With the deadline for Member States to transpose the European Union's updated Network and Information Systems Directive (Directive (EU) 2022/2555) ("NIS 2" or "Directive") into national law having passed on 18 October 2024, organisations operating in or servicing the EU market face significant new cybersecurity obligations. The revised Directive, which repeals and expands on the original NIS framework ("NIS 1"), broadens its regulatory scope and imposes enhanced compliance requirements to address the growing threats in a new era of digitalisation.
Background of the NIS 2 Directive
NIS 1 (introduced in 2018) primarily impacted 'operators of essential services' and 'digital service providers', such as online search engines and cloud services, requiring them to maintain a certain level of cybersecurity. NIS 2 expands on these categories, replacing them with 'essential' and 'important' classifications. An organisation deemed 'important' or 'essential' (defined by various categories, including the provision of public electronic communications networks or services and the operation of domain name registries or domain name system service providers, i.e. companies whose disruption could have an impact on public safety, security or health, or could result in systemic risks) is within scope. Therefore, digital infrastructure and digital providers (including social networking services platforms), the manufacturing of critical products including medical devices, food, space, postal and courier services, and public administration all fall within the broader scope of NIS 2.
New Requirements Under NIS 2
NIS 2 aims to address the increased prevalence of cyber threats across the expanding digital landscape. To bolster security, the Directive imposes comprehensive cybersecurity management and reporting obligations on in-scope organisations. These obligations are structured to prompt entities to actively manage risks, monitor vulnerabilities, and respond to incidents promptly.
Core compliance obligations include:
- Enhanced Security and Risk Management: Organisations must implement comprehensive cybersecurity measures to address risks across network and information systems, including incident detection, vulnerability disclosure, and data encryption.
- Incident Reporting: In a significant shift from NIS 1, NIS 2 replaces the single 'without undue delay' standard with more onerous, staged reporting timelines. Entities are required to report significant incidents within 24 hours, followed by a more detailed report within 72 hours, and a final report within a month. The definition of 'significant' has also been simplified to avoid overreporting. Entities may also be required to notify the general public.
- Increased Management Accountability: Senior management must approve and oversee cybersecurity measures and may face personal liability if they fail to meet the requirements set out under NIS 2. A 'management body' is not defined in the Directive and will be determined individually by member states. This requirement underscores the importance of leadership in driving and maintaining cybersecurity standards, and requires management to undertake continuous training so that they have the necessary skills to assess the risks their entity faces.
- Supply Chain Security: Recognising the risk posed by third-party providers, NIS 2 mandates that organisations actively monitor the security practices of their suppliers and incorporate these into their own risk management processes. NIS 2 applies to both large and medium-sized organisations in high-risk sectors and indirectly affects certain small entities through the supply chain, imposing standards for incident response, risk management, and compliance.
- Regular Security Audits: Essential entities are subject to regular audits and spot checks, while important entities undergo audits based on reasonable suspicion.
Key Implications for Organisations
Compliance Costs: The new obligations under NIS 2 are expected to impose additional costs on entities, particularly those newly subject to these requirements. Compliance measures, including additional staff training, consulting cybersecurity experts, and technology investments, will require significant planning and budget allocation.
Fines and Penalties: NIS 2 allows for stringent penalties for non-compliance – member states have discretion to implement fines of up to €10 million or 2% of global turnover for essential entities and €7 million or 1.4% of global turnover for important entities. Member states also have discretion to implement their own rules on penalties for infringement. This reinforces the EU's stance on prioritising cybersecurity and serves as a strong deterrent against non-compliance.
Operational Adjustments: Affected organisations must integrate NIS 2's requirements into their existing cybersecurity framework. For example, risk management practices need updating, and incident response plans should be revised to accommodate the Directive's quick turnaround times for reporting.
Steps to Prepare For NIS 2 Compliance
- Applicability Assessment: Evaluate whether your organisation qualifies as an 'essential' or 'important' entity under NIS 2 and assess which services and sectors are impacted.
- Resource Allocation and Protocols Revision: Ensure adequate budget and personnel are in place to implement cybersecurity measures, including regular audits, management training, and incident response.
- Cybersecurity Expertise Engagement: For entities new to EU cybersecurity regulation, consulting with experts can clarify compliance steps, especially for technical aspects like supply chain security and risk management.
- Supply Chain Security Strengthening: Evaluate supplier relationships, assess their cybersecurity standards, and ensure they align with NIS 2 requirements.
- Documentation Preparation: Entities should establish audit trails and reporting mechanisms to meet the documentation and accountability expectations under NIS 2.
- EU/UK Regulatory Discrepancies: Organisations operating in both the UK and the EU must also be mindful of regulatory discrepancies, as the UK has opted out of NIS 2 due to Brexit and is pursuing its own Cyber Security and Resilience Bill, anticipated in 2025. This means UK-based entities working with EU clients must align with NIS 2 while remaining compliant with UK cybersecurity standards.
Concluding Insights
The NIS 2 Directive represents a significant step forward in strengthening the EU's digital security landscape, with its expansive coverage and stringent compliance measures. For organisations, this Directive provides an opportunity to enhance cybersecurity and build resilience against growing digital threats. By preparing now, organisations can not only meet regulatory standards but also strengthen their position as cybersecurity-conscious leaders in their industries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.