NIS 2 Directive: a comprehensive guide for organizations

22/01/2024

Introduction

The NIS 2 Directive stands as a pivotal piece of legislation designed to bolster cybersecurity throughout the European Union. This directive marks a notable departure from its predecessor (Directive (EU) 2016/1148) and introduces measures to establish a consistently high level of cybersecurity across the Union. By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.

Understanding the NIS2 Directive

The NIS2 Directive, officially recognised as Directive (EU) 2022/2555, was crafted collaboratively by the European Parliament and the Council of the European Union. Its primary objective is to elevate cybersecurity standards across the EU by amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 while repealing Directive (EU) 2016/1148.

Who is Affected by NIS2?

The NIS2 Directive casts a wide net, impacting all entities that provide essential or important services to the European economy and society. The affected categories are delineated as follows:

  • Essential Entities (EE)
    • Energy
    • Transport
    • Finance
    • Public Administration
    • Health
    • Space
    • Water supply (drinking & wastewater)
    • Digital Infrastructure (e.g., cloud computing service providers and ICT management)
  • Important Entities (IE)
    • Postal Services
    • Waste Management
    • Chemicals
    • Research
    • Foods
    • Manufacturing (e.g., medical devices and other equipment)
    • Digital Providers (e.g., social networks, search engines, online marketplaces)

It’s important to note that an entity may still be classified as “essential” or “important,” even if it does not meet size criteria, particularly when it is the sole provider of a critical service for societal or economic activity in a Member State.

Assessing Compliance with NIS2

Organisations can evaluate their compliance with the NIS2 Directive by following a structured approach, like the one designed by Auren:

A) Assessment

  • Understand the NIS2 Directive: The foundational step is to comprehensively understand the NIS2 Directive, its requirements, and its implications for your organisation.
  • Identify Your Organization’s Category: Determine whether your organisation falls under the category of Essential Entities (EE) or Important Entities (IE) as defined by the NIS2 Directive.

B) Gap Analysis

  • Review Current Cybersecurity Measures: Conduct a thorough assessment of your current cybersecurity measures and compare them with the specific requirements outlined in the NIS2 Directive.

C) Roadmap

  • Implement Necessary Changes: Implement any necessary changes to align with the NIS2 Directive’s requirements, which may involve strengthening security protocols, addressing supply chain security, streamlining reporting obligations, and adopting more stringent supervisory measures.

D) Control and Continuous Improvement

  • Regular Monitoring and Reporting: Establish a system for ongoing monitoring of your organisation’s compliance with the NIS2 Directive and promptly report any incidents, as required by the directive.

Consult Auren’s experts, who, together with cybersecurity specialists or legal advisors, will guide you towards comprehensive compliance.

Penalties for Non-Compliance

Understanding the potential penalties for non-compliance is crucial for organisations subject to the NIS2 Directive. Penalties may include:

  • Non-monetary Remedies:
    • Compliance orders
    • Binding instructions
    • Security audit implementation orders
    • Threat notification orders to entities’ customers
  • Administrative Fines:
    • For Essential Entities, the directive requires Member States to provide a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.
    • For Important Entities, the directive requires Member States to provide a maximum fine level of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

Additionally, there is a set of Criminal Sanctions, namely:

  • NIS2 includes new measures to hold top management personally liable and responsible for gross negligence in the event of a security incident.
    • Specifically, NIS2 allows Member State authorities to hold organisation managers personally liable if gross negligence is proven after a cyber incident.
    • This includes ordering that organisations make compliance violations public and making public statements identifying the natural and legal person(s) responsible for the violation and its nature.
    • If the organisation is an essential entity, authorities may temporarily ban an individual from holding management positions in case of repeated violations.

These measures are designed to hold C-level management accountable and prevent gross negligence in managing cyber risks. The specific fines will vary depending on the Member State, but the Directive establishes a minimum list of administrative sanctions for breaches of the cybersecurity risk management and reporting obligations. As the NIS2 Directive becomes fully integrated, organisations that proactively adhere to its principles contribute not only to their cybersecurity resilience but also to the collective strength of the European Union against evolving cyber threats.

Rui Ribeiro from Consulting & Technology, Auren Portugal