NIS 2: A General Overview of the EU Cybersecurity Directive

07 Aug 24 9 min read

Companies have recently been preoccupied with NIS 2, as an estimated 100,000 organizations across the EU will be affected with its regulations since October 2024. What’s coming and how to get prepared — we’ve covered all the questions in our blog.

What NIS 2 is and whom it impacts

NIS 2 is a common name for the EU Directive 2022/2555. NIS is short for ‘Network and Information Security’. The Directive is applicable to some types of companies, which mostly constitute critical infrastructure and systems (we will specify them a bit later below). Number 2 is used because it is an enhanced version of the first NIS, which has been introduced back in 2016.

The directive is not for everyone. It counts in the combination of sectors the companies work in and their size. Companies of high criticality (Essential) are within these sectors:

energy
transport
banking
waste water
digital infrastructure
ICT service management (B2B)
financial markets infrastructure
health
drinking water
public administration
space.

They will be more strictly and closely monitored.

There are also Important sectors such as:

postal and courier services
waste management
manufacture, production and distribution of chemicals
production, processing and distribution of food
the manufacture of:
- medical devices and in vitro diagnostic medical devices
- computer, electronic and optical products
- electrical equipment
- machinery and equipment not elsewhere classified
- motor vehicles, trailers and semi-trailers
- other transport equipment.

You can see more about what features and special cases fall into these categories in the annexes 1 and 2 of the Directive, as sometimes the list is not so obvious. For example, in some cases, the term “public administration entity” might involve some universities.

For public and private entities in each of these sectors, there are more specific criteria whether they fall into the NIS 2 effect. Size also matters: large entities with over 250 employees or more than €50 million annual revenue are most likely to be deemed Essential, while the medium ones (50-249 employees or more than €10million revenue) are Important. Entity size is determined by the European commission’s Recommendation 2003/361/EC.

If the company’s operation falls into several sectors, more stringent obligations prevail over less stringent ones. Moreover, even if your company might not be in the scope, but it works with NIS2 compliant partners, you might be indirectly influenced, as supply chain monitoring is compulsory for them. So sticking to the general rules of cybersecurity will make you a more preferable and reliable contractor.

Basically, NIS 2 applies only to large and medium companies in the above-mentioned sectors. The only exceptions, to which NIS 2 applies strictly no matter what, are electronic communications companies, trust service providers, DNS service providers, top-level domain name registrars or domain name registration service providers.

A basic check whether it is applicable to your organization can be carried out here.

Obligations under NIS 2

Incident notification. Companies should give an early notice to the competent authorities, defined by each state as it national Computer Security Incident Response Team (CSIRT), about the suspected risks within 24 hours; and provide an official statement on an incident within 72 hours of its occurrence. After the incident is resolved, the organization has to make a final report in a month.
Policies to assess the effectiveness of cybersecurity risk management measures, on appropriate use of cryptography and encryption, on access control.
Business Continuity Plan (BCP) to ensure constant operation in case of emergencies, data breaches and other cyber incidents. It might include back-ups, disaster recovery, crisis management etc.
Responsible choice of partnership, as supply chains and data-sharing will be the focus of monitoring.
Multi-factor authentication or continuous authentication solutions, secured communications through all the company’s channels.
Education and awareness — companies’ management are required to undergo cybersecurity training and to regularly train their employees accordingly.
For the Essential entities, it is mandatory to undergo regular conformity assessment.

Cloud providers could help ensure these demands in such ways:

First of all, clouds are included in data supply chains, so having a reliable cloud partner means being sure that this obligation is conformed with.
Backups and DRaaS in the cloud are a great option for data reservation, which also cover the Business Continuity Plan provisions.
Encryption is the key, and some providers also stick to the latest requirements. For example, at GigaCloud we even have a Managed Protected Private Cloud — a solution that has enhanced encryption, SIEM and PAM.
Cloud operators are subject to a lot of certifications and regular cyber monitoring in order to be a trusted contractor. At GigaCloud, we comply with the GDPR requirements, have ISO 27701 and ISO 27001, PCI DSS, CSA STAR certificates.
Cloud infrastructure is usually more reliable, because it is regularly updated. GigaCloud uses the powerful Lenovo hardware and the latest VMware software, keeping pace with the ever-changing cybersecurity threats.
General availability of services affects the security. Cloud providers typically offer signing SLA (Service Level Agreements) to make sure that the clients’ infrastructure is always up-to-date.

What should I do for NIS2?

As with most of the EU directives, the rules of NIS2 should be incorporated into the national law of the member states within 2 years. It means that up till 17 October 17, 2024, countries have time to bring their legislature in tune with the requirements and make them binding to their legal entities.

As of summer 2024, most of the Member States have at least a draft law regarding the system’s implementation. Each country will have its own specifics of procedures and its designated authorities who will control the enforcement and compliance with NIS 2. For example, in Hungary, organizations are binding to conclude a contract with a cybersecurity auditor till the end of 2024 and to make a first assessment in a year. And in Belgium, the national CyberFundamentals (CyFun®) framework works in tune with the Directive.

The next step is to submit the list of companies binding to follow it — by 17 April 2025, Member States shall establish such lists, for which they can ask companies to register on their own. The registration will require at least the following information:

Name, address, registration number
The sector or sub-sector in NIS2 scope under which the companies fall
How to contact them
Member states where they operate
The list of their assigned IP addresses

Later on, these lists should be updated on a regular basis, at least every two years.

Companies should not only formally provide cybersecurity policies they developed, but also be ready to give real evidence, such as the results of security audits carried out by a qualified auditor.

Does it really work?

The previous Network and Information Security policy included way fewer companies, wasn’t so strict, and in general omitted a lot of nuances. The new version is set to be much more efficient.

At the EU level, a new body was established to control implementation of the Directive — the European Cyber Crises Liaison Organisation Network, EU-CyCLONe. It will review the national cyber risks response plans, collect reports from national supervisory agencies and inform the EU Member States on major cyber crises.

For companies that fail to abide the rules, there could be administrative fines of up to €10 million or 2% of the total worldwide annual turnover (for the Essential category) or up to €7 million (for the Important entities). So, the regulation is quite strict, and it also obliges the companies to pay attention not only to their own infrastructure, but also to their suppliers and service providers. The whole supply chain should be regularly monitored and data-sharing must be encrypted.

The company management bodies will be directly responsible for the cybersecurity measures implementation, and their failure to abide could result in temporary bans (to hold some positions, for example) and administrative fines.

Trending articles

How GigaCloud is revolutionizing its private clouds and why it matters

20 May 22 7 min read

The cloud operator’s work does not end after building a private cloud and configuring it to meet the customer’s needs. The technical support service and the operations department monitor the events and indicators of the cloud. Specialists make the necessary changes, help customers deploy virtual infrastructures and, what is very important, they update the cloud.

How the cloud helps you get a PCI DSS certificate

01 Jun 21 6 min read

In 2018, British Airways, the largest airline company of the United Kingdom, experienced a large-scale breach of customer data. Hackers stole payment card information of about 380,000 people.

How to create, use and store passwords correctly

24 Oct 19 4 min read

In 1964, the IBM company created a multi-user computer – a mainframe, it is a computer designed for the simultaneous work of several users. The mainframe worked in time-sharing mode, and in order for users to use it simultaneously, separate accounts were created for each of them. A password was required to log in to the account.

Cloud pyramid: IaaS, PaaS and SaaS

20 Oct 21 4 min read

IaaS, PaaS, or SaaS are cloud service delivery models. The way they relate to each other is often depicted as a pyramid with different levels of information control.

VMware by Broadcom: review of the main updates

06 Mar 24 6 min read

Let’s look into the transformation, initiated by Broadcom, more closely.

Cloud Agnostic for Business: the features and benefits of the solution

27 Jul 22 6 min read

Let’s consider what kind of concept it is, what are its pros and cons, and when you should choose Cloud Agnostic architecture.

Sovereign Cloud: What It Is and How It Works

23 Aug 23 4 min read

According to VMware Explore US estimates, the sovereign clouds market will reach $60 billion by 2025.

Data centers: where we store your data at GigaCloud

19 Jan 24 4 min read

Cloud is a partially virtual concept, and in order for it to function, one has to engage physical servers to run cloud capacities on. These servers and other equipment are stored in the data centers, specific buildings, catered to the needs of infrastructure maintenance. Their main function is to store and process critical business data.

What is a private cloud and how does it differ from a public cloud

15 Jul 21 4 min read

What is a private cloud, what are its features and advantages is explained below.

Is Owning Servers More Profitable Than Cloud Services? Let’s Count TCO

31 Jul 23 12 min read

If your business is not critically susceptible to downtime, and you can wait for a day or two while IT team «revives» the website or CRM-system, then $800 servers will suffice. But if you can’t let yourself be «down» and don’t want to lose money, reputation and clients trust, we suggest that you read this article.

Why Business Needs IaaS: 5 Tasks Solved by the Cloud

10 Jul 23 9 min read

Why businesses need IaaS and what key business challenges can be efficiently solved by adopting cloud solutions.

Service Level Agreement at GigaCloud: what it is and why it matters

22 Jan 24 2 min read

When you become a client at GigaCloud, you are given a Service Level Agreement to sign. SLA is a document defining the level of service which the provider is expected to maintain for its clients.