The NIS2 Directive: Why it is important for Europe

In 2016, the EU introduced the “Network and Information Security” (NIS) directive as a means to protect the European infrastructure, economy, and society against the rising level of cybersecurity incidents. 

The EU understood that some companies supplied services that were incredibly important to European organizations and citizens (such as energy, transport, finance, etc.). Any security incident at one of these suppliers could have a detrimental impact on society. As a result, it was time to improve these suppliers' cybersecurity resilience. NIS was born, and it became the first attempt at introducing EU-wide cybersecurity legislation for all critical suppliers. 

NIS was a great initiative; however, many EU member states interpreted the directive differently, and its scope and requirements varied from country to country. It became clear that the EU needed to be more specific about its requirements if suppliers were to live up to Europe's need for better cybersecurity. This led to the revision that became NIS2.   

What is NIS2? 

NIS2 is an EU cybersecurity directive that mandates which cybersecurity risk management practices essential and important entities must have in place, and how significant incidents must be reported to the national authorities. Member States had to transpose it into national law by 17 October 2024. Failure to comply can result in administrative fines: the directive requires Member States to set maximum fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% for important entities. 

To whom does NIS2 apply 

NIS2 applies to companies, suppliers, and organizations (referred to as "entities") that deliver essential or important services for the European economy and society. If your organization operates in one of the sectors listed below and meets the size threshold described further down, NIS2 applies to you. 

Examples of “Essential Entities” (EE) include:

  • transport
  • energy
  • banking
  • health 
  • water
  • public administration

Examples of “Important Entities” (IE) include:

  • postal and courier services
  • waste management
  • chemical production and processing
  • food
  • manufacturing of medical devices
  • digital providers (search engines, social networking platforms, etc.) 

NIS2 also applies to entities established outside the EU if they offer in-scope services within the EU; such entities must designate a representative in one of the Member States where they offer those services. 

NIS2 generally applies only to entities that are at least medium-sized, i.e. with 50 or more employees, or an annual turnover or balance sheet above €10 million. Smaller entities are normally out of scope, unless they play a critical role in the EU's economy or society (for example, sole providers of an essential service, or certain providers such as public electronic communications, trust service, top-level domain and DNS providers, which are covered regardless of size).  

Essential Entities (EE) vs. Important Entities (IE)

In practice the classification depends on sector and size: large entities (250 or more employees, or annual turnover above €50 million and a balance sheet above €43 million) in the high-criticality sectors of Annex I are essential entities, while medium-sized entities in those sectors and entities in the Annex II sectors are important entities. The underlying rationale is how much a cyber incident would impact society: an incident at an EE is expected to be more detrimental than one at an IE. That is why EEs are subject to proactive (ex ante) supervision by the national authorities and to higher maximum fines, whereas IEs are supervised reactively (ex post), after the authority receives evidence or an indication of non-compliance. 

Reporting NIS2 breaches 

Entities must report significant incidents to the CSIRT or competent authority of the Member State whose jurisdiction they fall under. For EU-based entities that is normally the Member State in which they are established; entities established outside the EU that offer in-scope services in the EU fall under the jurisdiction of the Member State in which their designated representative is established. The directive sets staged deadlines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. 

NIS2 requirements for management and cybersecurity

NIS2 doesn't prescribe which cybersecurity tools and technologies must be implemented. Instead, Article 21 requires entities to take appropriate and proportionate technical, operational and organizational measures, based on an all-hazards approach, covering at least:  

  1. Risk analysis and information system security policies
  2. Incident handling (prevention, detection, and response to incidents)
  3. Business continuity (backups, disaster recovery) and crisis management
  4. Supply chain security, including the security of relationships with direct suppliers and service providers
  5. Security in acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of the cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies on the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate

You can use traditional information security management systems (ISMS), such as ISO 27001 or equivalent, to address the risk and cybersecurity requirements of NIS2. 

In addition, NIS2 holds management accountable for the following: 

  1. ensuring that cybersecurity risk assessments are carried out;
  2. implementing technical and organizational security measures; 
  3. staying on top of cybersecurity through training and risk management programs, and ultimately
  4. managing risks appropriately

Failure to demonstrate that risk and cybersecurity practices have been addressed can result in fines of up to €10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities. Management bodies can also be held personally liable for breaches of these obligations. 

NIS2 and the National Supervisory Authorities

As with GDPR, each Member State designates one or more national competent authorities (and a CSIRT) for NIS2. The competent authority is responsible for supervising and enforcing the directive, which includes: 

  • Supervising how entities implement the cybersecurity risk management measures and the incident reporting obligations
  • Carrying out on-site inspections and off-site supervision, regular and targeted security audits, ad hoc audits and security scans
  • Requesting information, data, documents and evidence that the risk management measures have actually been implemented
  • Issuing warnings and binding instructions, ordering remediation, and imposing fines for non-compliance

From a cybersecurity perspective, one could argue that NIS2 makes it easier for your organization to justify extra resources and budget for risk management, security technologies, staff training, etc. 

When will NIS2 be released? 

A political agreement on NIS2 was reached on 13 May 2022. The directive (Directive (EU) 2022/2555) was formally adopted in December 2022 and entered into force on 16 January 2023. The EU Member States were granted 21 months, until 17 October 2024, to transpose NIS2 into national law. As a result, NIS2 obligations apply from late 2024 onwards. 

NIS2 vs. GDPR

Although GDPR and NIS2 are both EU legislation dealing with security and data protection, there are differences.

GDPR requires every organization, whether EU or non-EU-based, to respect and protect the personal data of individuals in the EU (names, emails, social security numbers, etc.). NIS2, on the other hand, requires organizations that supply important or essential services for the EU infrastructure to have the right cybersecurity measures in place to minimize possible incidents. This concerns not only personal data but everything security-related that could impact society. 

NIS2 vs. NIS

NIS2 is the updated version of NIS that offers better guidance and clarity of the EU’s cybersecurity requirements. NIS2 has expanded the scope of essential and important entities, specified management liabilities, outlined how controls must be carried out, and addressed how breaches must be reported. 

Implications

Even if you're not on the list of important or essential entities, but you supply services to one of them, then you're likely to be subject to the same or similar obligations: supply chain security is one of the mandatory risk management measures, so in-scope entities will pass their requirements down to their suppliers contractually.

What is Tricent, and how can we help? 

Tricent is a security and compliance tool for Microsoft 365 and Google Workspace that mitigates the risk of sharing files - especially externally. 

Tricent helps you: 

  • Understand how many files are shared outside your organization
  • Respond to any file-sharing risk (hacked domains, insider threats, malicious stakeholders, etc.) 
  • Enforce automated data protection policies for all employees

Get 100% control of your shared files - start a 30-day trial