What is the NIS 2 Directive and how does it impact your organization?

Today, organizations face advanced and numerous cyber threats that endanger their very existence. In 2023 alone, a staggering 8,302 security incidents occurred in the European, Middle Eastern, and African (EMEA) regions, with 6,005 involving data disclosure according to Verizon’s 2024 Data Breach Investigations Report. As a solution to more frequent and evolving cyberattacks, the European Union enacted the NIS Directive to establish EU-wide policies on cybersecurity and enhance organizations’ cyber resilience.

The NIS Directive was recently updated and replaced by the NIS 2 Directive, which builds on the previous legislation and introduces several new requirements that all 27 EU member states must fulfill by October 2024. To help your organization navigate this transition and ensure your compliance, this article contains all you need to know about the NIS 2 Directive. Read on to learn more:

What is the NIS 2 Directive?

In August 2016, the Network and Information Security Directive, which was the first piece of legislation to provide legal measures for cybersecurity across the EU, was entered into force.

The law mandates rules and requirements for boosting the security posture of critical infrastructure in the EU. Under the directive, public and private entities that operate essential services, as well as digital service providers, must meet the established baseline of security in their networks and information systems by undergoing a cybersecurity risk assessment, putting appropriate security measures in place, and reporting major incidents to relevant authorities.

To improve on the directive and address its limitations, the European Commission proposed the NIS 2 Directive. It was first published in December 2022 and came into effect in January 2023. The NIS 2 Directive provides organizations with a framework for cyber risk management, incident reporting, supply chain security, information sharing, and governance. All organizations in the EU must implement the required security measures specified in the directive and secure their compliance by October 17, 2024.

Which organizations does NIS 2 apply to?

Organizations can determine whether they need to comply with the obligations set by NIS 2 if they satisfy the following criteria:

• Location: NIS 2 applies to organizations that are located or carry out services within any country in the European Union
• Size: Large entities (with 250 employees or more) and medium companies (with 50-249 employees) are subject to NIS 2 compliance
• Sector: Organizations operating in any of the sectors indicated in the directive must fulfill its requirements
  

One of the key differences between the original directive and NIS 2 is that it expands its scope to include all medium and large companies, as well as small entities with a high-security risk profile within the specified sectors. The new law also moves away from classifying entities as operators of essential services and digital service providers and now categorizes them as either essential or important.

Aside from the seven sectors originally included in the directive, NIS 2 adds 4 new sectors under essential entities and features the inclusion of new industries under important entities:

If your organization is located within any of the 27 EU member states, is considered medium or large, and falls under any of the sectors mentioned above, it is mandatory that you comply with the requirements of the NIS 2 Directive.

What are the requirements of NIS 2?

The NIS 2 Directive requires organizations to implement a combination of technical, operational, and organizational measures to manage risks and prevent or mitigate the impact of incidents. Organizations must ensure the application and operation of the following minimum security measures to comply with NIS 2:

1. Risk assessment procedures and information security policies
2. Incident management procedures
3. Business continuity plan, which includes backup management, disaster recovery, and crisis management
4. Supply chain security covering direct suppliers or service providers
5. Security for the acquisition, development and maintenance, and vulnerability management of network and information systems
6. Assessment of the effectiveness of cybersecurity risk management measures
7. Cybersecurity training including basic cyber hygiene practices
8. Policies and procedures for the use of cryptography and encryption
9. Human resources security, which involves access control policies and asset management
10. The use of multi-factor authentication and encrypted communication systems within the organization

While retaining the key elements of the old directive, NIS 2 also adds new security components. Its specific requirements include:

• Cybersecurity risk management – Organizations must implement cybersecurity risk management measures such as performing risk assessments, implementing information security policies, incident management and response, and more

• Reporting – Organizations must report to their Member State’s designated Computer Security Incident Response Team (CSIRT) any incident that significantly impacts their ability to deliver essential or important services. This involves submitting an early warning within 24 hours of discovering the incident, a full notification report within 72 hours, a temporary report, and a final or progress report within one month after the initial notification.

• Supply chain security – Organizations must assess the cybersecurity practices of their suppliers and service providers. This means that suppliers that do not necessarily fall under the sectors covered by NIS 2 but provide products or services to entities that must comply with NIS 2, will be regulated by the directive as well.

• Corporate accountability – Boards and executives must actively engage in the organization’s cybersecurity and risk management initiatives. NIS 2 includes a personal responsibility clause to strengthen governance and enhance the accountability of top management within organizations.

Streamline your NIS 2 compliance with 6clicks

Manage risks and incidents, secure your networks, and achieve regulatory compliance all in one platform. 6clicks’ Security Compliance solution enables you to develop and seamlessly align your organization’s cybersecurity and risk management program with the NIS 2 framework and expedite your compliance process.

Put in place security policies and controls through our Policy & Control Management solution and leverage 6clicks’ comprehensive IT Risk Management capabilities to conduct risk assessments and implement risk mitigation measures.

Evaluate the security of your suppliers and their associated risks using our Vendor Risk Management functionality. Then, with 6clicks’ Issue & Incident Management features, utilize custom submission forms and systematic incident registers to meet the incident reporting and management requirements of NIS 2.

Get started on your NIS 2 compliance journey with 6clicks by booking a demo below.