The NIS 2 Directive is an updated regulatory framework by the European Union designed to enhance cybersecurity measures across the member states. It is an evolution of the original Network and Information Systems (NIS) Directive, which was the first piece of EU-wide legislation on cybersecurity.
The NIS 2 Directive was formally adopted by the EU on 16 January 2022. Member states are required to transpose the directive into national law by 17 October 2024. Let's dive into the details of the NIS 2 Directive!
What are the main goals of the NIS 2 Directive?
The NIS 2 Directive aims to significantly improve the cybersecurity posture across the European Union. Here are its three main goals:
- To address security gaps that were present under the original NIS Directive.
- To enhance the security of network and information systems across the EU, and ensure a high common level of cybersecurity, and
- To boost the overall resilience of the EU against cyber threats and attacks, protecting essential services that rely on information technologies and networks.
What entities does the NIS 2 Directive apply to?
The NIS 2 Directive significantly expands the scope of its predecessor to include a broader range of entities.
Essential Entities
Essential entities include those from sectors that are critical for societal and economic activities:
- Energy: Electricity, oil, and gas
- Transport: Air, rail, water, and road
- Banking
- Financial Market Infrastructures
- Health: Healthcare providers
- Drinking Water: Both supply and distribution
- Waste Water
- Public Administration
- Digital Infrastructure: IXPs, DNS service providers, TLD name registries
Important Entities
Important entities are those in sectors significant to the economy but not as critical as the essential services:
- Postal and courier services
- Waste management
- Chemical
- Food
- Manufacturing: Production of medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, trailers, semi-trailers, other transport equipment, and products not elsewhere classified
- Digital Providers: Online marketplaces, online search engines, and cloud computing services
- Research
What are the key areas of focus in the NIS 2 Directive?
- Broader scope
NIS 2 expands the range of sectors and types of entities that are required to comply with its regulations. It includes more types of entities in critical sectors like energy, transport, health, and digital infrastructure.
- Stricter security requirements
The directive sets stricter security requirements for companies, requiring them to take appropriate technical and organisational measures to manage the risks posed to their network and information systems.
- Mandatory reporting
It mandates incident reporting within stricter timeframes, so that responses to cyber threats begin sooner. NIS 2 sets specific notification deadlines, such as a 24-hour "early warning".
- Higher fines
NIS 2 imposes higher fines for non-compliance, aligning the potential penalties more closely with those of the General Data Protection Regulation (GDPR).
- Enhanced member state cooperation
The directive fosters increased cooperation and information sharing between member states, enhancing the collective cybersecurity posture across the EU.
What are the possible penalties for non-compliance?
The original NIS Directive, implemented in 2016, left significant discretion to individual EU member states regarding the exact nature and severity of penalties for non-compliance. While it mandated that penalties be "effective, proportionate and dissuasive," the specifics could vary widely between countries. Typically, these penalties included fines, and in some jurisdictions, they could also include other types of sanctions. However, there was no EU-wide standard for the maximum fines, leading to variations in enforcement.
However, the NIS 2 Directive aims to harmonise and intensify the penalties across all member states, making them more aligned with those seen under the General Data Protection Regulation (GDPR). The directive specifies that penalties should be strong enough to encourage compliance and ensure that they are a deterrent to negligence or non-compliance.
- For essential entities: administrative fines of up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
- For important entities: administrative fines of up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.
10 actions to cultivate a security-conscious culture in your workplace!
Employees play a crucial role in helping their organisation maintain compliance with the NIS 2 Directive. Their actions can significantly impact the overall cybersecurity posture of the organisation.
- Understand the regulation and its requirements
Employees should familiarise themselves with the NIS 2 Directive, especially how it pertains to their specific job functions. Organisations should provide resources or training sessions that help employees understand their roles in maintaining compliance.
- Adhere to internal policies and procedures
Follow all organisational policies and procedures designed to uphold NIS 2 compliance. This includes adhering to security protocols, data handling procedures, and any other processes that have been put in place to safeguard network and information systems.
- Participate in training and awareness programs
Regularly participate in cybersecurity training and awareness programs offered by the organisation. These programs help employees recognise and respond to security threats, understand best practices in digital security, and stay updated on the latest cybersecurity trends and threat intelligence.
- Report security incidents promptly
If employees suspect a security breach or identify a potential cybersecurity issue, they should report it immediately according to the organisation's incident response plan. Timely reporting is crucial under NIS 2, as it helps mitigate the impact of security incidents.
- Use technology responsibly
Employees should use organisational technology resources responsibly. This includes following guidelines for secure use of devices, avoiding the installation of unauthorised software, and adhering to the company’s acceptable use policy.
- Maintain strong password hygiene
Practise and promote strong password management, such as using complex passwords, changing them regularly, and not sharing them with others. Use multi-factor authentication (MFA) wherever possible to add an extra layer of security.
- Secure physical and digital assets
Ensure that physical and digital access to sensitive information and critical infrastructure is secured. This includes locking screens when away from the desk, not leaving sensitive documents exposed, and following protocols for secure access.
- Engage with cybersecurity teams
Collaborate with cybersecurity teams by providing them with any information they need to protect the organisation. Being responsive to security audits and checks and providing feedback on system usage can help identify and mitigate risks.
- Advocate for a culture of security
Promote a culture of security within the organisation. This can be achieved by being a proactive advocate for cybersecurity best practices and by helping to create an environment where security is everyone’s responsibility.
- Stay informed about legal and compliance updates
Keep informed about updates to the NIS 2 Directive and related compliance requirements as they evolve. Regulatory landscapes can change, and staying informed helps ensure ongoing compliance.
Our 5 competitive advantages to make compliance a breeze for you!
As a cybersecurity vendor, we are dedicated to helping you adapt to evolving regulatory requirements. We're confident that our suite of products can help you achieve compliance.
- Comprehensive security awareness training
Our security awareness training program, uLearn, provides a large variety of training modules designed to educate your employees on a wide range of cybersecurity topics, including recognising phishing attempts, safe internet practices, and secure password management. These modules help fulfil the training requirements under NIS 2, which emphasises the need for ongoing awareness and education to mitigate cyber risks.
- Phishing simulation tools
Our easy-to-deploy phishing simulation tool, uPhish, enhances the practical skills of your employees in identifying and handling phishing and other social engineering attacks. Regular testing and training ensure that employees are not only aware of how to spot phishing attempts but are also prepared to react appropriately, which is crucial for maintaining cybersecurity as mandated by NIS 2.
- Gap Analysis Report and Risk Score
We help organisations identify and assess user-related risks with our Gap Analysis Report and Risk Score. These features align with the NIS 2 Directive's requirement for entities to have a clear understanding of the risks facing their networks and information systems and to take appropriate security measures.
- Policy management and compliance tracking
We assist organisations in managing and distributing internal cybersecurity policies with uPolicy. It tracks employee engagement and completion of required training, which is crucial for demonstrating compliance with NIS 2 during audits or regulatory reviews.
- Scalability and flexibility
We offer a cloud-based platform that is scalable and can be easily adopted by organisations of different sizes across different sectors. Our products are ideal choices for adapting to regulatory changes with minimal effort.
Comply with the NIS 2 Directive today!
Our products help you build a strong foundation of cybersecurity knowledge that is crucial for complying with NIS 2. Watch a demo to learn more about how we can help you comply with cybersecurity regulations or sign up for a 14-day free trial and equip your team with essential skills now! Alternatively, you can look at our blog to learn how usecure could help you navigate regulations and standards around the world.