Dec 7, 2023

What You Need To Know About NIS2, the EU's Newest Cybersecurity Directive

As cyberthreats and attacks continue to challenge organizations worldwide, the EU is confronting the situation head-on with an upgrade to its Network and Information Security (NIS) Directive, originally adopted in 2016. The resulting NIS2 Directive repeals and replaces the original and sits alongside other EU cybersecurity legislation, such as the Cyber Resilience Act (CRA), which addresses the security of products with digital elements, to help the countries of the European Union cope more effectively with the evolving threat landscape. The Directive's own title describes it as laying down measures for a "high common level of cybersecurity across the Union."

Much as the General Data Protection Regulation (GDPR) harmonized privacy rules across the EU, NIS2 aims to harmonize cybersecurity obligations across Member States through a risk-based approach to the growing threat of cyberattacks.

NIS2 Timelines and Important Dates 

The following dates show the progression of the NIS2 Directive and continuing future review work: 

July 2016: The original NIS Directive (Directive (EU) 2016/1148) is adopted; it enters into force the following month.

May 2022: The European Parliament and the Council reach political agreement on the text of NIS2.

November 2022: The European Parliament adopts NIS2 and the Council gives its final approval.

December 2022: NIS2 is signed by the co-legislators and published in the Official Journal of the European Union as Directive (EU) 2022/2555.

January 2023: NIS2 enters into force.

October 17, 2024: Deadline for Member States to transpose NIS2 into national law. The national measures apply from the following day, and covered entities must be able to demonstrate compliance with them.

April 17, 2025: Deadline for Member States to establish their lists of Essential and Important entities, which must then be reviewed at least every two years. Beyond these dates, EU authorities continue to review and refine the implementation of the Directive.

What is the NIS2 Directive? 

NIS2 is an EU directive: it sets minimum cybersecurity requirements that every Member State must transpose into national law and that apply to all covered entities. NIS2 includes:

  • A minimum set of risk-management measures that standardizes approaches to security across Member States;

  • Enforcement of the requirements of the Directive through supervision and substantial penalties;

  • Mandatory incident reporting, with an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.

NIS2 also promotes EU-wide collaboration and coordinated vulnerability disclosure to build resilience through cooperation. The European Union Agency for Cybersecurity (ENISA) plays an integral role in the implementation of NIS2 and is responsible for developing and maintaining a European vulnerability database.

Why Did the EU Commission Overhaul the Original NIS Directive? 

The cracks in the first NIS Directive began to appear in the early days of the Covid-19 pandemic, when the rapid shift to remote work vastly expanded the attack surface of organizations across Europe and the world. The EU Commission identified several warning signs that an update to the NIS Directive was needed:  

  • Cyber resilience levels of EU businesses were shown to be insufficient.

  • Cyber resilience was inconsistent across Member States and sectors.

  • Common situational awareness of cyberthreats and challenges was poor.

  • There was no mechanism for a joint crisis response.

NIS2 attempts to address these challenges.  

NIS2 Scope 

NIS2 builds upon the three core pillars of the first NIS Directive (national capabilities, cross-border cooperation, and supervision of critical sectors) and extends them in the following ways:

  • Expands the scope of the required cybersecurity measures;

  • Increases the number of sectors and industries covered and introduces a size threshold to define which entities fall in its scope; these entities are required to report significant incidents to the national competent authorities or CSIRTs;

  • Introduces a cyber crisis management structure, the European cyber crisis liaison organisation network (EU-CyCLONe);

  • Enforces stricter reporting obligations with fixed deadlines;

  • Continues to require Member States to designate national Computer Security Incident Response Teams (CSIRTs) and a Single Point of Contact (SPOC), with expanded tasks for both.

The extended coverage of NIS2 also includes business continuity and crisis management, vulnerability handling and disclosure, and multi-factor authentication.

NIS2 Cybersecurity Measures  

Article 21(1) of the NIS2 Directive states:

“Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”

More specifically, Article 21(2) expects—at a minimum—the following measures as a means of reducing risk and lessening the impact of a cybersecurity incident:

  • Policies on risk analysis and information system security;

  • Incident handling;

  • Business continuity, including backup management, disaster recovery and crisis management;

  • Supply chain security, including the security of relationships with direct suppliers and service providers;

  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;

  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

  • Basic cyber hygiene practices and cybersecurity training;

  • Policies and procedures on the use of cryptography and, where appropriate, encryption;

  • Human resources security, access control policies and asset management;

  • Use of multi-factor authentication (MFA) or continuous authentication solutions, together with secured voice, video and text communications and secured emergency communication systems, where appropriate.

Industries Covered Under the NIS2 Directive  

In another significant change, NIS2 applies to substantially more industries and organizations than its predecessor. To determine who must comply, the Directive first groups sectors into two tiers, "sectors of high criticality" (Annex I) and "other critical sectors" (Annex II), and then classifies in-scope entities as either 'Essential' or 'Important' depending on the sector and the entity's size. NIS2 covers entities from the following sectors:

Sectors of High Criticality (Annex I)

  • Energy;  

  • Transport;  

  • Financial market infrastructures; 

  • Health (including healthcare providers and manufacture of pharmaceutical products);

  • Drinking water and waste water;

  • Digital infrastructure (including DNS service providers, cloud computing service providers, data center service providers, and public electronic communications networks);

  • ICT service management (business-to-business);

  • Public administration;

  • Space.

Other Critical Sectors (Annex II)

  • Postal and courier services;

  • Waste management;

  • Manufacture, production and distribution of chemicals;

  • Production, processing and distribution of food;

  • Manufacturing of medical devices and in vitro diagnostic medical devices;

  • Manufacturing of computer, electronic and optical products;

  • Manufacturing of machinery, equipment and transport equipment;

  • Digital providers (online marketplaces, online search engines and social networking platforms);

  • Research organizations.

In most cases, size combined with placement in Annex I or Annex II determines whether an organization is Essential or Important: large entities in Annex I sectors are Essential, while medium-sized entities in Annex I sectors and in-scope entities in Annex II sectors are Important. However, certain entities are Essential regardless of their size, typically where an outage would have consequences across society (for example, qualified trust service providers, top-level domain name registries and DNS service providers). In addition, any entity identified as a "critical entity" under the EU Critical Entities Resilience Directive (CER) is automatically Essential under NIS2.

Notably, NIS2 generally applies only to medium-sized and larger entities, meaning those with at least 50 employees or an annual turnover or balance sheet total above 10 million euros. Smaller entities are nevertheless covered where the Directive says so irrespective of size, for instance where the entity is the sole provider in a Member State of a service essential for critical societal or economic activities.

A full list of covered sectors and entity types can be found in NIS2 Annex I and Annex II.

Penalties for Non-Compliance with NIS2 

NIS2 sets out an EU-wide supervision and sanctions framework, with national competent authorities supervising Essential entities proactively and Important entities after the fact (for example, when evidence of non-compliance comes to light).

Supervision includes: 

  • Regular and targeted audits; 

  • On-site and off-site checks;

  • Request for information; 

  • Access to documents or evidence. 

Penalties differ based on whether the entity is Essential or Important. Member States must provide for at least the following maximum administrative fines:

Essential entities: A maximum fine of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Important entities: A maximum fine of at least €7,000,000 or 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Can NIS2 Have a Global Impact? 

As a general rule, an Essential or Important entity falls under the jurisdiction of the Member State in which it is established, so a company with establishments in several Member States may answer to several competent authorities. For certain cross-border services, such as DNS service providers, TLD name registries, cloud computing, data center and content delivery network providers, managed service providers and digital providers, jurisdiction lies with the Member State of the entity's main establishment in the EU. An entity that is not established in the EU but offers such services there must designate a representative in one of the Member States where it operates, and that Member State then has jurisdiction.

While it is EU-focused by definition, NIS2 will undoubtedly have implications for multinational companies as well as for cross-border collaboration. Just as the GDPR raised the stakes for global privacy regulations and led to similar legislation in California and elsewhere, the hope (if not the expectation) is that NIS2 will influence cybersecurity standards beyond Europe. At the very least, the work done to establish the NIS2 directive will provide a framework for regions or industries looking to upgrade their own cybersecurity standards in the years ahead.
