NIS 2 Directive: who it applies to and which security measures to adopt

In 2024, digital technology permeates every sector of the economy and society. This makes it essential to have a solid regulatory framework, ideally at a supranational level, aimed at minimizing risks related to cyber threats and their impact on critical infrastructures and essential services. 

The NIS 2 Directive addresses this need by setting new security standards for European public and private organizations. 

What is NIS 2: An Overview of the Directive and Differences from NIS 

The NIS 2 Directive (Network and Information Security 2) is an EU legislative act that updates and expands the framework for network and information system security, replacing the previous NIS Directive from 2016. 

The NIS Directive and the Evolution to NIS 2  

NIS laid the foundation for a unified European regulatory framework on cybersecurity, promoting standardized security practices and marking a turning point in protecting information systems, especially in critical industries of the economy and society. 

Despite being a significant step forward, the NIS Directive has proven inadequate over time in addressing the evolving threats. On one hand, the exponential increase in cyberattacks (+12% in 2023, according to Clusit), which are increasingly sophisticated and targeted; on the other hand, the pervasive digitalization of essential sectors and services, combined with the increasing value of data, has driven the need to update and revise the regulatory framework. The NIS 2 Directive emerges from this necessity and introduces stricter requirements and a proactive approach to managing cyber risks. The differences between NIS and NIS 2 primarily concern five areas: 

• Wider scope of the directive compared to NIS; 

• Stricter security and reporting requirements than in the past; 

• Sanctions: NIS 2 introduces a uniform and severe European sanction regime; 

• Management board responsibilities: with NIS 2, cybersecurity becomes the direct responsibility of corporate management bodies, not just IT departments; 

• Supply Chain Focus: NIS 2 requires organizations to consider security throughout the supply chain. 

NIS 2 Entry into Force  

The NIS 2 Directive formally came into force on January 17, 2023. However, as it is not a regulation (which would have had immediate effect), it must be transposed into national law by Member States by October 17, 2024.  

Which Companies Are Subject to NIS 2  

The scope of the NIS 2 Directive is one of the key elements and a clear difference from the previous regulation. The European legislator has recognized the increasing interconnection between information systems, the economy, and society and has significantly expanded the range of entities required to comply with its provisions. So, who does the NIS 2 Directive apply to? 

1. Primarily, public and private entities offering services or conducting activities within the European Union. 
2. These entities must fall within one of the sectors specified in the directive's annexes, which are divided into two categories: highly critical sectors and other critical sectors. The first category includes energy, transport, banking, healthcare, water supply, and digital infrastructure (such as cloud service providers). The second group includes, among others, postal and courier services, waste management, production and distribution of chemicals, food production and processing, digital service providers (e-commerce, search engines, social media platforms), and other key areas of the economy and daily life in every country. 
3. A size criterion also applies: NIS 2 is mandatory only for medium and large companies, with the baseline parameters being 50 employees and 10 million euros in revenue. 

How to Address NIS 2 Compliance  

Compliance with NIS 2 is a complex issue that requires consultancy support from experts capable of guiding the company through a comprehensive process. This includes an in-depth assessment, a subsequent gap analysis, involvement of all relevant stakeholders, and the design and implementation of appropriate solutions, which are technical and organizational, requiring the management of change and discontinuity. 

From a purely regulatory perspective, organizations must adopt technical, operational, and organizational measures to address the risks posed to the security of the systems and networks they use in their activities or to provide services. The European legislator follows a typical risk-based approach, requiring each entity to select appropriate measures after assessing their exposure to risks, as well as the likelihood and severity of potential incidents. 

The Multi-Risk Approach and Measures to Adopt  

Focusing on the protection measures, the European legislator (Art. 21) states that they must be "based on a multi-risk approach aimed at protecting IT and network systems and their physical environment from incidents." The multi-risk approach is central to NIS 2 as it shows the legislator's intention: to go beyond technical attacks (typical external cyberattacks), embracing 360° security that includes prevention and response capabilities to physical and environmental risks, human errors, supply chain risks, process interruptions, and more. 

In terms of cyber risk prevention and management, the legislator identifies 10 key areas, directly taken from the text of the directive: 

1. Risk analysis and IT system security policies; 
2. Incident management; 
3. Business continuity, including backup management and disaster recovery, and crisis management; 
4. Supply chain security, including security aspects related to relationships with suppliers or service providers; 
5. Security in the acquisition, development, and maintenance of IT and network systems, including vulnerability management and disclosure; 
6. Strategies and procedures for evaluating the effectiveness of cyber risk management measures; 
7. Basic cybersecurity hygiene practices and cybersecurity training; 
8. Policies and procedures regarding encryption; 
9. Human resource security, access control strategies, and asset management; 
10. Use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communication systems within the organization. 

Among these points, of particular interest are the business continuity aspect (3), supply chain security (4), and cyber hygiene practices (7), which effectively require the targeted companies to organize security awareness programs. 

Reporting and Penalties: What’s New in NIS 2  

The new European directive sets stricter rules for incident reporting than before and defines a fairly strict sanctioning system. The legislation specifies the information to be provided and the timeframe within which the incident must be reported to the CSIRT: 24 hours for a preliminary warning and no more than 72 hours for the incident notification. 

Regarding penalties, NIS 2 establishes that they must be effective, proportionate, and dissuasive, meaning they should be based on a careful assessment of the circumstances of each case. Here, a distinction is made between so-called essential and important entities, which will be defined by Member States by April 2025. For essential entities, penalties can reach up to 10 million euros or 2% of annual global turnover, whichever is higher. The maximum is 7 million euros or 1.4% of global turnover for important entities.