A complete guide for the NIS 2 Directive

2024 01 02 · 10 min read

In 2024, European organisations will intensify their focus on cyber security as the NIS 2 Directive becomes law in Europe. With the compliance deadline set for Q4 2024, we are here to provide a thorough understanding of the NIS 2 Directive, so your organisation gets ready on time. 

In this blog post, we go through the key aspects of the NIS 2 Directive, its significance, compliance requirements, impacted sectors and entities, and what actions every organisation can take.  

What is the NIS 2 Directive? 

The NIS 2 Directive, short for “Network and Information Security Directive,” is a legislative framework introduced by the European Union to bolster cyber security measures across member states.  

It becomes law in 2024. Therefore, entities that fall under the NIS 2 purview need to align with its requirements by Q4 2024, as each member state must transpose it into national law by October 17, 2024. 

Why was the NIS 2 Directive initiated? 

The original NIS Directive was adopted on July 6, 2016, when it was formally approved by the European Parliament and the Council of the European Union. The directive aimed to establish a common level of cyber security preparedness across European Union member states.  

Prompted by the shortcomings of the initial NIS Directive, the NIS 2 Directive was proposed in 2020 and enacted on January 16, 2023. It serves as a continuation and expansion of its predecessor, aiming to rectify those deficiencies. NIS 2 focuses on enhancing the security of networks and information systems by obligating operators of critical infrastructure and essential services to implement security measures and report incidents to the relevant authorities. Compared to NIS, NIS 2 widens its scope, covering more organisations and sectors EU-wide. It emphasises improved supply chain security, simplified reporting obligations, and the enforcement of stringent measures and sanctions throughout Europe. 

How do you prepare for the NIS 2 Directive? 

As the NIS 2 Directive deadline approaches, applicable organisations must take steps to prepare for compliance. This includes: 

  • Checking whether your organisation comes under the directive and identifying the affected units; 
  • Reviewing current security measures, updating security policies, and strategising for NIS 2 compliance; 
  • Integrating new security measures and ensuring incident reporting obligations extend to the supply chain; 
  • Collaborating with an IT partner who can help you prepare for NIS 2 Directive compliance by adopting the needed security measures. 

Unsure where to begin with NIS 2 Directive compliance? Book a consultation with our cyber security experts for guidance. 

What aspects of organisations does the NIS 2 Directive cover?

Aiming to strengthen the EU’s ability to tackle existing and future cyber threats, the NIS 2 Directive brings new rules for organisations in several key areas. The main requirement areas include: 

  • Risk management. Organisations need to take steps to follow the new rules by minimising cyber risks. This includes handling incidents, strengthening supply chain security, improving network security, controlling access better, and using encryption; 
  • Corporate accountability. Organisations’ management must oversee, approve, and get training on cyber security measures while dealing with cyber risks. If there are breaches, leaders might face penalties, including potential liability and a temporary ban from leadership roles; 
  • Reporting obligations. Essential entities must set up processes to quickly report security incidents significantly affecting services or recipients. NIS 2 sets specific deadlines for notifications; 
  • Business continuity. NIS 2 requires entities to plan how to keep things going during major cyber incidents. This plan should include recovery systems, emergency procedures, and forming a crisis response team. 

Need advice on NIS 2 Directive compliance? Contact our IT consultants today. 

In what sectors does the NIS 2 Directive apply? 

In 2018, the NIS Directive marked seven essential sectors vital for the EU’s stability. Later, in 2023, the NIS 2 Directive expanded to eight more important sectors. Let us explore the impacted sectors below. 


7 original sectors of essential entities: 

  • Energy. With its critical infrastructure status, the energy sector is highly exposed to cyberattacks, and the NIS 2 Directive imposes specific requirements to safeguard its networks and information systems;  
  • Health. This sector, comprising public and private healthcare providers, medical equipment manufacturers, and insurance services, plays a pivotal role in EU society and the economy;  
  • Transport. The transport sector, covering urban public transportation, rural roads, and inter-regional air travel, is foundational to modern society. The NIS 2 Directive mandates measures to protect against potential cyber threats;  
  • Finance. The finance sector, including banks, investment firms, and insurance companies, is crucial to the EU economy. Specific requirements under the NIS 2 Directive aim to enhance cyber security resilience; 
  • Water supply. This sector’s disruption could have severe consequences, leading to its categorisation under the NIS 2 Directive. Protective measures are emphasised to ensure uninterrupted services; 
  • Digital infrastructure. Encompassing telecom, DNS, TLD, data centres, trust services, and cloud services, this sector faces increasing cyber threats. The NIS 2 Directive addresses the vulnerability of digital technologies, particularly data centres; 
  • Public administration. The public administration sector is crucial to EU society, providing critical services such as social services and public safety. The NIS 2 Directive emphasises securing systems against potential cyber threats. 

8 added sectors of important entities: 

  • Digital providers. Search engines, online markets, and social networks are vital in the digital age. Aligned with the NIS 2 Directive’s cyber security focus, these platforms play a crucial role in secure online interactions; 
  • Postal services. The postal sector faces growing cyber threats due to increased reliance on digital systems. Protective actions are essential for directive-compliant cyber security resilience; 
  • Waste management. Covered by the NIS 2 Directive, the waste management sector faces cyber threats to its critical operations and must implement protective measures in line with the directive; 
  • Space. This sector requires safeguarding against cyber threats to protect sensitive data and critical systems, aligning with the directive’s cyber security objectives; 
  • Foods. The food sector faces growing vulnerability to cyber threats in a digitised environment. The directive emphasises the need for protective measures to ensure cyber security; 
  • Manufacturing. The manufacturing sector faces heightened cyber security risks. Directive-aligned protective measures are crucial to address potential consequences and enhance security, in line with the NIS 2 Directive; 
  • Chemicals. This sector must implement protective measures to mitigate cyber threats, emphasising the directive’s commitment to sector-specific cyber security; 
  • Research. The NIS 2 Directive highlights protective measures to safeguard valuable data and critical systems in the research sector, contributing to directive-aligned security practices. 

What about the entities outside the EU? 

According to Article 26 (Jurisdiction and Territoriality), if a non-EU entity provides services within the EU but is not based in the EU, it must appoint a representative within the EU. This representative should be located in one of the Member States where the services are offered.  

The entity will be subject to the jurisdiction of the Member State where the representative is established. If there is no representative, any Member State where the entity offers services can take legal action against it for violating the NIS 2 Directive. 

What do the NIS 2 Directive and DORA have in common? 

The relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA) lies in their collective efforts to enhance cyber security within the European Union, albeit with different focal points. NIS 2 aims to standardise cyber security across sectors critical to societal functioning, emphasising supply chain security. On the other hand, DORA specifically targets the financial sector, focusing on bolstering the operational resilience of digital systems. While the NIS 2 Directive outlines predefined financial penalties for non-compliance, DORA delegates the assessment of sanctions to member states.  

Additionally, compliance requirements differ. NIS 2 mandates a security audit every two years, while DORA has stricter demands, including a threat-based test every three years and an annual resilience testing programme. Despite their distinct goals, both pieces of legislation contribute to making digital systems more secure in the EU. 

Timeline for the NIS 2 Directive compliance 

The NIS 2 Directive sets several crucial deadlines for compliance. These deadlines, ranging from adoption and application to periodic reviews, outline the timeline for implementing and assessing the directive’s measures. 

Key NIS 2 Directive deadlines: 

  • October 17, 2024. Member States must adopt and publish measures for NIS 2 Directive compliance. Moreover, the Commission adopts implementing acts specifying technical requirements for various service providers; 
  • October 18, 2024. Application of the adopted measures begins. Also, the repeal of Directive (EU) 2016/1148 (the NIS Directive) becomes effective; 
  • July 17, 2024, and every 18 months after that. EU-CyCLONe submits reports assessing its work to the European Parliament and the Council; 
  • January 17, 2025. The Cooperation Group establishes the methodology and organisational aspects of peer reviews; 
  • April 17, 2025. Member States establish a list of essential and important entities, including domain name registration service providers; 
  • April 17, 2025, and every 2 years thereafter. Competent authorities notify the Commission and the Cooperation Group of the essential and important entities in each sector; 
  • October 17, 2027, and every 36 months after that. The Commission reviews the functioning of the Directive, reporting to the European Parliament and the Council. 

Have additional questions about the NIS 2 Directive? Do not hesitate to contact our IT consultants today. 

What are the penalties for not complying with NIS 2? 

The NIS 2 Directive outlines clear penalties for essential and important entities that do not comply. Penalties can be imposed for things like not meeting security requirements or failing to report incidents. These penalties include: 

  • Non-monetary remedies; 
  • Administrative fines; 
  • Criminal sanctions. 

The fines will differ based on the Member State. Still, the NIS 2 Directive sets a minimum list of administrative sanctions for violating cyber security risk management and reporting obligations. 

Non-monetary penalties 

As the NIS 2 Directive becomes law, national supervisory authorities can enforce non-monetary measures. These include issuing compliance orders, providing binding instructions, ordering the implementation of security audits, and issuing threat notifications to entities’ customers. 

Administrative fines

For the essential entities, encompassing public and private companies in sectors like transport, finance, energy, water, space, health, public administration, and digital infrastructure, authorities can levy a maximum administrative fine of at least €10,000,000 or 2% of the global annual revenue, whichever is higher. 

For important entities, which cover public and private companies in sectors such as foods, digital providers, chemicals, postal services, waste management, research, and manufacturing, authorities can impose a maximum fine of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher. 

Criminal sanctions 

Shifting part of the burden away from IT departments and redefining where responsibility for cyber security sits, the NIS 2 Directive introduces measures (criminal sanctions) that make top management directly accountable for significant lapses in security.  

In particular, where negligence is proven after a cyber incident, NIS 2 empowers Member State authorities to hold an organisation's managers personally responsible. This involves publicising compliance breaches, issuing statements naming the individuals responsible and the nature of the violation, and, for essential entities, potentially imposing a temporary ban on an individual holding a management role after repeated violations. These measures ensure that C-level management faces responsibility and deter negligence in managing cyber risks. 

While organisations tackle NIS 2 Directive compliance, having actionable guidance can ease the process. Let us handle your compliance so you can focus on your business.  

Reserve your consultation today, and we will take care of the rest. 
