Last Updated on January 17, 2024
With organizations becoming more digitally interconnected and dispersed while cyber threats increase in sophistication and frequency, the European Union (EU) recognizes the urgency of fortifying its cybersecurity guidance. The Network and Information Systems 2 (NIS2) Directive is a crucial piece of legislation intended to bolster the EU’s “common level of cybersecurity,” especially among its most vital organizations.
This article explores the NIS2 Directive, its key requirements, and its implications for business in the US and elsewhere.
What is the NIS2 Directive?
The NIS2 Directive is the EU’s second round of regulation aimed at enhancing the cybersecurity of critical infrastructure and digital service providers. NIS2 builds on the first NIS Directive, which was adopted in 2016.
This new “political agreement” addresses the evolving threat landscape and incorporates new provisions to strengthen the resilience of digital infrastructure. It directly addresses supply chain security, streamlines reporting, and adds stricter control requirements.
NIS2 was adopted in November 2022 and entered into force on January 16, 2023. EU member states have until October 17, 2024 to implement parallel legal measures at the national level.
Why is NIS2 important?
NIS2 is globally important in that it will help drive a higher standard for cybersecurity not just for EU companies but also for their suppliers inside and outside the EU.
Specific impacts of NIS2 will include:
- Enhanced cyber resilience
NIS2 sets clear and elevated cybersecurity and cyber incident reporting standards to ensure critical organizations are universally better equipped to withstand and respond to cyberattacks. - Uniform standards
NIS2 establishes a uniform set of cybersecurity standards across the EU, which reduces regulatory overhead and simplifies the compliance picture for entities operating across national borders. - Improved data privacy
The inclusion of online platforms within NIS2’s purview will enhance data protection and privacy for EU consumers. - Reduced economic impacts from breaches
Data breaches and other cyberattacks on critical organizations can have severe economic consequences, from goods shortages to disaster level outages. NIS2 will help protect EU economies from these negative impacts and reduce their severity.
5 Key NIS2 changes
Here are 5 of the most important new guidelines that NIS2 mandates for covered entities:
- Wider scope
NIS2 extends coverage to a broader range of entities. Going beyond just essential services organizations and digital service providers, NIS2 also covers online platforms. This means that social media sites, cloud service platforms, and search engines will now have to comply with stringent cybersecurity requirements. - Elevated cybersecurity requirements
NIS2 requires covered organizations to implement appropriate cybersecurity measures in line with the cyber risks they face and the nature of the data they handle. - Mandatory incident reporting
Under NIS2, all covered entities are required to report significant cyber incidents to the appropriate national authorities. The goal here is to bolster and accelerate the EU’s collective response to emerging cyber threats. - Cross-border cooperation
To further promote a collective and accelerated incident response to cyber threats and, NIS2 encourages cooperation and information sharing among EU member states. - Painful penalties for non-compliance
Failure to comply with NIS2 guidelines could result in significant penalties, including major fines. This powerfully incentivizes organizations to take their cybersecurity responsibilities seriously.
What does NIS2 mean for companies that need to comply?
Compliance with the NIS2 Directive will be a legal obligation for many EU businesses. But it will also be a strategic imperative for thousands of other firms—including US companies—that serve or partner with those covered entities.
To ensure compliance and reduce their cybersecurity risk sooner, organizations should:
- Conduct a comprehensive risk assessment to identify vulnerabilities and evaluate the potential impacts of cyber threats
- Implement robust cybersecurity measures to mitigate identified risks
- Develop incident response plans to prepare for quick and effective action to minimize downtime and other impacts from manifesting cyber threats
- Stay informed about EU and national regulatory updates and collaborate with national authorities to make sure you meet reporting requirements
What companies does NIS2 apply to?
NIS2 defines two categories of covered entities:
- Essential entities—public and private sector organizations in critical infrastructure industries like finance, energy, water, transportation, healthcare, aerospace, public governance, and digital infrastructure (social sites, online marketplaces, public cloud platforms, data centers)
- Important entities—public and private sector organizations in food production, postal operations, waste management, manufacturing, digital services, chemicals, and research
NIS2 affects all businesses that provide essential or important services to the European economy, as well as their vendors and other supply chain partners.
Size thresholds for covered entities may vary within or between categories. For essential entities, the general size threshold is 250 employees and/or € 50 million in annual gross income. For important entities, the general size threshold is 50 employees and/or € 10 million in annual gross income.
An organization may also be designated as essential or important even if it falls below the size criteria. For example, NIS2 can be applied to a small manufacturer that is the sole provider of a critical service for “societal or economic activity in a Member State.”
What are the penalties for NIS2 noncompliance?
NIS2 outlines remedial, financial, and legal consequences for noncompliance violations, especially where data breaches and/or reporting failures are involved. Exact penalties may differ by member state.
Remedial or nonfinancial noncompliance penalties may include orders to comply, direct mandatory remediation instructions, a mandate to perform a cybersecurity audit, and/or alerts to a company’s customers and supply chain about potential cyber risks it presents.
Financial penalties vary by category:
- Member states can fine essential entities up to €10,000,000 or 2% of the global yearly revenue, whichever is greater.
- Member states can fine important entities up to €7,000,000 or 1.4% of the global yearly revenue, whichever is greater.
To ensure top management’s commitment to addressing cybersecurity risks, NIS2 also defines managerial accountability and liability penalties for cyber incidents where significant negligence leading to a data breach has been established. These provisions include:
- Forcing organizations to publicly disclose noncompliance issues
- Issuing public announcements that call out both the business and the specific executive(s) accountable for an incident, and describe incident details
- Temporarily prohibiting specific individuals from assuming managerial roles within essential entities if violations recur
What’s next?
The NIS2 Directive is a significant step forward in the EU’s efforts to safeguard critical organizations and their supply chains from cyber threats and foster a more resilient and secure digital environment.
Organizations that do business in the EU or partner with EU entities should view NIS2 as yet another vector driving them toward provably robust cybersecurity—to protect both user data and their own operations in an increasingly perilous and dynamic digital landscape.
To speak with an expert about the NIS2 Directive and its strategic and operational implications for your business, contact CBIZ Pivot Point Security.