The updated Network and Information Security Directive (NIS 2) entered into force on 16 January 2023, and the directive itself requires Member States to transpose its requirements into national law by 17 October 2024. Organizations that operate and provide services within the 27 Member States of the European Union therefore have only a few months left to adjust their compliance practices and align with NIS 2.
To ensure that your organization is ready to go through the compliance process, we have prepared a guide to help you navigate the changes and new obligations that you need to fulfill. Read on to learn more:
What are the key changes in NIS 2?
The original NIS Directive, adopted in 2016, was the first EU-wide cybersecurity law; it established a cybersecurity risk management framework for enhancing the security posture of critical service providers in the EU. It has since been revised and replaced by the NIS 2 Directive, which was published in the Official Journal of the European Union in December 2022.
Just like the first directive, NIS 2 outlines a set of requirements in the form of minimum security measures that organizations in specified sectors must implement. These include conducting risk assessments, establishing information security policies, reporting high-severity incidents to national authorities, evaluating the effectiveness of cybersecurity risk management measures, and more. Significant changes between the previous directive and NIS 2 include:
Extended scope
While NIS 1 covered private and public entities that were either operators of essential services or digital service providers, NIS 2 applies to all medium-sized enterprises (broadly, those with 50 to 249 employees, with the turnover and balance sheet thresholds of the EU SME definition also applying) and large enterprises (those with 250 or more employees) that operate in the sectors listed in its two annexes. Such entities are then classified as either essential or important, depending mainly on their sector and size. A few kinds of entity, such as DNS service providers, TLD name registries and qualified trust service providers, are in scope regardless of size. NIS 1 covered 7 sectors of operators of essential services, but NIS 2 has broadened its scope considerably: Annex I (sectors of high criticality) adds 4 sectors to the original 7, namely waste water, ICT service management (business-to-business), public administration and space, and Annex II (other critical sectors) adds 7 more: postal and courier services, waste management, the manufacture, production and distribution of chemicals, the production, processing and distribution of food, manufacturing, digital providers, and research.
Entities are expected to determine for themselves whether the services they provide bring them within the scope of NIS 2, and to submit their details to the competent authority of the Member State in which they are established so that it can compile its list of essential and important entities.
More precise provisions for incident reporting
As under NIS 1, each Member State designates one or more Computer Security Incident Response Teams (CSIRTs) and competent authorities to receive incident notifications from entities. NIS 2 now defines more stringent incident reporting procedures and timeframes. For any significant incident, both essential and important entities must issue an early warning to the CSIRT or competent authority within 24 hours of becoming aware of it, submit an incident notification within 72 hours that updates the early warning and gives an initial assessment of severity, impact and indicators of compromise, provide an intermediate status report if the CSIRT or authority requests one, and submit a final report no later than one month after the incident notification. If the incident is still ongoing at that point, a progress report is submitted instead, with the final report due within one month of the incident being handled.
Focus on supply chain security
NIS 2 also puts greater emphasis on supplier relationships and on addressing risks in supply chains. Under the directive, in-scope entities must cover supply chain security in their risk management measures, including assessing the cybersecurity practices and vulnerabilities of their direct suppliers and service providers. In practice this means that organizations outside the direct scope of the directive are still affected: if they provide products or services to essential or important entities, they can expect those customers to require evidence of security measures aligned with NIS 2, typically through contract terms and assessments. Such suppliers and service providers are not supervised by national authorities directly, but by the entities they work with.
Corporate accountability
One of the most important provisions of the NIS 2 Directive is the personal responsibility it assigns to the members of an organization's management bodies. NIS 2 requires management bodies to approve the cybersecurity risk management measures the entity adopts, to oversee their implementation, and to follow cybersecurity training themselves, while also offering similar training to employees on a regular basis. Members of management bodies can be held liable for infringements of these obligations. For essential entities, Member States can go further and temporarily prohibit a person with managerial responsibilities at chief executive or legal representative level from exercising managerial functions until the entity remedies the infringement.
Penalties and enhanced regulatory supervision
Lastly, under NIS 2, organizations are subject to hefty fines and stricter oversight from national authorities. In case of non-compliance, important entities face administrative fines with a maximum of at least EUR 7 million or 1.4% of their total worldwide annual turnover for the preceding financial year, whichever is higher, while essential entities face fines with a maximum of at least EUR 10 million or 2% of that turnover, whichever is higher. Supervision also differs by category: essential entities are subject to proactive (ex ante) as well as reactive supervision, while important entities are supervised after the fact (ex post), for example when evidence of non-compliance surfaces. Authorities may conduct on-site and off-site inspections, regular and ad hoc audits, and random checks and security scans, and may request access to the data, documents and other evidence needed to verify an organization's cybersecurity implementation.
How can you prepare your organization for NIS 2?
There are several steps you can take to ensure that your organization is well-prepared to become NIS 2 compliant. They include:
- Familiarizing yourself with NIS 2: Before applying the NIS 2 framework to your organization, first develop a thorough understanding of its scope and requirements. Determine whether your organization is considered an essential or important entity, in which Member State it is established, and what your corresponding regulatory and jurisdictional obligations are.
- Getting top management on board: By gaining the support of executives and board members, your organization can streamline the necessary preparations such as budgeting and resource allocation. Once you have stakeholder buy-in, you can jumpstart planning and set goals and timelines for compliance activities.
- Assessing current cybersecurity readiness: The starting point for achieving compliance with NIS 2 is a gap assessment of your organization's cybersecurity status. This involves identifying critical products or services, assets, and stakeholders and their associated risks, and examining existing operational processes, security policies and controls, and risk and incident management procedures against the measures the directive requires. Organizations can verify their cybersecurity practices by performing internal audits or security assessments.
- Implementing corrective measures and improvements: After reviewing your cybersecurity implementation and determining your level of compliance with the legal measures specified in the directive, you can then proceed to apply improvements and address non-conformities in your cybersecurity framework. Building an information security management system (ISMS), establishing incident response and third-party risk management procedures, putting in place controls like encryption and multi-factor authentication, and updating your security policies are some of the actions you can carry out to align your organization with NIS 2.
- Building a strong security culture: Since cybersecurity training is one of the specific requirements outlined in the directive, fostering a culture of security awareness and cyber resilience is a critical aspect of NIS 2 compliance. By ensuring that cybersecurity risk management strategies and initiatives are communicated to all stakeholders, educating employees on good cyber hygiene practices, internal policies, and security procedures, and onboarding suppliers to verify their security and compliance, organizations can cultivate a mature security culture.
Become NIS 2 compliant with 6clicks
The 6clicks platform can equip your organization with AI-powered capabilities and cybersecurity risk management solutions to fast-track your NIS 2 compliance.
Start your compliance journey by getting access to the NIS 2 Directive. The 6clicks Content Library is where users can freely download the NIS 2 framework among other standards, regulations, templates, and more. Then, quickly analyze and assess your compliance with NIS 2 using the compliance mapping capability of Hailey, 6clicks’ AI engine.
6clicks’ IT Risk Management solution enables you to store and organize your risks, perform risk assessments, and create risk treatment plans, all within one powerful risk register to streamline your risk management efforts. You can also onboard, assess, and manage risks and issues associated with your suppliers and service providers using 6clicks’ Vendor Risk Management and Issue & Incident Management features.
Meanwhile, you can utilize 6clicks’ custom incident submission forms, automated workflows, and integrated task assignment capabilities to optimize and align your incident reporting and response processes with the requirements of NIS 2.
Finally, 6clicks’ Policy & Control Management capability allows you to enforce and monitor security controls to comply with the security measures mandated by the NIS 2 Directive.
Learn the various ways 6clicks can benefit your organization by scheduling a consultation with one of our experts.
Frequently asked questions
What is the difference between NIS 1 and NIS 2?
The NIS Directive is an EU legislation that imposes cybersecurity requirements on operators of essential services and digital service providers. It has recently been updated to NIS 2. Some of the key differences between NIS 1 and the NIS 2 Directive include revisions to the categorization of organizations, extended coverage across more sectors, more detailed incident reporting requirements, and an enhanced focus on supply chain security and management accountability.
Who is affected by the NIS 2 Directive?
Medium and large organizations that are established in, or provide services within, any of the 27 EU Member States and operate in essential or important sectors such as banking, healthcare, food, chemicals, and more are required to comply with NIS 2. Suppliers and service providers of essential and important entities are affected indirectly, since those entities must manage supply chain risk and will typically require their suppliers to demonstrate comparable security practices.
What is the timeline for NIS 2 compliance?
Member States must transpose NIS 2 into national law by 17 October 2024, and the national measures apply from 18 October 2024, so organizations covered by the directive should have implemented its requirements by then. Member States must also establish their lists of essential and important entities by 17 April 2025, and entities must provide the information needed for that registration.
Written by Louis Strauss
Louis is the Co-founder and Chief Product Marketing Officer (CPMO) at 6clicks, where he spearheads collaboration among product, marketing, engineering, and sales teams. With a deep-seated passion for innovation, Louis drives the development of elegant AI-powered solutions tailored to address the intricate challenges CISOs, InfoSec teams, and GRC professionals face. Beyond cyber GRC, Louis enjoys reading and spending time with his friends and family.