What is the NIS2 Directive and compliance?
Introduction to the European Union’s Network and Information Security 2.0 Directive
In response to the increased threat of cyberattacks and the associated need to increase defenses, the Council of the European Union (EU) and the European Parliament adopted the Network and Information Security 2.0 Directive in December 2022. NIS2 provides for revised and broader IT security requirements in all EU member states. One of the most important purposes of this IT security legislation in the EU is to contribute “to the effective functioning of its economy and society.”
The NIS Directive was originally enacted in 2016. This updated set of FAQs provides you with information about the new and broadened requirements that NIS2 places on companies doing business in the European market and how Sophos solutions can help you comply with the new requirements.
What is the NIS2 Directive?
NIS2 is a follow-on to the NIS1 Directive, which was adopted in 2016 and introduced the first cybersecurity standardization efforts into the legal systems of EU member states. In December 2022, the Council of the EU and the European Parliament adopted the NIS2 Directive, which revised and broadened cybersecurity requirements throughout the EU.
Because NIS2 is a directive and not a regulation, it is not directly applicable in the member states until it has been transposed into national law. National legislators are therefore required to amend their national IT security laws by the deadline set by European legislators: October 17, 2024.
What is the purpose of the NIS2 Directive?
NIS2 aims to strengthen security requirements in the EU by expanding their scope to more sectors and entities and by requiring measures such as risk analysis and information system security policies, incident response handling, and supply chain security. It also intends to streamline reporting obligations. View the Sophos NIS2 Webinar slide on EU-wide incident response: (18:45).
When will the NIS2 Directive go into effect?
Organizations will have to comply with the EU’s new and stricter cybersecurity regulations by October 18, 2024, or risk heavy penalties. You can view Sophos’ NIS2 compliance card for assistance; it maps out how Sophos solutions offer effective tools to support organizations in addressing NIS2.
What are the penalties for failure to comply with the NIS2 Directive?
In cases of noncompliance, NIS2 requires member states to issue hefty penalties: €10 million or 2% of global turnover (whichever is higher) for essential entities and €7 million or 1.4% of global turnover (whichever is higher) for important entities.
NIS2 imposes direct obligations on the management bodies for implementation and supervision of their organizations’ compliance with the legislation. Noncompliance could potentially lead to the imposition of a temporary ban from discharging managerial responsibilities on the senior management of the entity, including C-suite-level executives. View the Sophos NIS2 Webinar slide on standards and penalties: (16:20).
What cybersecurity coverage is required under the NIS2 Directive?
NIS2 requires that specific measures be adopted as part of an active risk management strategy that extends to securing the supply chain, including non-European companies that do business with EU companies obligated to abide by NIS2.
To see the list of specific risk management measures, view the Sophos NIS2 whitepaper, page 5.
Who is required to adopt the NIS2 Directive?
NIS2 broadens NIS1’s scope to include 18 public and private sectors. Among them are highly critical sectors such as energy, transportation, and public administration services.
The NIS2 scope primarily extends to companies that have at least 50 employees or achieve an annual turnover or an annual balance sheet total of more than €10 million. In some exceptions, NIS2 applies regardless of the entity’s size; for example, it applies to all providers of publicly available electronic communications services.
The primary way to determine whether a private or public institution falls under the new directive is to see whether it meets both of the following conditions:
- The institution provides at least one of the services listed in the directive’s attachment (see the list of 18 sectors the Directive identifies) AND
- It is a medium or large institution, meaning it employs 50+ employees, OR its annual turnover or annual balance sheet total reaches at least 10 million EUR
To see the full list of 18 sectors, entity classifications, and additional requirements, view the Sophos NIS2 whitepaper, pages 3-5.
How can I achieve NIS2 compliance with Sophos?
Sophos offers a complete portfolio of cybersecurity solutions and services to help businesses achieve and maintain NIS2 compliance. Sophos provides expertise and support for your NIS2 compliance initiatives through continuous compliance monitoring and by securing your data and devices. Get in touch with a Sophos security expert to learn more about reducing your risk.
The Sophos NIS2 Reference Card outlines the NIS2 requirements and how Sophos security solutions can help businesses meet NIS2 compliance mandates for risk management assessment and training, incident handling, and the technical, operational, and organizational measures required to manage cybersecurity risk at the obligatory levels.
How can I make sure to remain in NIS2 compliance going forward?
NIS2 and other cybersecurity regulations require more than a one-time assessment of your current state of security. You need to maintain a record of evidence demonstrating regular cybersecurity training and hygiene for every aspect of your IT environment, from access controls to network and device security to the data itself, both at rest and in motion.
To remain compliant, companies must establish a process for continuously monitoring their IT environments, including cloud assets, to ensure that regulatory requirements are met at all times. Automation and security tools can assist by constantly scanning for network threats and notifying you immediately when your environment becomes noncompliant.
A cybersecurity-as-a-service (CSaaS) provider can support this continuous compliance approach because it has the expertise and dedicated resources to monitor your compliance status 24/7. This model helps your internal security team shift from reacting to NIS2 audit requests to adopting a more proactive approach. Continuous compliance means you can confidently respond to any scrutiny of your systems' security and any inquiries about your privacy policies.
Should I consider an NIS2 compliance assessment?
Many companies benefit from bringing in a consultant to evaluate their systems for NIS2 compliance. An NIS2 assessment provides a holistic view of your organization’s cybersecurity posture, offering detailed insights when needed. It gives you a comprehensive inventory of all potential weaknesses in your current IT environment and identifies areas needing improvement.
How can cybersecurity-as-a-service (CSaaS) help me support NIS2 compliance?
Partnering with a cybersecurity cloud service provider reduces the burden on businesses lacking internal resources to maintain continuous NIS2 compliance. For instance, a managed detection and response (MDR) provider deploys security experts to investigate and assess potential security risks across your entire environment, 24/7, 365 days a year. The right MDR partner will use world-leading threat intelligence to identify your risk level and prioritize a fast, effective response to neutralize threats and ensure that personal data is protected. Download the Sophos NIS2 compliance card to learn more about how managed security can address the security requirements of regulatory compliance.
NIS2 Quick FAQs
Introduction to the NIS2 Directive
1. What is the NIS2 Directive? NIS2 is an EU regulation focused on improving cybersecurity across member states by setting stricter security and incident reporting requirements.
2. What are the main features of the NIS2 Directive? Key features include stricter security requirements, expanded scope, and enhanced incident reporting.
3. What prompted the European Commission to propose a new NIS Directive? The commission proposed the new directive to better address the quickly evolving cybersecurity landscape and emerging threats. View the Sophos NIS2 Webinar slide about the threats: (5:18), which discusses these additional points.
- Increased Dependency on Digital Infrastructure: The COVID-19 pandemic heightened reliance on digital systems for both individuals and businesses, including those not traditionally considered digital enterprises. This shift emphasized the importance of robust digital security.
- Rise in Cyber Attacks: There has been a dramatic increase in cyber attacks, particularly ransomware. Such attacks are now described as occurring on an "industrial scale" and are part of a lucrative criminal business generating hundreds of millions of Euros.
- Significant Supply Chain Attacks: The impact of major supply chain attacks has underscored the vulnerabilities in interconnected global supply chains, reinforcing the need for comprehensive cybersecurity strategies.
- Geopolitical Threats: The Russian invasion of Ukraine in February 2022 has underlined the heightened cyber threat landscape and the necessity for state-level action to address these risks.
- Inadequacies of Previous Measures: Despite improvements brought about by the original directive, there was still a significant variation in cybersecurity standards across the EU, with an inconsistent perception of cyber threats among member states.
4. Which aspects of the previous NIS1 Directive are incorporated into NIS2? Core elements like risk management and incident reporting have been retained and enhanced.
5. What are the main objectives of the NIS2 Directive? The primary goals are to enhance cybersecurity resilience, improve incident reporting, and foster cooperation among member states. View the Sophos NIS2 Webinar slide on the purpose: (7:54), which discusses these additional points.
- Protection of Critical Infrastructure: Ensure that critical infrastructure and organizations within the EU are safeguarded from cyber attacks.
- Enhancement of Existing Regulations: Build upon the requirements established by the original directive, by introducing stricter measures and more comprehensive guidelines.
- Achieving Uniform Security Levels: Achieve a higher and more uniform level of cybersecurity across all member states of the European Union.
6. What are the key differences between NIS1 and NIS2? NIS2 introduces stricter security requirements, expands the scope of covered sectors, and imposes more rigorous incident reporting obligations compared to NIS1.
NIS2 implementation and enforcement
7. When will the NIS2 Directive go into effect? It’s set to go into effect in October 2024, with a phased implementation timeline.
8. How will the NIS2 Directive be enforced across different EU member states? National authorities will be responsible for supervising and enforcing compliance, with coordination at the EU level.
9. How should businesses prepare for the NIS2 Directive? Organizations should start by conducting a gap analysis, enhancing their cybersecurity measures, and implementing continuous monitoring and reporting systems.
10. Should I consider an NIS2 compliance assessment? Many companies benefit from bringing in a consultant to evaluate their systems for NIS2 compliance and identify any needed fortification to their cyber defenses.
11. How can organizations assess their current compliance status with the NIS2 Directive? Organizations can use compliance assessment tools, methodologies, and consultants to evaluate their security posture.
12. What constitutes an effective incident response plan under the NIS2 Directive? An effective incident response plan should include defined roles, communication protocols, and regular testing.
13. How does the NIS2 Directive impact small and midsize businesses (SMBs)? SMBs that meet the size threshold below are required to comply with the directive's provisions, which may involve additional cybersecurity investments and resources.
A company with over 50 employees and an annual turnover of 10 million euros meets the size threshold for eligibility under NIS2.
14. To whom does NIS2 apply; which sectors are required to adopt the directive? NIS2 applies to a broad range of sectors, segmented into two groups for essential sectors and important sectors as follows:
If you are in one of these sectors, and you also have at least 50 employees and an annual turnover of at least 10 million euro, you are required to adopt NIS2. View the Sophos NIS2 webinar slide on essential and important sectors.
Essential sectors | Important sectors (table contents not reproduced in this text)
What is the scope of NIS2?
15. Which member state will have jurisdiction over entities under NIS2? Jurisdiction is typically determined by the location of the entity's main establishment in the EU.
16. What is Article 21 and the cybersecurity measures required by the NIS2 Directive? The goal of Article 21 of the NIS2 Directive is to strengthen cybersecurity standards and penalties while improving cyber resilience. It contains many of the details of what the directive requires, such as implementing risk management measures, incident response protocols, and regular security audits. View the Sophos NIS2 Webinar slide on security standards: (14:25), which discusses these additional points.
- Basic 'Cyber Hygiene': Covers baseline practices such as password management, protection of systems administrators, software updates, and having backups.
- Vulnerability Management: Ensures that vulnerabilities within systems are identified and mitigated.
- Supply Chain Security: Focuses on securing the supply chain against cyber threats.
- Encryption and Cryptography Standards: Sets standards for encryption and cryptography to protect sensitive data.
- Asset Management: Involves the management and protection of digital assets.
- Access Control and Zero Trust Security: Implements strict access control measures and a Zero Trust security model.
- Risk Analysis Process: Requires a risk analysis process that identifies the necessary security measures.
- Incident Handling and Reporting: Mandates proper procedures for incident handling and reporting.
- Business Continuity: Emphasizes the need for crisis management and disaster recovery plans to ensure business continuity.
17. What types of incidents need to be reported under the NIS2 Directive? Incidents that significantly disrupt services or compromise security must be reported.
How do I become NIS2 compliant?
18. What are the training and awareness requirements under the NIS2 Directive? Regular cybersecurity training and awareness programs are required for all employees.
19. What resources are available to help organizations comply with the NIS2 Directive? Guidance documents, best practice frameworks, consulting services, and support services are available to assist organizations.
20. How does the NIS2 Directive integrate with existing IT governance frameworks? NIS2 aligns with frameworks like COBIT and ITIL to ensure comprehensive IT governance.
21. What are the reporting requirements under the NIS2 Directive? Entities must report significant incidents within 24 hours and provide updates on mitigation efforts.
22. What role do third-party service providers play in NIS2 compliance? Vendors and suppliers are required to meet the same security standards as their clients.
Are there any NIS2 risks or penalties?
23. What happens if we don’t adopt the NIS2 Directive? Noncompliance can result in significant penalties, including fines and potential operational restrictions.
24. What are the financial implications of noncompliance with the NIS2 Directive? Noncompliance can lead to hefty fines and increased operational costs due to security breaches.
Who is coordinating the NIS2 directive?
25. How will the new rules foster better cooperation? The directive promotes information sharing and joint exercises among member states.
26. Does this initiative align with other EU policies? NIS2 aligns with broader EU cybersecurity and digital market policies, such as the General Data Protection Regulation (GDPR).
27. How does the European Commission plan to improve cyber crisis management? Strategies include establishing coordinated response frameworks and promoting cross-border cooperation.
What are the strategic considerations?
28. What are the benefits of complying with the NIS2 Directive? Compliance enhances security, improves reputation, and boosts competitiveness while avoiding the financial impact of noncompliance.
29. How can CSaaS support NIS2 Compliance? Partnering with a third-party security company that delivers cybersecurity as a cloud service reduces the ongoing monitoring, detection, and response burden on businesses lacking internal resources to maintain continuous NIS2 compliance.
30. How does the NIS2 Directive address emerging cybersecurity threats? It includes provisions for adapting to new and evolving cybersecurity threats.
How do I implement NIS2?
31. What are the subsequent steps for implementing the Directive? Steps include understanding national transposition for your country, stakeholder engagement, and setting up enforcement mechanisms. A full list of Sophos products available to help operators become compliant is available for download in the NIS2 whitepaper.
32. How can organizations use technology to meet NIS2 Directive requirements? Utilizing advanced security tools and automation can help meet compliance requirements efficiently.
NIS2 Resources
Download the NIS2 Compliance Card
Strengthen Your Cybersecurity: Understanding the NIS 2 Directive
Sophos Guidance on the Digital Operational Resilience Act (DORA)