity measures.

3. Allocate Sufficient Budget and Resources

Work with leadership to secure the necessary budget and resources to implement the required security controls and processes. This may involve investments in new technologies, personnel, training, and ongoing maintenance.

4. Develop a Roadmap and Implementation Plan

Based on your gap assessment, create a detailed roadmap and implementation plan to address the NIS2 requirements. Prioritise the most critical and time-consuming areas to ensure you meet the October 2024 compliance deadline.

5. Enhance Security Policies and Procedures

Review and update your organisation’s security policies, incident response plans, and other relevant procedures to align with the NIS2 Directive’s mandates. This includes measures for risk management, access control, data protection, and supply chain security.

6. Implement Technical Security Controls

Deploy the necessary technical security controls, such as multi-factor authentication, encryption, vulnerability management, and security monitoring and logging capabilities.

7. Provide Cybersecurity Training

Ensure all employees receive regular cybersecurity awareness training to help them identify and respond to potential threats. This is a key requirement under the NIS2 Directive.

8. Assess and Manage Supply Chain Risks

Evaluate the cybersecurity posture of your organisation’s suppliers and service providers and implement appropriate security measures to mitigate risks across the supply chain.

9. Prepare for Incident Reporting and Audits

Establish robust incident detection, analysis, and reporting procedures to meet the NIS2 Directive’s strict notification requirements. Also, be ready for potential audits and inspections by regulatory authorities.

By proactively addressing these key areas, organisations can put themselves in the best position to achieve NIS2 compliance and enhance their overall cybersecurity resilience before the directive takes effect.

Proofpoint offers a range of cybersecurity solutions that can help organisations meet the compliance requirements of the NIS2 Directive:

• Threat Detection and Risk Assessment: Proofpoint Targeted Attack Protection (TAP) provides advanced threat detection and risk assessment capabilities, giving organisations deep visibility into the threats entering their environments. This helps fulfil the NIS2 requirement for receiving and analysing threat and vulnerability information.
• Email Security and Incident Response: Proofpoint Email Protection identifies and blocks email-based fraud and malware, preventing these threats from reaching end-users. This aligns with the NIS2 directive’s incident response and mitigation requirements. Proofpoint Email Encryption also enables secure communication for incident reporting.
• Threat Intelligence and Awareness: Proofpoint Threat Intelligence Service offers detailed threat reports and access to security experts. Proofpoint Phishing Simulation and Security Awareness Training empowers employees to recognise and respond to cyber threats, as required by NIS2.
• Data Protection and Compliance: Proofpoint Email Data Loss Prevention (DLP) and Data Discover solutions can help organisations protect sensitive data and ensure compliance with data protection regulations like GDPR, which are closely tied to the NIS2 directive.

By leveraging Proofpoint’s comprehensive cybersecurity and compliance solutions, organisations can more effectively implement the technical and organisational measures required by the NIS2 Directive and enhance their overall cyber resilience. For more information, contact Proofpoint.