What do the new NIS2 requirements mean in concrete terms?

At a time when cyber threats are bigger and more sophisticated than ever, the European Union (EU) has taken an important step towards strengthening its digital defenses with the introduction of the Network and Information Security Directive (NIS2).

The NIS2 Directive builds on the foundation of the previous directive from 2016 and is a response to the increasing attacks on supply chains and the need for more robust reporting procedures across Europe. This directive affects more than 160,000 companies operating in the EU, in particular those classified as “essential” and “important” companies in 15 key sectors.

NIS2 requires these companies to comprehensively overhaul their cyber security practices, forcing them to reassess and improve their supply chain protection measures and reporting obligations. With the deadline for compliance set for October 2024, companies are racing against time to meet the stringent requirements of NIS2.

A closer look at the new requirements

NIS2 introduces four main areas, each with specific mandates aimed at raising cybersecurity standards across the board:

• Risk management: Companies must implement a multi-layered approach to minimize cyber risks. This includes introducing advanced incident management protocols, strengthening supply chain security, improving network security, improving access control and using encryption technologies.
• Corporate responsibility: The policy emphasizes the need for management to monitor and train on cybersecurity measures. It introduces sanctions, including financial sanctions, for violations that are attributable to negligent behavior on the part of managers.
• Reporting obligations: Organizations must establish procedures for the prompt reporting of cyber incidents that significantly affect the provision of services or data recipients, adhering to established reporting deadlines.
• Business continuity: Companies need to develop robust plans to ensure business continuity following major cyber incidents. This includes strategies for system recovery, emergency procedures and the formation of crisis response teams.

The 10 minimum requirements of NIS2

In addition to the general obligations, NIS2 defines ten basic requirements that should form the foundation of cybersecurity in the EU:

1. Risk assessments and formulation of security guidelines for information systems
2. Evaluation of the effectiveness of security measures through defined guidelines and procedures
3. Application of cryptography and encryption
4. Efficient management of security incidents
5. Secure system procurement, development and operation, including vulnerability reporting protocols
6. Conducting cybersecurity training and adherence to basic cyber hygiene practices
7. Security procedures for employees who access sensitive data
8. Contingency plans to maintain business operations during and after cyber incidents
9. Multi-factor authentication and encryption for voice, video and text communication
10. Strengthening security in the supply chain – adapting security measures to the vulnerabilities of individual direct suppliers

Failure to comply with these comprehensive requirements could result in significant fines, amounting to €10 million or 2% of annual global turnover for “significant companies” and €7 million or 1.4% for “important companies”.

Preparing for NIS2: a strategic imperative

For companies operating in the EU, preparing for NIS2 involves a number of strategic steps, including determining applicability, assessing existing security measures, revising security policies and incorporating new security and reporting measures into their supply chain management.

Fortunately, current cybersecurity frameworks, such as the NIST Cyber Security Framework (CSF) or ISO27001, can provide a solid foundation that can ease the transition for organizations. As the October 2024 deadline draws ever closer, the message is clear: the time to act is now. The EU’s NIS2 directive not only raises the bar for cybersecurity, but also emphasizes the importance of a unified and proactive approach to protecting the digital landscape from new threats. Companies must approach these changes with care and foresight.