The GRC buyer’s guide for 2025: Building resilience with AI-powered, federated solutions
What is the NIS 2 directive?
The NIS 2 Directive (Directive (EU) 2022/2555, the second Network and Information Security Directive) is an EU framework designed to raise the common level of cybersecurity and resilience across critical sectors. Building on the original 2016 directive (Directive (EU) 2016/1148), NIS 2 broadens its scope to cover more sectors, including space, public administration, postal and courier services, and chemicals. It introduces binding cybersecurity risk-management measures, staged incident reporting, and supply chain security obligations, alongside higher penalties for non-compliance. Management bodies are held accountable for approving and overseeing those measures, and reporting obligations follow a three-step timeline: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of the notification.
Member states were required to transpose the directive into national law by 17 October 2024. The national laws enforce these measures, strengthen supply chain security by requiring entities to assess third-party risks, and push organizations to align with recognized cybersecurity frameworks. Administrative fines for essential entities can reach at least €10 million or 2% of total worldwide annual turnover, whichever is higher, reflecting the EU's commitment to a unified and secure digital environment.
Key provisions of the NIS 2 directive
1. Broader Scope: Expands to include more sectors such as space, postal and courier services, chemicals, and public administration. Covers both essential entities (in general, large organizations in the highest-criticality sectors of Annex I) and important entities (in general, medium-sized organizations in Annex I sectors and medium or large organizations in the other critical sectors of Annex II).
2. Incident Reporting: For a significant incident, organizations must submit an early warning within 24 hours of becoming aware of it, an incident notification with an initial assessment within 72 hours, and a final report within one month of the notification.
3. Supply Chain Security: Mandates organizations to assess and manage cybersecurity risks in their supply chains, including suppliers' practices and vulnerabilities.
4. Senior Management Accountability: Requires executive management to oversee cybersecurity measures, approve risk management plans, and take responsibility for non-compliance.
5. Stricter Penalties: Maximum fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% of turnover (whichever is higher) for important entities.
6. Harmonized Rules Across Member States: Implements uniform cybersecurity standards, ensuring consistency while allowing member states to introduce stricter measures.
7. Enhanced Governance: Requires each member state to designate national Computer Security Incident Response Teams (CSIRTs) and tasks ENISA with maintaining a European vulnerability database for better coordination and preparedness.
These provisions aim to improve cybersecurity resilience across the EU and enforce robust compliance mechanisms.
Essential services and digital service providers under NIS 2
The NIS 2 Directive enhances cybersecurity for essential services and digital service providers, recognizing their critical roles in society and the economy.
Essential services: These include sectors such as healthcare, critical infrastructure, financial institutions, and public administration. Their role in societal functioning makes them prime targets for cyber threats, and disruptions can lead to severe consequences. NIS 2 requires these entities to implement stringent security measures, ensure proactive oversight, and undergo regular audits to maintain resilience against cyber risks.
Digital Service Providers (DSPs): Digital providers are integral to the NIS 2 directive, which treats them as a critical sector in their own right. The directive covers three main categories of digital providers:
- Online marketplaces: Platforms such as Amazon, eBay, and Alibaba that allow third-party sellers and buyers to transact. Secure payment processing, protection of customer data, and fraud prevention are essential. These platforms must implement strong security measures to prevent cyberattacks that could compromise both the transactions and the trust of the users involved.
- Online search engines: Platforms such as Google, Bing, and Yahoo that help users navigate and retrieve information from the internet. These providers must secure the systems that crawl, index, and serve results so that the service stays available and its results cannot be manipulated or used to direct users to malicious websites.
- Social networking services: Platforms such as Facebook, Instagram, and Twitter that connect users and enable them to share personal content. Given the volume of sensitive personal data they hold, these providers must prioritize robust access control and privacy protections, safeguard against data breaches and account takeover, and mitigate risks such as phishing and identity theft to ensure a secure online environment for users.
Key obligations and requirements under NIS 2
1. Obligations for essential entities and competent authorities
- Essential entities (e.g., energy, transport, banking, healthcare) must secure their systems and data against cyber threats.
- Competent authorities oversee and audit these security measures, ensuring compliance and incident response coordination.
- Cybersecurity training is mandatory for management, who must also foster cybersecurity awareness across their teams.
2. Security requirements for essential entities and Digital Service Providers (DSPs)
- Essential entities and DSPs must take appropriate and proportionate technical, operational, and organizational measures covering, at a minimum: policies on risk analysis and information system security; incident handling; business continuity (backups, disaster recovery, crisis management); supply chain security; security in acquiring, developing, and maintaining systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of these measures; basic cyber hygiene and training; cryptography and, where appropriate, encryption; human resources security, access control, and asset management; and multi-factor or continuous authentication and secured communications where appropriate.
- Business continuity plans and supply chain security protocols are required to maintain operations during disruptions.
- Regular system maintenance and upgrades, including timely vulnerability handling, are needed to stay resilient against evolving cyber risks.
3. Responsibilities of national authorities
- National authorities designate and oversee competent authorities, assess essential entities' cybersecurity, and manage DSP frameworks.
- They collaborate with operators and stakeholders to address cybersecurity risks and ensure regulatory compliance.
4. Enforcement, business continuity, and cybersecurity training
- Enforcement: Non-compliance by an essential entity can result in fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher. Competent authorities can conduct regular and targeted audits, on-site inspections, and security scans.
- Business Continuity: Organizations must have robust recovery plans, including backup systems and crisis response teams.
- Cybersecurity Training: Employees in essential sectors must receive training on threat recognition and secure practices.
5. Reporting obligations
- Early Warning: Submitted within 24 hours of becoming aware of a significant incident, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident Notification: Submitted within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- Final Report: Submitted within one month of the incident notification, with a detailed description of the incident, its type of threat or root cause, the mitigation measures applied, and any cross-border impact. Entities must also provide status updates or intermediate reports on request.
By adhering to NIS 2 guidelines, organizations and national authorities enhance cybersecurity, maintain operational resilience, and safeguard essential digital infrastructures.
Summary
The NIS 2 Directive is an EU directive, transposed into each member state's national law, aimed at improving cybersecurity resilience across critical sectors by expanding its scope to include industries such as space, public administration, postal and courier services, and chemicals. It requires essential services such as energy, healthcare, and banking to implement stringent security measures, conduct regular risk assessments, and ensure supply chain security. The directive holds senior management accountable for cybersecurity compliance and mandates incident reporting within tight timeframes. Penalties for non-compliance by essential entities can reach at least €10 million or 2% of global turnover, whichever is higher. With a focus on harmonized standards and strengthened national cooperation, NIS 2 aims to safeguard essential digital infrastructures and enhance operational resilience across the EU.