Getting Started with NIS2 Compliance
The Network and Information Security (NIS) Directive is EU cybersecurity legislation designed to strengthen the security of critical infrastructure sectors. The first directive was adopted in 2016, and its second, extended version (NIS2) is now being transposed into national law. In this article, we explore the changes introduced by NIS2 and give organizations actionable suggestions for complying with it.
In our interconnected and digitalized world, strengthening cybersecurity has become a shared responsibility at the individual, national, and global levels. Digital systems simplify countless daily routines and tasks. However, this dependency on systems also leaves us exposed to cyber threats that can compromise private data, organizational information, or entire corporate systems at any moment.
The EU adopted the NIS (Network and Information Security) Directive in 2016 to address this challenge within the Union. It aimed to establish a high common level of cybersecurity across the Member States. Evolving technologies, a changing geopolitical environment, the rapid shift to remote work in 2020, and more frequent and sophisticated attacks confronted the EU with new challenges and exposed gaps in the original directive. These were addressed in its revised version, known as NIS2, which extends the directive's hardening requirements to many more industries and domains.
Understanding the newest EU cybersecurity regulations
The European Commission proposed the revised directive in December 2020, and it entered into force in January 2023. Member States must transpose it into national law by 17 October 2024; from then on, every company within the scope of NIS2 is legally obligated to comply with the new cybersecurity rules.
The differences between NIS and NIS2 lie in the broadened scope of requirements, the expanded list of covered sectors, and strict provisions for fines. NIS2 now applies to 18 sectors split across two annexes. These include the sectors already prioritized by NIS (energy, transport, banking and financial market infrastructure, health, drinking water, digital infrastructure) as well as newly added or expanded ones (public administration, postal and courier services, space, food, manufacturing, chemicals, research, digital providers, waste and waste water management). The new list recognizes that cyber threats now have far-reaching consequences beyond classic critical infrastructure. The directive therefore also puts a strong focus on supply chain security, since an attack on a single supplier can affect numerous businesses and consumers at once.
NIS2 compliance involves significant organizational and technical adjustments that require time, effort, and resources. Newly affected entities should start preparing now to minimize risk, make compliance as smooth as possible, and protect their organizations against emerging threats. Below, we walk you through the core specifics and requirements of NIS2 in detail.
Why cybersecurity legislation is important for European businesses
Europe is a political, economic, and security actor that is frequently targeted by malicious attacks. According to Deloitte, the number of cyber-attacks on critical infrastructure in 2020 – 2021 rose by 45% worldwide and by up to 220% across EU Member States. As this trend may continue, all businesses must take measures against possible cybersecurity incidents. Compliance with NIS2 not only strengthens an organization's own security but also builds a collective defense against emerging threats. Among other benefits, adhering to NIS2 will help your business with:
- Proactive risk management to identify and mitigate cyber threats before they cause harm
- Business continuity to safeguard uninterrupted operations even during a cyber incident, minimizing disruption and maintaining customer trust
- Incident reporting to notify the national authorities or CSIRTs responsible for NIS2 enforcement about significant incidents and their consequences (NIS2 sets a 24-hour early warning, a 72-hour incident notification, and a final report within one month), so that other organizations can be warned of the potential impact
- Improved collaboration with partners and peers, sharing best practices and experience in preventing threats.
New sectors under the NIS2
NIS2 introduces a revised approach to classifying the organizations covered by the directive. Unlike the first version, which distinguished operators of essential services from digital service providers, the new directive defines two categories: essential and important entities. Classification depends on the entity's sector, staff headcount, annual turnover, and balance sheet total. However, an entity of any size may still be deemed essential or important if it is the sole provider of a service that is critical for social or economic activity in a Member State, or if a disruption of its service could significantly affect public safety, security, or health, or induce systemic risk.
The key difference between the essential and important categories lies in the level of supervision. Essential entities are subject to proactive (ex ante) supervision, including regular audits and inspections, to verify their compliance. Important entities are supervised only reactively (ex post), when authorities receive evidence or indications of non-compliance, for example after a security incident or data breach.
Use the following scope criteria to determine whether your business falls under the new directive and, if so, in which category:

| Essential Entities (EE) | Important Entities (IE) |
|---|---|
| Size: large enterprises (250 or more employees, or annual turnover above € 50M and a balance sheet total above € 43M) operating in a high-criticality sector such as energy, transport, banking, health, drinking water, or digital infrastructure; certain providers (e.g. DNS and TLD registries) qualify regardless of size | Size: medium-sized enterprises (50 to 249 employees, or annual turnover above € 10M and a balance sheet total above € 10M) in a high-criticality sector, plus medium and large enterprises in the other covered sectors (postal services, waste management, chemicals, food, manufacturing, digital providers, research) |
Penalties & Fines
Under the NIS2 directive, both essential and important entities can be penalized and fined for non-compliance. For essential entities the fines can reach € 10M or 2% of total worldwide annual turnover, whichever is higher; for important entities, € 7M or 1.4% of turnover, whichever is higher. The actual amount depends on the severity and impact of the violation.
Additionally, NIS2 emphasizes top management accountability for security within the organization. Management bodies must approve and oversee the cybersecurity risk-management measures, and if they fail to do so they can be held personally liable. Supervisory authorities can order an entity to publicly disclose aspects of its non-compliance, including the nature of the incident and the persons responsible. In severe cases involving essential entities, executives can be temporarily banned from holding management positions.
By this, NIS2 intends to strengthen cybersecurity practices and information security law, encouraging management to take proactive steps in safeguarding the organization against cyber threats.
NIS2 requirements & actionable suggestions for complying with the directive
NIS2 sets the minimum requirements needed to bring European companies in line with a common cybersecurity baseline. Member States have the flexibility to add specifications reflecting their own governance objectives, so national legislation may further detail the measures local organizations must implement. The baseline measures themselves, however, are mandatory across the EU irrespective of country. Organizations are therefore encouraged to start implementing the required cybersecurity measures and best practices as soon as possible. This lets businesses lay a robust cybersecurity foundation and refine it later according to the specifications of their national legislators.
Starting early also lets newly affected entities avoid a last-minute rush once NIS2 comes into force at the national level. Organizations have to work through a defined set of activities to meet the NIS2 requirements, and it makes sense to begin with a general assessment of your current cybersecurity posture. This lets you benchmark your current state against the NIS2 requirements and create a step-by-step roadmap toward full compliance. It is also a good idea to prioritize the most extensive areas first, since those take the longest to implement.
The cybersecurity risk-management measures that NIS2 (Article 21) requires every covered entity to implement are listed below; use them as the checklist for your gap assessment:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, including backup management, disaster recovery, and crisis management
- Supply chain security
- Security in network and information systems acquisition, development, and maintenance (incl. vulnerability handling and disclosure)
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- Multi-factor authentication or continuous authentication solutions, and secured voice, video, and text communications
How Sigma Software can help you comply with NIS2 directive
Sigma Software has extensive expertise in legal regulations and cyber compliance. We support our clients in implementing cybersecurity procedures and best practices and in maintaining adherence to standards such as ISO 27001. Our experts currently help organizations take a proactive approach to meeting the NIS2 directive through the following activities:
- Examine and assess your compliance readiness to identify what needs to be implemented or improved
- Create a roadmap and support its step-by-step implementation to enhance your readiness for the NIS2 requirements
- Prepare policies on risk analysis and incident handling: documented guidelines and procedures that define specific actions, rules, and protocols for cybersecurity incidents
- Set up business continuity plans to work through possible disaster scenarios within your organization and keep it operating without disruption
- Conduct regular cybersecurity training for your development team and basic cyber hygiene awareness courses for all employees
Don't hesitate to contact us if you need consultancy or help preparing for the NIS2 directive. Our cybersecurity experts will help ensure your readiness for the new legislation.
Sigma Software provides IT services to enterprises, software product houses, and startups. Working since 2002, we have built deep domain knowledge in AdTech, automotive, aviation, the gaming industry, telecom, e-learning, FinTech, and PropTech. We constantly work to enrich our expertise with machine learning, cybersecurity, AR/VR, IoT, and other technologies. Here we share insights into tech news, software engineering tips, business methods, and company life.