Estimated companies affected by NIS2
Or 2% of annual turnover—max fine for non-compliance
Number of sectors covered by NIS2 Directive
NIS2 will take effect
OVERVIEW
What is the NIS2 directive?
The NIS2 Directive, an updated EU cybersecurity rule introduced to address gaps from its predecessor, the NIS, has a wider scope, encompassing more sectors than before. It aims to unify cybersecurity standards across the EU and introduce stricter penalties for those who don't comply.
The directive emphasizes a risk-based approach, meaning organizations should protect their systems based on potential threats. Collaboration is key, as NIS2 encourages information sharing among stakeholders. Moreover, it requires comprehensive incident reporting to help understand and counter emerging threats.
Main goals & objectives of the NIS2
Implement effective risk management
Ensure corporate accountability for cybersecurity
Establish efficient reporting obligations for security incidents
Develop robust business continuity plans for cyber incidents
NIS & NIS2: What’s the difference?
The NIS2 directive is an evolution of the foundational NIS framework, reflecting the changing landscape of cybersecurity and the need for robust regulations in a digital age. While it retains the core principles of the original NIS, NIS2 introduces a series of significant enhancements that address emerging threats and challenges. These modifications are not just extensions but are pivotal shifts designed to encompass a wider range of entities and promote a more holistic approach to cyber security.
- A broader spectrum of enterprises, governmental bodies, and organizations fall under the purview of NIS2.
- Increased emphasis on ensuring that partners and suppliers adhere to cybersecurity protocols.
- Implementation of sanctions, reminiscent of those found in GDPR.
- Mandated cybersecurity training for management teams.
- Obligatory reporting of cybersecurity incidents.
- Encouragement of encryption practices.
Sectors affected by the NIS2
NIS2 classifies organizations as either "Essential Entities" (EE) or "Important Entities" (IE). Public or private entities in these sectors with over 50 employees and an annual turnover above 10M have to determine their group and follow the related rules.
Elevating the fortification of Europe's critical sectors to ensure societal and economic stability.
Energy
Covers the crucial energy sectors of electricity, oil, and gas, underscoring their importance in everyday functions and the need for cybersecurity.
Transport
Focuses on the major modes of transport: air, rail, sea, and road, highlighting their role in connecting people and places.
Healthcare
Prioritizes the protection of healthcare settings, encompassing both public hospitals and private clinics, given their role in public welfare.
Public Administration
Emphasizes the protection of public services, reflecting the directive's commitment to ensure uninterrupted and secure administrative functions.
Banking & Financial Market Infrastructure
Addresses the backbone of our financial system, spotlighting areas like payment services that facilitate economic activities.
Digital Infrastructures
Targets foundational digital services, such as those providing DNS and TLD registries, acknowledging their role in the digital ecosystem.
Water Supply
Focuses on the preservation and security of both drinking water and wastewater systems, which are vital for public health.
Space
Illuminates the strategic significance of the space sector, ensuring it meets high cybersecurity standards given its impact on various technologies and services.
Amplifying security measures across key industries to safeguard the continuity of daily life.
Digital Providers
Encompassing a broad array of digital services such as search engines, online marketplaces, and social networks, this sector is pivotal in today's interconnected world.
Food
Covering the full spectrum from farm to fork, this sector ensures that every stage—from farming and processing to retail—is secure and robust.
Postal & Courier Services
As the lifeline for communications and goods delivery, this sector must uphold a fortified digital defense, ensuring consistent and safe operations.
Research organizations
As a hub of innovation and progress, this sector is pivotal, driving forward scientific breakthroughs while being a potential target for cyber threats.
Chemicals
This sector, vital for Europe's industrial competitiveness, spans from the creation to the distribution of chemicals, serving as a bedrock for innovative solutions.
Manufacturing
A broad field that includes the making of items like medical devices, electronics, machinery, vehicles, and transport equipment, it's at the heart of Europe's production capabilities.
Waste Management
Handling everything from collection to disposal, it's essential this sector remains secure to ensure the environment and public health are protected.
Enforcing a blanket of cybersecurity to protect every entity, big or small, against emerging threats.
Public telecom & ISP providers
Those offering publicly available communication networks and services, such as telecom companies and internet service providers.
Trust service providers
Entities that offer digital trust services, ensuring the authenticity of electronic transactions and communications.
Sole providers of a critical service
Unique entities that are the only sources of specific, vital services critical to daily operations or infrastructure.
TLD registries & DNS providers
Organizations managing top-level domain listings and the systems directing internet traffic to the correct addresses.
Domain name registrars
Businesses that oversee the reservation of internet domain names, ensuring each is unique and correctly assigned.
Entities crucial for safety, security, or health
Vital organizations whose disruption could jeopardize public safety, security measures, or health outcomes.
Central or regional public administration entities
Main governmental bodies at central or regional levels, playing a pivotal role in public governance and administration.
CRITERIA
Understanding the building blocks of NIS2
Organizations under NIS2 must proactively implement policies and measures to minimize cybersecurity threats. This includes a core set of measures encompassing risk analysis, incident response, encryption, improved access control, and addressing vulnerabilities in their ICT supply chain. Moreover, entities should undertake vulnerability assessments to ensure that measures align with the entity's exposure to potential risks and the potential societal and economic impacts of such threats.
Incident management system Create a comprehensive incident management system for timely detection, analysis, and response to cybersecurity events. Features should include automated alerts, classification of incidents, and detailed response strategies.
Access control mechanisms Strengthen access control with multi-factor authentication, role-based access control, and enhanced privilege management to safeguard critical systems and data. Identity and access management (IAM) solutions
Supply chain security Enhance supply chain security by regularly auditing and assessing third-party vendors. Ensure these vendors adhere to security standards and establish secure communication protocols.
Data encryption Implement comprehensive end-to-end encryption for sensitive data to ensure its confidentiality and integrity.
Network security upgrades Improve network security with advanced firewall technologies, intrusion detection and prevention systems, and continuous monitoring features to identify and mitigate unauthorized access or suspicious activities. Network security solutions
NIS2 emphasizes that management bodies of in-scope entities are responsible for overseeing and approving cybersecurity risk management measures. They are expected to undergo regular training to identify and assess cybersecurity risks and their potential impact on services. Moreover, breaches might lead to management being held liable, which underscores the heightened corporate responsibility under this directive.
Management training program Introduce mandatory cybersecurity training for corporate management to increase awareness of cyber risks, best practices, and organizational cybersecurity policies. Explore SoSafe awareness trainings
Cybersecurity oversight committee Form an executive-level committee to oversee cybersecurity measures, develop policies, and manage cybersecurity budgets.
Risk reporting & mitigation Develop a structured mechanism for management to regularly report on cybersecurity risks, vulnerabilities, and mitigation strategies.
Penalties & incentives Establish a framework of penalties for non-compliance and incentives for proactive cybersecurity risk management.
Cybersecurity compliance audits Regularly conduct audits to evaluate management's adherence to cybersecurity policies and identify areas for enhancement.
In-scope entities are mandated to promptly report significant incidents. This includes an "early warning" within 24 hours of awareness, followed by a comprehensive incident notification within 72 hours to competent national authorities. Affected users should also be notified promptly, ensuring a robust and transparent communication process during cybersecurity incidents.
Incident reporting platform Utilize systems enabling suppliers, vendors, and customers to efficiently report all kinds of cybersecurity incidents.
Automated incident notifications Set up an automated system for escalating alerts and notifications to relevant stakeholders, including regulatory bodies, within prescribed timeframes.
Incident classification guidelines Develop clear guidelines for categorizing incidents based on severity and impact to ensure consistent reporting and effective response protocols.
Incident documentation & reporting process Establish a detailed process for documenting incident details, responses, and post-incident analysis to enhance organizational learning and response improvement.
Incident response teams Form specialized teams equipped with the necessary tools and expertise for prompt handling and containment of cybersecurity incidents.
In the face of major cyber incidents, organizations are expected to have a business continuity plan. This entails strategies for system recovery, emergency procedures, and the establishment of a crisis response team. The emphasis is on ensuring uninterrupted business operations and quick recovery after significant cybersecurity events.
Redundancy & backup Implement data redundancy and backup strategies to maintain data availability and system resilience during and post-cyber incidents.
Business impact assessment Conduct thorough assessments to identify key systems and processes critical for operations during cyber incidents.
Cyber incident response plan Develop a comprehensive plan detailing step-by-step procedures for cyber incident management, including communication strategies, recovery tactics, and roles of crisis response teams.
Cybersecurity awareness training Provide organization-wide training on the business continuity plan and employee roles in minimizing disruptions during cyber incidents.
Regular plan testing & drills Periodically test and conduct simulated drills of the business continuity plan to identify gaps, enhance response efficiency, and ensure the plan’s ongoing effectiveness.
GUIDELINES
Minimum cybersecurity measures for NIS2 compliance
Risk management policies
Establish policies on risk analysis and information system security to effectively manage cybersecurity threats.
Incident handling plan
Implement a comprehensive plan for handling and responding to security incidents swiftly.
Business continuity
Ensure up-to-date backups, disaster recovery strategies, and crisis management for uninterrupted operations.
Supply chain security
Prioritize security in relationships with direct suppliers, assessing vulnerabilities and ensuring product cybersecurity.
System security lifecycle
Maintain robust security during network and system acquisition, development, maintenance, and vulnerability disclosure.
Effectiveness assessment
Incorporate policies and procedures to routinely evaluate the efficacy of cybersecurity risk-management measures.
CONSEQUENCES
What if a company is not compliant with NIS2?
Companies failing to comply with the NIS2 Directive could face severe penalties ranging from non-monetary sanctions to substantial administrative fines. Additionally, top management personnel can be held personally accountable for non-compliance, emphasizing the significance of cybersecurity responsibility at an organizational level.
Non-monetary actions & sanctions
Under the NIS2, national supervisory authorities can enforce various non-monetary penalties. These could include compliance orders, binding instructions, orders for security audits, and mandates for threat notifications to an entity’s customers.
Administrative fines
The NIS2 differentiates between essential and important entities concerning administrative fines. Essential entities could incur fines of either €10,000,000 or 2% of their global annual revenue, depending on which is higher. On the other hand, important entities face fines up to €7,000,000 or 1.4% of their global annual turnover, again depending on which amount is greater.
Sanctions for management
NIS2 makes top management personally accountable, shifting the responsibility from IT departments alone. In cases of non-compliance, authorities can make violations public, identify responsible personnel, hold management liable for breach of their duties, and, for essential entities, temporarily ban individuals from holding managerial positions after repeated infractions.
Assess applicability & impact
Determine if NIS2 affects your organization. Understanding its relevance to your business ensures you focus on what truly matters. Highlight and prioritize your organization's critical services, processes, and assets for a targeted approach.
Elevate cybersecurity awareness
Secure top management support by raising awareness about NIS2 sanctions and fines. This includes dedicated training programs for leadership on cybersecurity risk management and the significance of a cyber-oriented culture.
Enhance security infrastructure
Implement a risk and information security management system (ISMS). Review and adapt the 10 mandated cybersecurity risk management measures of NIS2. This includes streamlining incident reporting, enhancing supply chain security, and establishing a robust business continuity plan.
Allocate resources effectively
Plan and budget accordingly, focusing on areas with the highest cyber risks. This involves allocating sufficient financial resources for cybersecurity endeavors, bearing in mind the stiffer penalties that NIS2 introduces for non-compliance.
Continuously monitor & adapt
Foster a culture of continuous improvement. Regularly assess and close security gaps, stay updated on expected security controls, and leverage expert guidance as needed. Ensure that your organization remains agile and adaptive in its compliance journey.
NIS2 WITH NORDLAYER
How can NordLayer contribute to your NIS2 compliance strategy?
Robust access control
Benefit from our robust Network Access Control (NAC) features like Cloud Firewall or Device Posture Security to ensure only authorized users access your company’s data. Elevate your network protection with multi-layered authentication methods such as 2FA (SMS & TOTP) and biometrics to access your network. For a seamless yet secure login experience, opt for SSO options compatible with various platforms, including Google Workspace, Azure AD, Okta, OneLogin, and JumpCloud.
Incident handling
Armed with advanced features such as encryption, IP masking, and a dedicated server with fixed IP, NordLayer stands as the indispensable shield for your digital domain. Ingrained with ThreatBlock, DNS filtering, and Device Posture Security, our approach focuses on minimizing risks, streamlining a defense strategy that reduces the likelihood of navigating to malicious or threatening websites and, consequently, mitigating the chances of network infection.
Network maintenance security
Ensure robust and comprehensive network maintenance with features such as Activity Monitoring and Device Posture Monitoring. Watch all network connections, devices entering your network, and admin actions closely, maintaining a high-availability service option to bolster the network's overall security and performance without compromises.
Network development security
Safeguard sensitive development information and assets with NordLayer's Cloud Firewall, dedicated server with fixed IP, Virtual Private Gateways, and VPN encryption. Enhance your company's development phase by restricting access to crucial codes and information, ensuring they remain secure and inaccessible to unauthorized personnel.
Vulnerability handling
Fortify your network's vulnerability handling capabilities with NordLayer. Utilize top-tier threat prevention features like encryption, IP masking, DNS filtering, and Always On VPN, among others, to manage and mitigate potential network vulnerabilities effectively. Enhance detection mechanisms with Device Posture Security to maintain a resilient network infrastructure.
Supply chain assurance
Ensure the security of your supply chain. NordLayer helps keep your logistical operations uncompromised.
NordLayer: turning NIS2 challenges into achievements
In the era of expanding hybrid and remote work, adhering to regulatory standards at such a vast scale can seem daunting. As part of Nord Security, our primary mission is to deliver an expansive array of premium cybersecurity tools, empowering you to achieve, sustain, and surpass compliance standards.
NORDLAYER COMPLIANCE
Partnering with an industry standards leader
NordLayer is dedicated to regulatory compliance and protecting sensitive business data. Our systems boast ISO 27001 certification and pass the stringent SOC 2 Type 2 audit. We align with HIPAA Security Rules and utilize AES-256 encryption to ensure data security. Now, let us help you with your compliance.
Additional info
Frequently asked questions
The NIS2 Directive has to be transposed into EU national laws by 17 October 2024. It ensures consistency across Member States.
NIS 2 targets organizations with over 50 employees and an annual turnover surpassing €10 million. It extends beyond the original NIS Directive, now encompassing sectors like electronic communications, digital services, space, waste management, food, medicine production, postal services, and public administration. Some smaller but crucial entities in member states are also covered to safeguard against potential cyber threats.
If your business is established outside the EU but serves the EU market, complying with the NIS2 Directive becomes mandatory under certain conditions. This applies if your operations meet specific quantitative thresholds or if you're in a designated service category. Additionally, non-EU entities must appoint a representative within one of the EU Member States where they provide services. This representative will be your main contact for regulatory matters, and their location determines the jurisdiction for compliance issues. Without this representative, any EU state you serve may commence legal actions for non-compliance with the Directive.
*Disclaimer. This article is provided for informational purposes only and should not be construed as legal or any other professional advice. The content herein is intended to offer general insights into regulation requirements and potential solutions. It does not provide a comprehensive overview of the law, nor does it address specific legal scenarios. While we strive to present accurate and up-to-date information, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the information, our products, our services, or related graphics contained in this article for any purpose. Any reliance you place on such information is, therefore, strictly at your own risk. Our products may assist in compliance with certain cybersecurity regulations; however, their effectiveness can vary based on a multitude of factors, including but not limited to your specific circumstances, changes in law, and technological advancements. We recommend consulting with a qualified legal professional to understand how the regulations apply to your particular situation and how our products can aid in your compliance efforts. In no event will we be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this article. This article does not establish a client-professional relationship between Nord Security Inc. and the reader.