NIS2 (the “Network and Information Security Directive 2”, Directive (EU) 2022/2555) is the successor to the original NIS Directive of 2016 (NIS1). It is meant to address the cybersecurity challenges of an increasingly interconnected world, which the original directive, with its narrow scope and uneven national implementation, did not adequately cover.
It entered into force on 16 January 2023, and Member States must transpose it into national law by 17 October 2024. By 17 April 2025, Member States must establish their lists of Essential and Important Entities.
It aims to raise cybersecurity resilience across the EU, improve the security of network and information systems, strengthen the overall security posture of critical sectors, and enable more coordinated incident response between Member States.
Who will it affect?
Businesses that were already in scope under NIS1 remain in scope under the revised directive.
While Energy, Health, Transport, Banking and Financial Market Infrastructures, Drinking Water, Digital Infrastructure and Digital Service Providers were already in scope, the revised scope adds:
- ICT Service Management (business-to-business) Providers
- Public Administration
- Wastewater
- Space
- Postal and Courier Services
- Food Production, Processing and Distribution
- Manufacturing
- Manufacturing, Production and Distribution of Chemicals
- Waste Management
- Research
It also introduces the distinction between Essential and Important Entities, with the former subject to more stringent, proactive (ex ante) supervision, while Important Entities are supervised reactively (ex post), for instance after an incident or on evidence of non-compliance.
The figure below outlines the sectors in scope and their classification.
Figure 1 – Sectors Included in NIS2 and their Classification
It is also worth noting that NIS2 widens the size threshold for affected entities: medium and large organizations in the listed sectors are in scope, meaning those that:
- Have 50 or more employees, or
- Have an annual turnover (or balance sheet total) above €10 million.
Some entities are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers, and entities that are the sole provider of a service essential to a Member State.
It also applies to entities (such as ICT Service Providers) that provide services in the EU even if they are not established in the EU.
What are the main changes compared to NIS1?
The main changes between NIS1 and NIS2, beyond the revised scope of affected entities, include:
- Stronger Incident Response and Reporting requirements: mandatory reporting of significant incidents to the competent authority or CSIRT, in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours (including an initial assessment of severity and impact), and a final report within one month covering root cause, the mitigation applied, and any cross-border impact. Intermediate status updates may be requested in between.
- Increased Supervisory Requirements, especially for Essential Entities, which are subject to proactive supervision (including audits and security scans) rather than only after-the-fact checks.
- Risk Management Approach: entities must identify, assess, prevent and mitigate risks. Beyond the areas many organizations already cover, such as incident handling, risk monitoring and testing, business continuity and data protection, NIS2 explicitly adds supply-chain security, which will be a new obligation for many organizations.
- Organizational and Senior Management Accountability: NIS2 makes management bodies responsible for approving and overseeing risk-management measures and allows them to be held personally liable for infringements. It also sets stricter administrative fines of at least:
  - €10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for Essential Entities
  - €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher, for Important Entities
- Strengthened Cooperation: the directive promotes closer cooperation and information-sharing among EU Member States, including through the CSIRTs network and a European vulnerability database, enabling a more unified defense against cyber threats.
What will organizations need to focus on?
Organizations affected by NIS2 will likely need to review existing processes in the areas below (if already in scope under NIS1) or to create new ones:
- IT Risk Management: entities must assess risk and build and implement risk-management measures proportionate to that risk, in a proactive approach, including policies, and training.
- Incident Prevention, Detection, Response and Reporting: entities need an incident management framework in place that covers the full lifecycle, including the staged reporting deadlines.
- Business Continuity: entities must ensure that they can sustain and recover their operations during and after a cybersecurity incident, including backup management, disaster recovery and crisis management.
- Supply Chain Security: entities must assess and manage the security risks stemming from their direct suppliers and service providers, an area not covered under NIS1.
- Compliance, Liability and Training: entities will need to demonstrate compliance upon supervisory request, and members of management bodies will be required to follow regular cybersecurity training.
How can Stefanini Help?
Stefanini can help organizations tackle their compliance and cybersecurity challenges in a number of ways.
We have outlined some of the main ones here, and we are happy to discuss your specific challenges across all areas of NIS2, spanning People, Processes and Technology, including:
- Building a Cybersecurity Baseline
- Gap Assessment
- Platform Management
- Incident Response and Business Continuity Services
- Supply Chain Risk
Conclusion:
NIS2 marks a significant step forward in enhancing cybersecurity resilience across the EU. While the directive presents compliance challenges for organizations, it should also be seen as an opportunity to strengthen security measures across the organization.
Affected entities are encouraged to engage proactively with the NIS2 requirements, ensuring they are well prepared to protect their operations and contribute to a safer digital environment. The directive also gives cybersecurity teams a new basis for engaging with senior stakeholders, since management is now directly accountable for the outcome.
Organizations should begin preparing for compliance now and seek guidance where needed, as NIS2 provides a strong foundation for protecting against ongoing cyber threats and their associated risks.