Getting Started with NIS2 Compliance

Cybersecurity Plan for Newly Affected Entities

The Network and Information Security (NIS) directive is an EU cyber security legislation designed to strengthen the security of critical infrastructure sectors. The first directive was introduced back in 2016, and now its second, extended version is on the horizon. So, in this article, we will explore the changes introduced by NIS2 and provide organizations with actionable suggestions for its compliance.

In our interconnected and digitalized world, the need for fortifying cybersecurity becomes a shared responsibility on individual, national, and global levels. Digital systems provide countless opportunities for simplifying our daily routines and tasks. However, this dependency on systems also makes us open and vulnerable to cyber threats, which can potentially compromise private data, organizational information, or even corporate systems at any given moment.

Cybersecurity NIS2 Directive

The European Commission introduced the cybersecurity act – the NIS (Network and Information Security) directive – in 2016 to cope with this challenge within the EU. It aimed to provide a high common level of cybersecurity throughout the Member States. With ever-evolving technologies, changes in the geopolitical environment, the shift to remote work in 2019, etc., EU cybersecurity faced new challenges related to more frequent and sophisticated attacks. This highlighted core areas for improvement within the NIS, which were later considered and addressed in the next revised version of the directive, known as NIS2. The new EU cybersecurity act took a course toward hardening more industries and domains against potential cyberattacks.

Understanding the newest EU cybersecurity regulations

The legislators introduced the revised version of the directive in 2020, and in January 2023 it came into force. It is to be adopted at the Member States’ level by October 2024, and from then on, each company encompassed by NIS2 will be legally obligated to align with the new cybersecurity regulations.

The difference between NIS and NIS2 lies in the broadened scope of requirements, the expanded list of industries covered, and strict provisions for fines. As such, the NIS2 directive now applies to 15 sectors, including industries that were prioritized by NIS (energy, health, finance, transport, drinking water, digital infrastructure) and newly affected entities (public administration, postal services, space, food, manufacturing, chemicals, research, digital providers, waste management). The new list recognizes that cyber threats now have far-reaching consequences, affecting not only critical infrastructure. Therefore, the directive also strongly focuses on supply chain protection, as attacks on it can impact numerous businesses and consumers.

NIS2 compliance assumes significant organizational and technical adjustments that require time, effort, and resources. So, the newly affected entities should start preparing already to minimize potential risks, enable seamless compliance, and hedge their organizations against emerging threats. Further in the article, we’ll walk you through the core specifics and requirements of the NIS2 in detail.

Why cybersecurity legislation is important for European businesses

Europe is a political, economic, and security actor that often becomes a target for malicious attacks. According to Deloitte, the number of cyber-attacks on critical infrastructure in 2020 – 2021 rose by 45% worldwide and by up to 220% across EU Member States. As this indicator may increase further, all businesses must undertake measures against possible cybersecurity incidents. Compliance with NIS2 can not only fortify organizations’ online security but also build a collective defense against emerging threats. Among other things, adhering to NIS2 will help your business with:

  • Proactive risk management to identify and mitigate cyber threats before they cause harm
  • Business continuity for safeguarding uninterrupted operations, even in case of a cyber incident, which minimizes disruption and maintains customer trust
  • Incident reporting to notify national authorities or institutions responsible for cybersecurity law and regulation compliance about incidents or their harmful consequences, saving other organizations from the potential impact
  • Improved collaboration to keep in touch with partners and colleagues, sharing best practices or experience in preventing threats.

New sectors under the NIS2

NIS2 introduces a revised approach to classifying the industries covered by the directive. Unlike its first version, which affected only the operators of essential services, the new directive includes two categories – essential and important entities. The classification of businesses depends on their industry, staff headcount, and annual turnover. It is also important to consider whether the organization holds a leading position in its industry or country. However, an entity of any size may still be deemed essential or important if it is the sole provider of a service critical for social or economic activity in a Member State.

The key difference between the essential and important categories lies in the level of supervision. While essential entities are under continuous monitoring to verify their compliance, important ones undergo inspections only in case of security events, data breaches, or losses.

You may check the following scope of entities to determine whether your business falls under the new directive and, if so, under which category in particular:

Essential Entities (EE)
Size: medium-size companies with over 250 employees, an annual turnover of € 50M, or a balance sheet of € 43M
  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure (cloud providers, data centers, DNS, etc.)
  • ICT service management (B2B): Managed service providers and Managed Security Service Providers
  • Public administration
  • Space

Important Entities (IE)
Size: small-size companies with over 50 employees, an annual turnover of € 10M, or a balance sheet of € 10M
  • Postal & courier services
  • Waste management
  • Manufacture, production & distribution of chemicals
  • Food production, processing & distribution
  • Manufacturing (medical devices, motor vehicles, computers, electrical, and other equipment)
  • Digital providers (online marketplaces, search engines, social media platforms)
  • All the sectors under the Essential Entities within the size thresholds for Important Entities

Penalties & Fines

According to the NIS2 directive, both essential and important entities can be penalized and fined for non-compliance with cyber security laws and regulations. The fines can be up to € 10M or 2% of annual revenue, depending on the severity and impact of the breach or incident.

Additionally, NIS2 emphasizes top management accountability for security within their organizations. So, if management does not take proper measures to protect the company, they can be held personally responsible. They will have to make public announcements about the violation and identify the responsible persons along with the nature of the incident. In severe cases, they could be temporarily banned from holding management positions.
By this, NIS2 intends to strengthen cybersecurity practices and information security law, encouraging management to take proactive steps in safeguarding the organization against cyber threats.

NIS2 requirements & actionable suggestions for complying with the directive

NIS2 conveys the minimum requirements needed to bring European companies in line with cybersecurity standards. The Member States have the flexibility to add specifications regarding their particular governance objectives. This means they may provide further details on the information security regulations to clarify the measures that local organizations need to implement. However, the basic requirements are mandatory across the EU irrespective of the country. Therefore, organizations are now encouraged to start implementing the required cybersecurity measures and best practices as soon as possible. This will allow businesses to lay a robust cybersecurity foundation and enhance it further according to specifications from national legislators.

Starting early allows the newly affected entities to avoid haste when NIS2 comes into force at the national level. Organizations have to work through a particular set of activities to meet the NIS2 cyber regulations, and it makes sense to start with a general assessment of your existing cybersecurity level. This will help you benchmark your current state against the NIS2 requirements and create a step-by-step roadmap toward full compliance. It is also a good idea to prioritize the most comprehensive areas, since those will take more time to implement.

In the table below, you will find actionable suggestions on how to get started with NIS2 compliance:

NIS2 Requirements / How to Comply
Policies on risk analysis & information system incident handling
  • Assess your IT system to identify and evaluate gaps
  • Set up ISO-compliant policies for effective incident handling
  • Implement the overall risk & information security system for swift incident reporting to regulators
Business continuity
  • Define all possible disaster scenarios to mitigate those and prevent performance disruption
  • Implement disaster recovery plan & crisis management procedures in case of a cybersecurity event
  • Develop backup systems to preserve important information and prevent data loss
  • Share a disaster plan with your employees so they can be prepared for different scenarios
Supply chain security
  • Identify critical IT service providers and service suppliers
  • Determine your service providers’ security level to ensure their systems are hedged against threats
  • Set up a collaborative framework that requires the supplier to implement robust measures and meet NIS2 requirements or international cybersecurity laws
Security in network & information systems acquisition, development, and maintenance (incl. vulnerability handling and disclosure)
  • Develop/enhance a comprehensive security policy covering network utilization
  • Assess your existing network & information system conditions to secure configurations and access controls
  • Employ logging and monitoring systems that continuously track and record activities across the network and infrastructure
  • Develop/enhance a well-defined patch management process that ensures necessary updates to software, operating systems, and applications are identified, evaluated, and applied systematically and on time
Policies & Procedures to assess the effectiveness of cybersecurity risk management measures
  • Set regular evaluation sessions of the cybersecurity measures to improve those if needed
Basic cyber hygiene practices & cybersecurity training
  • Set an accountable manager to improve the promotion and enforcement of cyber hygiene practices
  • Arrange regular training for employees to educate your team on cybersecurity law and policy
Policies & procedures regarding cryptography and encryption
  • Estimate your data and possible threats to determine the level of protection required
  • Choose your cryptography method that aligns with industry best practices and standards
  • Create clear policies that outline when and how encryption should be applied to protect sensitive data
  • Establish protocols for the proper implementation and management of encryption mechanisms across systems and networks
Multi-factor authentication or continuous authentication solutions
  • Assess your systems and applications that require more robust authentication measures
  • Integrate a reliable multi-factor authentication solution that requires passwords, biometrics, tokens, etc.
  • Set up regular updates of MFA solutions
Human resources security, access control policies, and asset management
  • Check your policies/procedures regarding human resources security to establish or enhance controls over company information and access

How Sigma Software can help you comply with NIS2 directive

Sigma Software has extensive expertise in legal regulations and cyber compliance. We support our clients with the implementation of cybersecurity procedures and best practices, safeguarding their adherence to standards such as ISO 27001. Currently, our experts help organizations take a proactive approach to meeting the NIS2 directive and support them with the following activities:

  • Examine & assess your compliance readiness to figure out what needs to be implemented or improved
  • Create a roadmap and support with its step-by-step implementation to enhance your readiness for NIS2 requirements
  • Prepare policies on risk analysis & information system incident handling to develop documented guidelines and procedures that outline specific actions, rules, and protocols in case of cybersecurity incidents
  • Set up business continuity plans to work through and get ready for possible disaster scenarios within your organization, safeguarding its performance without any disruptions
  • Conduct regular training on cybersecurity for your development team and basic cyber hygiene awareness courses to educate employees

Don’t hesitate to contact us if you need consultancy or help with preparing for the NIS2 directive adoption. Our cybersecurity experts will safeguard your readiness for cyber legislation.
