Companies have recently been preoccupied with NIS 2, as an estimated 100,000 organizations across the EU are affected by its rules from October 2024. What is coming and how to prepare: we cover these questions in this post.
What NIS 2 is and whom it impacts
NIS 2 is the common name for EU Directive 2022/2555. NIS is short for ‘Network and Information Security’. The Directive applies to certain types of companies, most of which operate critical infrastructure and systems (listed below). The number 2 is used because it is an enhanced version of the first NIS Directive, which was introduced in 2016.
The Directive is not for everyone. Applicability depends on the combination of the sector a company works in and its size. Sectors of high criticality (Essential entities) are:
- energy
- transport
- banking
- waste water
- digital infrastructure
- ICT service management (B2B)
- financial markets infrastructure
- health
- drinking water
- public administration
- space.
They will be more strictly and closely monitored.
There are also Important sectors such as:
- postal and courier services
- waste management
- manufacture, production and distribution of chemicals
- production, processing and distribution of food
- the manufacture of:
  - medical devices and in vitro diagnostic medical devices
  - computer, electronic and optical products
  - electrical equipment
  - machinery and equipment not elsewhere classified
  - motor vehicles, trailers and semi-trailers
  - other transport equipment.
You can find more detail on which activities and special cases fall into these categories in Annexes I and II of the Directive, as the classification is not always obvious. For example, in some cases the term “public administration entity” may include certain universities.
For public and private entities in each of these sectors, there are more specific criteria for whether they fall within the scope of NIS 2. Size also matters: large entities with over 250 employees or more than €50 million annual revenue are most likely to be deemed Essential, while medium ones (50-249 employees or more than €10 million revenue) are Important. Entity size is determined according to the European Commission’s Recommendation 2003/361/EC.
If a company’s operations fall into several sectors, the more stringent obligations prevail over the less stringent ones. Moreover, even if your company is not in scope itself but works with NIS 2-compliant partners, you may be indirectly affected, as supply chain monitoring is compulsory for them. Adhering to general cybersecurity good practice will therefore make you a preferred and more reliable contractor.
In short, NIS 2 applies only to large and medium companies in the sectors listed above. The only exceptions, to which NIS 2 applies regardless of size, are electronic communications companies, trust service providers, DNS service providers, top-level domain name registries and domain name registration service providers.
A basic check of whether the Directive applies to your organization can be carried out here.
Obligations under NIS 2
- Incident notification. Companies must give early notice to the competent authority, designated by each Member State as its national Computer Security Incident Response Team (CSIRT), about suspected risks within 24 hours, and provide an official notification of an incident within 72 hours of its occurrence. After the incident is resolved, the organization must submit a final report within one month.
- Policies on assessing the effectiveness of cybersecurity risk-management measures, on the appropriate use of cryptography and encryption, and on access control.
- A Business Continuity Plan (BCP) to ensure continued operation in case of emergencies, data breaches and other cyber incidents. It may include backups, disaster recovery, crisis management, etc.
- Responsible choice of partners, as supply chains and data sharing will be a focus of monitoring.
- Multi-factor authentication or continuous authentication solutions, and secured communications across all of the company’s channels.
- Education and awareness: company management is required to undergo cybersecurity training and to train employees regularly.
- For Essential entities, it is mandatory to undergo regular conformity assessment.
Cloud providers can help meet these requirements in the following ways:
- First of all, clouds are part of data supply chains, so having a reliable cloud partner means being sure that this obligation is met.
- Backups and DRaaS in the cloud are a good option for data redundancy, which also covers the Business Continuity Plan provisions.
- Encryption is key, and some providers already follow the latest requirements. For example, at GigaCloud we even have a Managed Protected Private Cloud: a solution with enhanced encryption, SIEM and PAM.
- Cloud operators undergo numerous certifications and regular security monitoring in order to be trusted contractors. At GigaCloud, we comply with the GDPR requirements and hold ISO 27701 and ISO 27001, PCI DSS and CSA STAR certificates.
- Cloud infrastructure is usually more reliable because it is regularly updated. GigaCloud uses Lenovo hardware and the latest VMware software, keeping pace with the ever-changing cybersecurity threats.
- Service availability also affects security. Cloud providers typically sign Service Level Agreements (SLAs) with clients to ensure that the clients’ infrastructure is always up to date.
What should I do for NIS 2?
As with most EU directives, the rules of NIS 2 must be transposed into the national law of the Member States within 2 years. This means that until 17 October 2024, countries have time to bring their legislation in line with the requirements and make them binding on their legal entities.
As of summer 2024, most Member States have at least a draft law on the Directive’s implementation. Each country will have its own procedural specifics and its own designated authorities that will oversee enforcement of and compliance with NIS 2. For example, in Hungary, organizations are obliged to conclude a contract with a cybersecurity auditor by the end of 2024 and to complete a first assessment within a year. And in Belgium, the national CyberFundamentals (CyFun®) framework is aligned with the Directive.
The next step is to compile the list of companies bound by the Directive: by 17 April 2025, Member States shall establish such lists, and they may ask companies to register themselves. Registration will require at least the following information:
- Name, address, registration number
- The sector or sub-sector within NIS 2 scope under which the company falls
- Contact details
- Member States where it operates
- The list of its assigned IP addresses
Later on, these lists must be updated on a regular basis, at least every two years.
Companies should not only formally present the cybersecurity policies they have developed, but also be ready to provide real evidence, such as the results of security audits carried out by a qualified auditor.
Does it really work?
The previous Network and Information Security policy covered far fewer companies, was less strict, and in general omitted many nuances. The new version is intended to be much more effective.
At the EU level, a new body was established to oversee implementation of the Directive: the European Cyber Crises Liaison Organisation Network, EU-CyCLONe. It will review the national cyber crisis response plans, collect reports from national supervisory agencies and inform the EU Member States about major cyber crises.
For companies that fail to abide by the rules, there can be administrative fines of up to €10 million or 2% of total worldwide annual turnover (for the Essential category) or up to €7 million (for Important entities). The regulation is therefore quite strict, and it also obliges companies to pay attention not only to their own infrastructure but also to their suppliers and service providers. The whole supply chain should be regularly monitored, and data sharing must be encrypted.
Company management bodies will be directly responsible for implementing the cybersecurity measures, and failure to comply could result in temporary bans (from holding certain positions, for example) and administrative fines.