What is NIS2?

NIS2, the newest draft of the Network and Information Security Directive, is a European directive that aims to ensure a high common level of cybersecurity in the EU. The directive entered into force on Monday, January 16, 2023. However, each EU member state has until October 18, 2024 to integrate it into their own national laws. Consequently, businesses and organisations still have some time to become familiar with the directive and plan for compliance.

To start with, let’s talk about what is new in NIS2. Then, we’ll discuss who must comply. Finally, we’ll consider why it is so important to prepare for NIS2, and how to do so.

NIS stands for Network and Information Security Directive, and the first edition NIS – NIS1 if you will – was adopted in 2016. It was the first cross-sector cybersecurity law in the EU. Both NIS and NIS2 have the goal of contributing to the Union’s security and to the effective functioning of its economy and society.

However, the first NIS was limited in its scope and rather conservative with its penalties. It also allowed member states great freedom to set their own requirements. This led to inconsistencies from one country to another as far as who had to comply, the requirements themselves, their level of detail, and the country’s method of supervision. These discrepancies between countries’ cyber security standards make it more complicated and expensive to offer goods or services across borders. Even if one country has a high level of security, when they do business with a more vulnerable country, it can create a spill-over effect and greater risk for the entire EU. Ultimately, NIS was not enforced in most countries.

In addition, the first NIS also quickly proved to be insufficient in relation to answering questions regarding new technologies and circumstances such as artificial intelligence, deep fake, cyber warfare and the fast spread of remote workplaces after COVID19.

For these reasons, NIS2 was created.

While NIS2 is an initiative to strengthen European cyber security, GDPR focuses on the protection of European data. The GDPR sets the requirements for how EU member states handle personal data. The purpose of NIS2, on the other hand, is to ensure that all European companies and organisations maintain an adequate level of cyber security. The two sets of rules thus have several areas where they overlap.

The text of NIS2 acknowledges the shortcomings of the original NIS. Further, it points to the intensification and increased sophistication of cyber threats as a reason for updating the regulation.

Compared to NIS, NIS2 will:

• Apply to a greater number of sectors and industries.
• Have larger fines for non-compliance with requirements.
• Be more specific when outlining cybersecurity and risk management measures.
• Include stricter incident reporting rules.
• Encourage more cybersecurity collaboration between EU member states.

Overall, the NIS2 directive focuses on four areas with a view to strengthening cyber and information security for companies across EU member states:

1. Risk management: NIS2 prescribes a risk-based approach to cyber and information security. The approach involves performing thorough risk assessments and GAP analyses to identify vulnerabilities, security threats and the potential consequences of a data breach. It is also crucial that you also carry out a risk assessment of your supply chain and suppliers.
2. Responsibility: NIS2 places increased responsibility on C-level managers. The directive requires management to actively monitor, approve, educate and manage risks related to the organisation’s cyber security. If they fail to meet these requirements, they may be held personally liable, which may result in sanctions such as suspension from management positions.
3. Reporting: The Directive contains detailed requirements regarding security breach reporting, which will be elaborated on later in this blog post. It is critical for organisations to establish effective processes that enable rapid reporting of security breaches.
4. Business continuity: Providers of essential services must develop plans to maintain services during major security incidents, including system recovery, emergency procedures and the establishment of crisis response teams.

NIS2 applies to all organisations and companies within the European Union (EU) member states. The directive divides the specific categories of organisations that must comply with into essential entities and important entities. If your business (whether public or private) belongs to one of these 11 sectors, you may be an essential entity:

• Energy
• Transport
• Banking
• Financial
• Health
• Drinking water
• Wastewater
• Digital infrastructure
• ICT service management
• Public administration
• Space

On the other hand, important entities are public or private organisations in these 9 sectors:

• Postal and shipping services
• Waste management
• Manufacture
• Production and distribution of chemical products
• Production, processing and distribution of foodstuff
• Manufacture (manufacture of medical devices
• IT, electronic and optical products, electrical equipment, machines and equipment, automotive vehicles and other transport equipment), digital suppliers and research.

Essential entities can be investigated at any time through audits and inspections, whereas important entities will only be investigated after an incident. All medium and large companies in the selected sectors must comply with NIS2. Additionally, member states can require smaller organisations that have a high-security risk profile to comply, and ensure that even entities that are excluded from the scope achieve a high level of cybersecurity.

According to the organisation Dansk Standard, ISO27001 is an apropriate standard to follow in order to comply with the requirements of NIS2. ISO27001 provides the necessary tools and procedures to meet requirements for a company’s cyber and information security, which are relevant in relation to meeting the NIS2 directive. It must be said that you do not need to use ISO27001 as a reference. The key to complying with NIS2 is that you work in a structured manner with your information security.

In ISO27001, there are a number of minimum requirements for a company’s information security that must be implemented. These include:

1. Policies for risk analysis and information system security
2. Incident handling and reporting policies
3. A business continuity plan (backup management, disaster recovery, and crisis management)
4. Supply chain security (include security in your contracts with suppliers and service providers)
5. Security in network and information systems acquisition, development and maintenance
6. Policies and procedures to assess the effectiveness of your risk-management measures
7. Training for your employees in basic cyber hygiene practices and cybersecurity
8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
9. Access control and rules for sensitive and other important data
10. Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems internally, where appropriate.

The measures are of course aimed at reducing the risk and preventing or minimising their impact on the consumer. Since these are minimum requirements, the individual countries can supplement them when they adopt the regulation. As a starting point, a company that intends to comply with NIS2 must implement these safeguards, but the requirements for the company will vary depending on the company’s size, societal role and level of exposure. This helps to ensure that smaller businesses are not disproportionately affected and that the requirements for larger businesses reflect their role in society.

Preparing for the NIS2 directive is a time-consuming task. Many companies find it overwhelming and resource-intensive. However, not complying with the rules can cost even more. A breach of data security can disrupt your business, cost you fines and undermine customers’ trust in you. If you are looking for a way to prepare for the entire NIS2 directive, get hold of a consulting company such as BDO Danmark. When it specifically concerns the handling of sensitive information that falls under NIS2, however, we are specialists. Read here how we can help.