Dysfunctional gas stations. Paralysis of surgical procedures in hospitals. Inoperable ATMs. Does this sound like a scene from a doomsday movie? Not necessarily. This is what the day after a successful, multi-vector cyberattack on a country’s critical infrastructure could look like.

Faced with constantly evolving cyber threats (e.g., ransomware) and increasingly frequent attacks on critical sectors, which pose a real threat to states and entire societies, EU lawmakers decided to require the most essential and most exposed entities to build (better) cybersecurity capabilities, and to do so consistently across the Union. That is how the NIS2 directive came into being.

What Is the NIS2 Directive in a Nutshell?

NIS2 (Network and Information Systems Directive 2) is a directive* of the European Parliament and the EU Council aimed at strengthening cyber resilience and achieving a high common level of cybersecurity capabilities for organizations providing essential services in the EU economy.

It’s worth noting that these are not the only goals of NIS2. Another one, just as important, is the harmonization of security measures, as hinted by the adjective “common” in the definition above. The previous directive, NIS1 (Directive (EU) 2016/1148), gave EU member states a lot of freedom in this regard. As a result, the level of security of comparable key entities could differ drastically from one member state to another, a gap that attackers could easily exploit.

* Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). The full text of the legal act is published in the Official Journal of the European Union (OJ L 333, 27 December 2022).

Is the NIS2 Directive in Force Now?

NIS2 was adopted by the European Parliament and the EU Council on December 14, 2022, and entered into force on January 16, 2023. EU member states were required to transpose it into their national legislation by October 17, 2024. However, because transposition is legally and operationally complex, not all states met this deadline.

At the time of writing, if your organization operates in Belgium, Croatia, Denmark, Estonia, Finland, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Portugal, Romania, Slovakia, or Slovenia, NIS2 has already been transposed and you are required to comply with the national law that implements it. Transposition is a moving target, so check the current status for your member state before relying on this list.

On the other hand, if you’re based in a member state not listed above, the NIS2 obligations are not yet binding on your organization, because a directive only takes effect through national transposing law. Even so, it is a good idea to start working towards compliance now: the required measures are numerous and take time to implement, and the directive’s scope and deadlines will not change much in transposition. To stay informed, follow the legislative updates published by your national government or cybersecurity authority.

Who Needs to Comply with NIS2, and Who Is Exempt?

Before you dive into implementation, check if the NIS2 directive applies to your organization by analyzing the following criteria.

Criterion of Belonging to a Critical Sector

NIS2 was created to protect strategic areas of the economy, so the directive applies to organizations that belong to the so-called sectors of high criticality (Annex I, the most important ones) and the other critical sectors (Annex II):

  • Sectors of high criticality:
    • Energy – electricity, district heating and cooling, oil, gas, and hydrogen
    • Transport – air, rail, water, road
    • Banking
    • Financial market infrastructures – operators of trading venues and central counterparties (CCP) in the financial sector
    • Health – hospitals, laboratories, manufacturers of pharmaceuticals and critical medical devices
    • Drinking water
    • Waste water
    • Digital infrastructure – internet exchange point providers, DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network (CDN) providers, trust service providers, and providers of public electronic communications networks and services
    • ICT service management (B2B) – managed service providers (MSPs) and managed security service providers (MSSPs)
    • Public entities/public administration entities
    • Space – entities that support the provision of space services
  • Other critical sectors:
    • Postal and courier services
    • Waste management
    • Manufacture, production and distribution of chemicals
    • Production, processing and distribution of food
    • Manufacturing – medical devices, computers, consumer electronics, optical devices, electrical equipment, machinery and equipment, motor vehicles, trailers, other transport equipment
    • Digital providers – providers of online marketplaces, search engines, and social networking platforms
    • Research – research organizations

The Entity Size and Other Criteria

Now that you know which sectors are covered by NIS2, let’s check the other criteria that ultimately qualify your organization as subject to the provisions of this directive. The table below will help you with this:

  • Large enterprise (≥250 employees, or annual turnover above EUR 50 million): subject to NIS2 if it operates in a sector of high criticality or in another critical sector.
  • Medium enterprise (≥50 employees, or annual turnover above EUR 10 million): subject to NIS2 if it operates in a sector of high criticality or in another critical sector.
  • Small or micro enterprise (<50 employees and annual turnover below EUR 10 million): ⚠️ subject to NIS2 only if it operates in a sector of high criticality or in another critical sector AND meets at least one of the following additional criteria:
    • It provides services of critical importance.
    • It is the sole provider of the service in the country.
    • Its service is important for public safety.
    • It belongs to the supply chain of an essential or important entity.
    • A competent national authority has designated it as an essential or important entity by decision.

The size thresholds follow the EU definition of micro, small and medium-sized enterprises (Recommendation 2003/361/EC), which also allows the balance sheet total to be used instead of turnover.

As you can see, meeting criterion a) (belonging to one of the listed sectors) and criterion b) (the size threshold) automatically brings an organization within NIS2’s scope. Such an organization is then classified as either an essential entity or an important entity. Under Article 3 of the directive, a large entity in a sector of high criticality is an essential entity; a medium-sized entity in a sector of high criticality, and any medium or large entity in one of the other critical sectors, is an important entity. The distinction matters: essential entities are subject to proactive supervision and to the higher fine ceiling described below.

For small and micro enterprises that do not meet the size criteria but operate in a strategic sector of the economy, being subject to NIS2 depends on meeting the additional criteria above and on the decision of a competent national authority. Note also that some entity types are covered regardless of size, for example providers of public electronic communications networks, TLD name registries, DNS service providers, qualified trust service providers, and central government public administration entities.

What Penalties and Sanctions Apply for Non-Compliance with NIS2?

EU law requires that penalties be “effective, proportionate, and dissuasive,” and the maximum fines set by NIS2 (Article 34) certainly reflect that. The final amount of a fine is influenced by factors such as the type of entity, the gravity and duration of the infringement, and whether it was intentional or negligent:

  • Essential entity: up to 10 million EUR or 2% of the total worldwide annual turnover, whichever is higher
  • Important entity: up to 7 million EUR or 1.4% of the total worldwide annual turnover, whichever is higher

In addition to fines, NIS2 gives supervisory authorities further enforcement powers (Article 32), some of which reach management personally:

  • Temporary suspension of certifications or authorisations for the relevant services or activities
  • Temporary ban on exercising managerial functions (for persons at CEO or legal-representative level in an essential entity who are responsible for the violation)
  • Personal fines for managers introduced by some national transpositions, for example a fine of up to 300% of monthly salary where negligence directly affects public safety or health (this measure comes from national law, not from the directive itself)

Of course, sanctioned organizations must implement corrective actions.

But this isn’t the end of it. Member states may go beyond these minimums in their transposing laws. For example, the Polish draft legislation provides for measures such as a fine of up to 25 million EUR and the possibility of a temporary suspension of operations.

What Are the Requirements for NIS2 and How to Meet Them?

As you can see, the consequences can be truly severe, not to mention intangible losses such as damage to reputation or customer trust. So, it’s now time to check what compliance obligations are placed on organizations covered by NIS2. This will help you move on to the phase of developing an implementation plan and specific cybersecurity risk management measures.

The NIS2 directive itself does not prescribe specific technical controls, because business specifics and risk levels differ vastly between sectors. Instead, Article 21(2) lists ten areas that must be addressed, and Article 21(1) requires the technical, operational, and organizational measures to be appropriate and proportionate, taking into account the state of the art, relevant standards, the cost of implementation, and the entity’s size and risk exposure. One caveat: for digital infrastructure and digital service providers (DNS, TLD registries, cloud, data centers, CDNs, MSPs/MSSPs, online marketplaces, search engines, social networks, trust service providers), Commission Implementing Regulation (EU) 2024/2690 does spell out detailed requirements for each of these areas.

To give these recommendations a more concrete form, we have prepared a table below with a list of the aforementioned areas along with examples of specific cybersecurity measures/actions that can be implemented in those areas.

Each area below is one of the ten areas listed in Article 21(2) of the NIS2 directive (letters a to j). For each area, the first list gives cybersecurity measures/actions to take during implementation and the second gives the measures/actions to keep running after implementation.

  • (a) Policies on risk analysis and information system security
    • During implementation:
      – Develop a risk analysis policy.
      – Develop an information system security policy.
      – Appoint a cybersecurity contact person.
    • After implementation:
      – Conduct regular risk analyses.
      – Submit periodic reports at the request of the national supervisory authority.
  • (b) Incident handling
    • During implementation:
      – Document and implement a computer security incident management process.
      – Appoint people responsible for incident handling.
      – Develop a procedure describing how incidents are reported to the national Computer Security Incident Response Team (CSIRT) or competent authority.
      – Implement tools that automate incident response, e.g., Security Orchestration, Automation and Response (SOAR).
    • After implementation:
      – Monitor and detect cybersecurity incidents, e.g., using Security Information and Event Management (SIEM) tools.
      – For a significant incident, submit an early warning within 24 hours of becoming aware of it.
      – Submit an incident notification within 72 hours of becoming aware of it, with an initial assessment of severity and impact and, where available, indicators of compromise.
      – Send a final report within one month of the incident notification (if the incident is still ongoing at that point, a progress report is due then and the final report within one month of the incident being handled).
      – Perform a post-mortem analysis to understand the root cause and improve controls.
  • (c) Business continuity, such as backup management and disaster recovery, and crisis management
    • During implementation:
      – Develop a business continuity plan containing emergency, recovery, and disruption-minimization procedures.
      – Implement software or a comprehensive solution for creating and restoring backups, e.g., Xopero Unified Protection or Xopero One Backup & Recovery.
      – Establish a crisis team and communication procedures for crisis situations.
    • After implementation:
      – Back up the organization’s data regularly.
      – Keep copies outside the organization’s own infrastructure following the 3-2-1 rule (three copies, on two different media, at least one off-site), ideally with at least one copy immutable or offline so that ransomware cannot encrypt or delete it.
      – Test data restoration from backups regularly; a backup that has never been restored is an assumption, not a control.
      – When an incident occurs, assess its potential financial and operational impact.
  • (d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
    • During implementation:
      – Conduct a risk analysis of suppliers and service providers to ensure supply chain security.
      – Implement procedures to identify and manage risk throughout the supply chain.
      – Conclude contracts that clearly specify cybersecurity requirements.
    • After implementation:
      – Monitor suppliers’ and service providers’ compliance with those cybersecurity requirements.
      – Cooperate and communicate with suppliers and service providers so that coordinated steps can be taken in the case of an incident.
  • (e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
    • During implementation:
      – Verify that suppliers apply appropriate security measures, hold relevant certificates, etc.
      – Implement Extended Detection and Response (XDR) and Mobile Device Management (MDM) solutions to protect endpoints and mobile devices.
    • After implementation:
      – Monitor and detect incidents, e.g., using SIEM tools.
      – Manage vulnerabilities: monitor for them, identify affected systems, remediate them, and maintain a channel through which vulnerabilities can be reported to you and disclosed in a coordinated way.
      – Conduct regular security audits and configuration reviews, at least once every 24 months (the interval is set by national law, not by the directive itself).
      – Develop proprietary products securely (the secure-by-design principle); this applies, among others, to software companies.
  • (f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures
    • During implementation:
      – Analyze the risks relevant to your business activity in order to identify and mitigate them.
      – Develop key performance indicators (KPIs) to assess the implemented security measures.
    • After implementation:
      – Conduct regular audits assessing compliance with policies.
      – Conduct penetration tests to check whether the implemented controls actually hold up against an attacker.
  • (g) Basic cyber hygiene practices and cybersecurity training
    • During implementation:
      – Conduct initial cybersecurity training for employees (e.g., recognizing cyber threats, password management, protecting data on devices).
      – Conduct training for the management board on the obligations imposed by the NIS2 directive.
    • After implementation:
      – Conduct knowledge tests.
      – Conduct regular “refresher” training sessions.
      – Run simulated phishing campaigns to identify individuals who need additional training.
      – Raise awareness of cyber threats through newsletters, posters, and campaigns promoting basic cyber hygiene rules.
  • (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption
    • During implementation:
      – Develop a cryptography policy (which data is encrypted, when, with which algorithms and key lengths, and how keys are managed).
      – Use proven, certified cryptographic implementations rather than home-grown ones.
      – Set up TLS certificate inventory and lifecycle management so that certificates do not expire unnoticed, causing outages or pushing users to bypass warnings and exposing communication to attack.
    • After implementation:
      – Encrypt data in transit (e.g., TLS on network connections) and at rest (e.g., disk and backup encryption).
      – Renew certificates before they expire and rotate keys according to the policy.
  • (i) Human resources security, access control policies and asset management
    • During implementation:
      – Develop security procedures for employee onboarding and offboarding.
      – Develop a procedure for physical access to the organization’s offices.
      – Implement an Identity and Access Management (IAM) solution.
      – Create an inventory of IT assets (e.g., computers, mobile devices).
    • After implementation:
      – Vet candidates, and revoke access promptly upon dismissal.
      – Apply the principle of least privilege.
      – Manage identities and access centrally through IAM.
      – Regularly update the asset inventory.
      – Decommission systems securely.
  • (j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
    • During implementation:
      – Implement multi-factor authentication (MFA), preferring phishing-resistant factors (e.g., FIDO2/WebAuthn security keys) for administrators, and train users on it.
      – Implement continuous authentication solutions (monitoring user behavior and re-prompting for authentication when something looks suspicious).
      – Prepare dedicated communication channels for emergency situations, independent of the systems an incident may take down.
    • After implementation:
      – Monitor that every user actually uses MFA, and track user behavior.
      – Activate and use the dedicated communication channels in the case of an emergency.

The number of possible cybersecurity measures/actions can be overwhelming. However, the final scope of implementation will depend on the nature and complexity of your organization, as well as data and assets that require protection within it.

To facilitate the coordination of these tasks, we have prepared a sample checklist that you can print, customize to your needs, and use to oversee your readiness for NIS2.

Staying Compliant with NIS2 vs. the ISO 27001 Standard

If information security has always been a core value of your organization, you may have already implemented the ISO 27001 standard, which defines the requirements for an Information Security Management System (ISMS). By covering areas such as risk management, security policies and controls, incident response procedures, documentation and reporting obligations, and continuous improvement and training, the standard can greatly support you in ensuring compliance with NIS2 and save you a lot of work when it comes to implementing individual measures or actions. The mapping is not one-to-one, however: NIS2 adds obligations that an ISMS certificate alone does not cover, such as the 24-hour/72-hour/one-month incident reporting deadlines and the personal accountability of the management body.

It’s worth remembering this to make the most of the resources you already have at your disposal. 

The NIS2 Directive as an Opportunity for Better Cyber Resilience

Penalties, requirements… all of this can be overwhelming and create a negative mindset. However, it’s worth looking at the NIS2 directive not as an unpleasant obligation, but as an opportunity to strengthen your organization’s cyber resilience. In the long run, it may save you a lot of unpleasant experiences, stress, and extra work related to dealing with the consequences of cyberattacks.

At the same time, it’s important to remember that you don’t have to do everything yourself. Many of the measures required under NIS2, especially those in the post-implementation phase, can be carried out using solutions from proven providers.

Xopero, as a data backup expert, can help you meet the requirements in the area of business continuity (creating, testing, and restoring data backups, and the related reporting and auditing). For example, by choosing Xopero Unified Protection (a scalable enterprise-class hardware and software platform for data backup and disaster recovery), you get a number of valuable benefits, such as protection against major financial losses and loss of trust or reputation, and, from an IT admin’s point of view, an instant plug-and-play experience. Other advanced features are described on the website dedicated to our backup appliance.

Learn about our offer and see how we can support you both in the context of NIS2 and in the broader sense of your organization’s data security.
