In response to the increasing number of cyber-attacks globally, multiple regulations have been developed in recent years to improve the cyber security posture of businesses across the EU. We have already discussed the DORA regulations, which have recently been implemented in the EU, in our previous blog post https://www.dnait.ie/dora-regulations-in-five-key-points/. With so many new regulations coming from the EU, you may ask yourself which of them apply to your business and what set of actions you need to complete to make sure you are compliant with NIS 2.
First of all, what is NIS 2?
NIS 2 refers to the revised Network and Information Systems Directive, which is a legislative framework by the European Union aimed at improving cybersecurity resilience and incident response capabilities across member states.
The original NIS directive was published in 2016. What makes NIS 2 different from NIS 1 is, above all, the list of sectors it covers.
So, how do you know if your company is affected under the new directive?
There are 18 sectors listed below, while NIS 1 included only 6 sectors.
| SECTORS OF HIGH CRITICALITY | CRITICAL SECTORS |
| --- | --- |
| Energy | Research |
| Transport | Digital providers |
| Banking | Manufacturing |
| Financial market infrastructures | Production and processing of food |
| Health | Production and distribution of chemicals |
| Drinking water | Waste management |
| Waste water | Courier and postal services |
| Digital infrastructure | |
| Space | |
| Public administration | |
| ICT service management | |
Of course, not every company that works in these sectors is covered by NIS 2. The directive only extends to companies that have at least 50 employees or achieve an annual turnover or an annual balance sheet total of over EUR 10 million. However, certain types of companies, such as providers of public electronic communications networks or publicly available electronic communications services, fall within the scope of NIS 2 regardless of annual turnover and number of employees. The NIS 2 Directive links most of its requirements to the classification of an operator as an “essential” or “important” entity. Below are the main criteria that make an entity “essential” or “important”; note that this is not the full list.
“Essential Entities” are:
- Entities with more than 250 employees, an annual turnover of EUR 50 million and an annual balance sheet total of over EUR 43 million.
- Public administration entities of the central government of a member state.
- Qualified trust service providers and top-level domain name registries.
“Important Entities” are:
- Entities in the sectors listed in Annex I or II (of NIS 2) that do not qualify as essential entities.
- Entities explicitly identified by member states as “important entities”.
Now that you know whether your company falls under NIS 2, what actions should you take to become compliant?
NIS 2 Stricter Security Requirements
Organizations that fall under the scope of the NIS 2 Directive must implement stronger cybersecurity measures. This includes:
- Risk management
- Incident response
- Ensuring the security of supply chains and third-party services
The most important change here is that when analysing the necessary risk management measures, a tech company should not only include the risk of phishing or hacking scenarios but also consider non-cyber incidents such as theft, fire, or power outages. This is an important factor, since NIS 2 covers mostly critical and highly critical sectors.
What makes the requirements even more significant is that even non-European companies can be affected, because a directly obligated entity passes its cybersecurity requirements along its supply chain.
NIS 2 Risk Management and Incident Reporting
The directive mandates more stringent and standardized incident reporting requirements. Organizations must notify relevant authorities of significant incidents within 24 hours of detection, followed by a detailed report within 72 hours.
NIS 2 Enhanced Cooperation and Information Sharing
The NIS 2 Directive aims to improve cooperation and information sharing among EU member states, including the establishment of a new EU Cyber Crisis Liaison Organization Network to facilitate a coordinated response to large-scale cybersecurity incidents.
NIS 2 National Capabilities
Member states are required to strengthen their national cybersecurity capabilities, including setting up competent authorities to oversee compliance, enforce the directive, and provide guidance to companies.
NIS 2 Supply Chain Security
The directive places greater emphasis on the security of supply chains and third-party service providers, ensuring that vulnerabilities in these areas do not compromise the security of essential services.
NIS 2 Continuous Improvement and Adaptation
The directive encourages a culture of continuous improvement and adaptation to evolving cybersecurity threats, ensuring that organizations remain resilient against new and emerging risks.
Penalties for Non-Compliance with NIS 2
The directive introduces tougher penalties for non-compliance. Companies that fail to meet the requirements can face significant fines, similar to those under the General Data Protection Regulation (GDPR). Administrative fines for essential entities could be up to EUR 10 million, while fines for important entities are slightly lower, at up to EUR 7 million.
Conclusion
The main reason behind the introduction of the NIS 2 regulations is that only continuous improvement and adaptation to the latest cyber risks can help to reduce them. If your business is covered by NIS 2, it is important to become compliant with all of its criteria.
The penalties for non-compliance are not the only reason for this. It is every organisation’s responsibility to ensure that proper cyber security measures are in place, to minimise risk to your business and to protect your customers’ and suppliers’ data.
To help you understand NIS 2, you can reach out to DNA IT. We will happily assist you in meeting all the requirements needed to become compliant with NIS 2.