
Everything You Need to Know About NIS2 Compliance

The Network and Information Systems (NIS) Directive, a European Union (EU) directive, was established in July 2016. It was proposed by the European Commission (EC) and aimed to raise the level of cybersecurity across the EU member states by strengthening collaboration between member states and organizations and aligning their cybersecurity measures. Its scope comprises two categories: Operators of Essential Services (OES) and certain Digital Service Providers (DSPs).

However, because of a lack of accountability and a dependence on individual member states’ choices, the European Commission announced its plan to replace the NIS directive with a more robust framework carrying stronger requirements.

Therefore, on January 16, 2023, Directive (EU) 2016/1148 (NIS 1) was replaced by Directive (EU) 2022/2555, known as NIS2.

Key Changes in the NIS2 Directive    

“NIS2,” the newer version of NIS, establishes stricter cybersecurity requirements for the various organizations in the EU member states, with a deadline of October 17, 2024. Its aim is to strengthen cybersecurity and resilience for critical infrastructure and digital service providers in the EU. 

The major changes introduced in the NIS2 directive to establish a greater level of cybersecurity in the ever-evolving technological space are as follows:  

1. Extension of scope  

The NIS2 expands its scope from seven sectors to eighteen based on the impact they have on the economy and society, along with their interconnectedness and their level of digitalization.   

The scope includes all medium and large-sized organizations in the selected sectors based on organization size in terms of the number of employees and revenue generated.  


2. New categorizations

NIS2 removes the NIS distinction between the Operators of Essential Services (OES) and certain Digital Service Providers (DSPs). Rather, organizations are now classified based on importance and are therefore divided into two categories, namely: ‘essential’ and ‘important.’  

By April 17, 2025, these essential and important entities must be registered. The EU Member States must identify them and enable them to register, which means that entities must first determine whether they fall within the scope defined by the NIS2 directive.


3. Introduction of accountability management  

NIS2 introduces the concept of accountability: the management of in-scope organizations is responsible for the level of security they maintain. This includes conducting risk assessments, establishing security policies, information system security, incident handling, business continuity, and supply chain security. The members of an organization’s management team are therefore responsible for complying with the cybersecurity risk management requirements.

4. Introduction of fines  

The NIS2 directive provides the authorities with the power to enforce fines on organizations that fail to comply with the NIS2 directive. The details of the fines imposed are as follows: 

Entity Type           Maximum Fine (€)        Maximum Fine (% of Worldwide Annual Turnover)
Essential Entities    At least €10,000,000    At least 2%
Important Entities    At least €7,000,000     At least 1.4%

5. Incident reporting  

NIS2 introduces stricter requirements for the process of incident reporting, including the detailing of the reports. The organization that experiences a cybersecurity incident must not only report it to the local Computer Security Incident Response Team (CSIRT) but also notify the customers if they are impacted by it.   

In case of ‘significant incidents,’ the entity must notify the customers in phases, including an ‘early warning’ within 24 hours of discovering the incident.   

6. The creation of the Computer Security Incident Response Team (CSIRT) platform

This platform was developed to enhance collaboration among the EU Member States when they deal with cybersecurity incidents.   

The European Vulnerability Disclosure Database was created by the European Union Agency for Cybersecurity (ENISA), which acts as a central repository to share information about the identified cybersecurity vulnerabilities, thereby warning the Member States to enhance their security posture accordingly.  

7. Enhancing Cybersecurity in Supply Chains  

This key change impacts many suppliers who are not in the scope of the NIS 2 directive but provide services to an entity that falls under the scope. It states that the entities are solely responsible for the level of cybersecurity in their supply chain, including handling cybersecurity risks.   

NIS1 vs. NIS2: What’s the Difference?  

  • Enforcement
    NIS1: No clearly defined fines or strict enforcement mechanisms.
    NIS2: Introduces financial penalties: up to €10M or 2% of annual global revenue for essential entities, and up to €7M or 1.4% for important entities.

  • Collaboration
    NIS1: Included a Cooperation Group and a network of CSIRTs (Computer Security Incident Response Teams).
    NIS2: Strengthens the role of CSIRTs by making them more proactive in incident response and in offering guidance and feedback. Enhances cooperation by developing vulnerability policies and sector-specific risk guidelines and by improving threat intelligence sharing.

  • Reporting
    NIS1: Lacked strict timelines for reporting security incidents; reporting formats and procedures varied.
    NIS2: Establishes clear deadlines for security warnings, notifications, and reports, and standardizes reporting procedures to ensure consistency across entities.

  • Accountability
    NIS1: Did not explicitly assign responsibility to senior management for cybersecurity risks; supply chain risks were not directly addressed.
    NIS2: Requires senior leadership (e.g., board members) to supervise cybersecurity risk management, ensuring accountability at the highest level, and holds organizations responsible for risks arising from third-party suppliers.

What are the cryptographic requirements in the NIS 2?  

The NIS 2 directive aims to keep its requirements proportionate and consistent: the obligations placed on larger organizations reflect their role in society, while smaller organizations are not disproportionately burdened.

To that end, NIS2 mandates that essential and important entities meet a minimum set of requirements. In line with the directive’s four key focus areas, the following measures give an overview of the minimum requirement areas. These include:  

  • Risk assessments and security policies for information systems.

  • Policies and procedures for evaluating the effectiveness of security measures.

  • Policies and procedures for the use of cryptography and, when relevant, encryption.

  • A plan for handling security incidents.

  • Security around the procurement, development, and operation of systems. This means having policies for handling and reporting vulnerabilities.

  • Cybersecurity training and practice for basic computer hygiene.

  • Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.

  • A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.

  • The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication when appropriate.  

  • Security around supply chains and the relationship between the company and direct suppliers. Companies must choose security measures that fit the vulnerabilities of each direct supplier. Companies must then assess the overall security level of all suppliers.

Here are the key articles mentioning encryption standards and cybersecurity measures under the NIS2 directive. 

The Key Aspects of NIS2: Articles 20, 21 & 23 

Articles 20, 21 & 23 act as the key pillars of the NIS2 directive, covering areas of Governance, Risk Management, and Incident Reporting, respectively. An organization complying with the requirements stated under these articles has enhanced cybersecurity resilience. Let us explore these articles in detail. 

Article 20

Article 20 of the NIS 2 directive focuses on the Governance aspect of the management bodies of the member states. It aims to ensure that the management of both essential and important entities practice cybersecurity measures. It states that they need to approve and supervise cybersecurity measures so that their organizations achieve the requirements. And, if they fail to do so, they will be held responsible.   

Additionally, the following points must be noted to ensure that your organizations align with the requirements stated in this article.   

  • Management teams must undergo cybersecurity training to gain knowledge and understand cyber risks and the best practices they must follow to create a secure infrastructure.

  • Employees working in various essential and important entities must also be provided with specialized training to enable them to identify risks and assess cybersecurity risk-management practices.

However, the liability of public officials and government employees will be decided by each country’s national laws rather than this specific regulation. To simplify, management bodies of private essential and important entities will be held accountable for cybersecurity failures, but rules for public institutions such as government agencies differ. 

Article 21

This article focuses on the cybersecurity risk management practices to be followed by both entities, important and essential. It states that organizations must implement strong security measures to protect their infrastructure from cyber threats, ranging from networks to information systems. These measures must be in accordance with the latest technology, relevant standards, and the level of risk faced by that organization. Furthermore, various factors must be considered, such as the organization’s size, exposure to risks, and the impact they may have.   

The article also outlines specific practices to achieve a greater level of security across the organization. These include risk incident policies, backup management, business continuity plans, and cybersecurity training. Also, entities must assess their supply chains to identify vulnerabilities, including the suppliers’ cybersecurity practices and secure development procedures, and ensure they follow strong cybersecurity practices.   

Article 21 mandates the following measures for organizations to adhere to the NIS 2 directive:  

  1. Policies on risk analysis and information system security.

  2. Incident handling.

  3. Business continuity, such as backup management, disaster recovery, and crisis management.

  4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.

  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

  7. Basic cyber hygiene practices and cybersecurity training.

  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption.

  9. Human resources security, access control policies, and asset management.

  10. The use of multi-factor or continuous authentication and secured voice, video, text, and emergency communication systems within the entity, as appropriate.

Article 23

Article 23 of the NIS2 directive covers Reporting Obligations in a detailed manner. It states that the Member States are responsible for reporting to the Computer Security Incident Response Teams (CSIRTs) about cybersecurity incidents that may impact the organization’s services or could cause financial or reputational damage.   

To align with the requirements of Article 23, organizations should consider the following key aspects:  

  • An early warning must be provided within 24 hours of becoming aware of the incident, followed by an incident notification within 72 hours. Thereafter, a detailed final report must be submitted within a month, including a description of the incident, its severity, impact, etc.

  • In case one single incident affects multiple countries, then the information must be shared across them effectively for improved coordination. 

  • Authorities who deal with these reports must also respond quickly and provide the necessary feedback and guidance.

  • Every three months, the EU cybersecurity agency ENISA will collect and analyze the incident data to improve cybersecurity policies.

The Key Focus Areas of the NIS2 Compliance   

The NIS 2 directive includes the addition of requirements for the four key areas of your organization, namely, management, proper reporting to the authorities, strategies for risk management, and establishing plans for business continuity.  

Let us explore them in detail.  

1. Management

It is the responsibility of the organization’s management to be aware of the requirements established by the directive. The management must identify the organization’s cyber risks and address them to comply with the requirements. Failure to do so may result in penalties for the management and even a temporary ban from management roles. 

2. Proper incident reporting

This requirement states that organizations must have established plans to ensure that in case of incidents, they are reported directly to the concerned authorities. 

  • An early warning must be submitted within 24 hours, stating that a cybersecurity incident has occurred.

  • An initial assessment must be provided along with all the relevant details of the incident within 72 hours.

  • A final report is to be provided to the authorities within one month, which outlines all the details of the incident that took place, its cause, and the actions taken by the organization to mitigate it. This report also includes the severity and the consequences of the incident and the type of threat that led to the incident.
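The three-phase timeline (24 hours, 72 hours, one month) is where reporting most often slips in practice, so here is a small deadline tracker as an added example; it is not code from the original post or from Encryption Consulting. The phase names, the sample timestamps, and the choice to count every deadline from the moment the entity became aware of the incident are assumptions made for illustration.

```python
from calendar import monthrange
from datetime import datetime, timedelta

# Reporting phases described in the text, in the order they are filed.
# (Phase names are assumptions for this example, not NIS2 terminology.)
PHASES = ("early_warning", "incident_notification", "final_report")


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; an explicit UTC offset is required so
    deadlines cannot drift when teams in several countries are involved."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return ts


def add_one_month(ts: datetime) -> datetime:
    """Advance by one calendar month, clamping the day (Jan 31 -> Feb 28/29)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


def deadlines(aware_at: datetime) -> dict:
    """Deadlines counted from the moment the entity became aware of the incident."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def reporting_status(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Classify each phase: 'submitted' (filed on time), 'late' (filed after its
    deadline), 'overdue' (deadline passed, nothing filed) or 'pending'."""
    status = {}
    for phase, due in deadlines(aware_at).items():
        filed = submitted.get(phase)
        if filed is None:
            status[phase] = "overdue" if now > due else "pending"
        else:
            status[phase] = "late" if filed > due else "submitted"
    return status


def next_due(aware_at: datetime, submitted: dict):
    """Return (phase, deadline) for the first phase not yet filed, or None."""
    for phase, due in deadlines(aware_at).items():
        if phase not in submitted:
            return phase, due
    return None


if __name__ == "__main__":
    # Constructed sample: the entity became aware at 09:00 UTC on 17 Oct 2024.
    aware = parse_ts("2024-10-17T09:00:00+00:00")
    filed = {
        "early_warning": parse_ts("2024-10-17T20:30:00+00:00"),          # inside 24 h
        "incident_notification": parse_ts("2024-10-21T10:00:00+00:00"),  # missed 72 h
    }
    now = parse_ts("2024-10-25T12:00:00+00:00")
    for phase, state in reporting_status(aware, filed, now).items():
        print(f"{phase:22s} due {deadlines(aware)[phase].isoformat()}  {state}")
    print("next:", next_due(aware, filed))
```

The same functions can be fed the incident log of an ongoing case to show which phase is owed next and whether an earlier one was filed late, which is what a competent authority will ask about.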

3. Strategies for risk management

This requirement mandates the implementation of technical, operational, and organizational measures to manage risks across the organization’s infrastructure. These include the establishment of risk analysis policies, enhanced network security, incident handling, access controls, improved supply chain security, and policies regarding the use of cryptography. It states that cybersecurity risks should be managed based on the type of risks faced, considering factors such as the entity’s size, exposure to risks, and potential incident severity.  

4. Establishment of plans for business continuity

Organizations must establish strategies to achieve business continuity in the case of cyber incidents. These plans must include the creation of an incident response team, procedures to be followed in case of emergency, and backups for system recovery.   

Steps to achieve NIS2 compliance  

Compliance is not just about meeting the requirements set by the directive but also strengthening your resilience against growing and evolving cybersecurity threats. Therefore, organizations aligning with NIS 2 not only meet the requirements but also enhance their overall security posture.  

To prepare itself to achieve NIS2 compliance, an organization must follow a step-by-step approach. This approach broadly consists of six steps, which are as follows:  

1. Identifying cybersecurity risks

This step refers to the identification of various cybersecurity risks in the critical infrastructure of your organization, generally carried out by the Chief Information Security Officer (CISO). The NIS2 directive mandates the establishment of effective measures to mitigate risks and manage them, as well as the implementation of appropriate procedures, technologies, and systems to identify risks and mitigate them accordingly.  

2. Evaluation of your security posture

Evaluation of security posture refers to the process of reviewing the existing policies and technologies to assess how effective the strategies of your organization are to mitigate risks. It also includes identifying vulnerabilities, followed by an in-depth analysis to understand their impact.  

3. Protect privileged access

The privileged users in your organization are the main targets for unauthorized access to sensitive data, leading to data breaches and even causing service disruptions. To prevent this, NIS2 recommends the minimization of privileged access, implementation of access controls such as continuous authentication, and maintenance of access logs to detect threats and respond to incidents effectively.  

4. Strengthen your ransomware defenses

To strengthen your organization’s ransomware defenses, employees must be educated about phishing attacks, and there must be secure established processes for data backup. This also includes hardening endpoints through access controls and network segmentation to enhance resilience and ensure that the organization is able to recover quickly from various cybersecurity attacks.  

5. Adopt a zero-trust strategy

Traditional perimeter-based security measures are ineffective for cloud services and hybrid models. Adopting a zero-trust strategy is therefore a must, as it assumes that risk can originate from any user or device. Every access request must be authenticated and evaluated on signals such as user identity, device type, location, and access frequency. This strengthens the security of all systems and sensitive data across the organization.  

6. Inspect software supply chain

This step ensures that the entire software development lifecycle, from code creation to deployment and distribution, is inspected and secured. This includes enforcing strict identity and access management to protect source code and running automated security checks. 

Impact of NIS2 on Businesses 

The NIS2 directive establishes stricter security requirements that impact businesses and industries across the EU. To comply with the requirements of this directive, organizations must enhance their overall security posture, introduce risk management strategies, and establish smooth incident reporting mechanisms. The following are the risks of non-compliance and the benefits of complying with it.   

Risks of non-compliance

Failure to meet NIS 2 requirements results in ineffective cyber resilience, therefore increasing the possibility of the occurrence of cyber incidents in your organization. Without effective security measures in place, the possibility of breaches, ransomware attacks, and data leaks increases. This would result in organizations facing high recovery costs, regulatory fines, and legal complications.  

This financial overhead could lead to lost revenue and damage the organization’s reputation. Furthermore, security breaches can result in operational downtime, reducing productivity and harming the organization’s long-term success.  

Benefits of compliance

An organization complying with the NIS 2 directive establishes operational stability and ensures the protection of critical data across its infrastructure. By implementing these proactive security measures, you can lower the risk of cyber threats such as data breaches and ransomware attacks.   

Complying with NIS2 allows an organization to operate safely in the digital space, ensuring that its infrastructure, supply chains, and critical data remain protected. Therefore, by aligning with the NIS 2 directive’s requirements, an organization not only protects its operations but also enhances customer trust.  

What happens if you don’t comply with NIS2?  

If an organization fails to comply with the NIS2 directive’s requirements, it may face serious consequences. Let us learn more about it.  

1. Financial penalty

Organizations failing to comply with the requirements of the NIS 2 directive will have to face huge penalties according to the category they belong to.   

  • Essential entities: fines of up to €10 million or 2% of their global annual revenue.

  • Important entities: fines of up to €7 million or 1.4% of their global annual revenue.

2. Legal complications

In addition to fines, if an organization fails to comply with the NIS 2 directive, the members of the management team of that organization will be held responsible for not adhering to the requirements and may face legal action against them.  

3. Loss of trust

Non-compliance may also lead to a loss of trust from customers, partners, and even stakeholders, resulting in reputational damage to the organization. 

How can Encryption Consulting help?  

The NIS2 directive was established to enhance cybersecurity practices across the various critical sectors, and the first crucial step to achieve and maintain NIS2 compliance is an in-depth risk assessment and gap analysis. Our encryption advisory services include thorough audits and assessments to identify the gaps in various processes that can expose your organization to compliance risks. Here’s how we can assist you:   

1. In reviewing existing policies of your organization’s infrastructure

This involves identifying your current encryption capabilities and understanding whether your systems have any limitations. We also examine your overall security to build a complete picture of your infrastructure, considering the various use cases associated with your organization.  

2. To assess gaps and identify vulnerabilities

This includes identifying gaps in your existing policies against industry standards to ensure adherence to security and compliance requirements. For this, we conduct workshops to discuss your current applications, encouraging collaboration among team members to gather valuable insights. Additionally, we use an assessment questionnaire to collect important information about your encryption practices. Through this evaluation, we identify existing data encryption capabilities and pinpoint specific areas for improvement.  

3. In implementing the roadmap

After the successful completion of the assessment, we will provide you with an in-depth report which consists of summaries of our findings and recommendations for each of them. This report lays out a strategy to implement the necessary capabilities to ensure that you are well-prepared to enhance your encryption practices. Also, our roadmap will aid you in adhering to the industry standards and aligning with the best practices to enhance data protection and help you align according to your compliance requirements. 

Conclusion

The NIS2 Directive is a key element in the European Union’s action to strengthen cybersecurity and protect its essential services. It lays down a clear guideline for member states, builds collaboration, and focuses on securing the supply chain within the region.

For organizations, NIS2 is more than just a regulation. Rather, it is an opportunity to improve how they manage cyber risks. By adopting strong risk management practices, preparing for incident response, and building solid governance frameworks, businesses will not only protect their systems but also establish customer trust and contribute to a safer digital environment.

It may be overwhelming to learn about and comply with these new requirements, but the good news is that you won’t have to do it alone. Contact our team to get started today.


About the Author


Shruti Chandan is a cybersecurity intern at Encryption Consulting, working on the Encryption Advisory team. She contributes to the development of an SSH key management solution, focusing on backend development using Python Flask. Alongside product development, she actively researches cybersecurity compliance frameworks and post-quantum cryptography (PQC) threats, continuously refining her expertise in encryption and security.
