NIS2 Directive: Everything EU Member States and Organizations Need to Know to Prepare and Comply

Welcome to Part II of the NIS2 Directive Series. Part I focused on understanding the NIS2 Directive, what it is, and how it evolved.

However, many CISOs have been reaching out to security providers to understand how NIS2 will affect their organization. Therefore, this article will focus on the regulated sectors, how NIS2 requirements will affect those mandated industries, and what security providers can do to help them prepare and comply.

What Sectors Does NIS2 Apply?

The revised NIS2 Directive significantly expands the scope of application compared to the original 2016 version and will apply to a wider and deeper pool of entities than the current Directive. 

NIS2 includes new sectors that broaden the criteria for inclusion of entities and categorizes these as Essential or Important depending on factors such as size, sector, and criticality.  These two entities are divided into two groups: “Sectors of High Criticality” and “Other Critical Sectors.” 

Both need to meet the same requirements with differences in governing measures and penalties.

Essential and Important entities are defined by NIS2 as follows:

• Essential Entities: Defined as organizations that provide services critical to the functioning of society and the economy, and a disruption in their operations would have significant adverse impacts.  Essential entities are subject to stricter obligations under NIS2.

• Important Entities: While still critical, these organizations are not considered as fundamental as essential entities. A disruption in their services would have serious consequences, but perhaps not as widespread or severe. Important entities have lighter obligations compared to Essential entities under NIS2.

Entities will be defined as follows:

• Large Entities:  >= 250 employees or more than 50M in revenue
• Medium Entities:  50 to 249 employees or more than 10M in revenue
• Small & Micro Entities
• Lex Specialis: May apply where sectoral regulations are at least equivalent
• CER: Entities designated as Critical entities under Directive (EU) 2022/2557, (CER Directive) shall be considered Essential entities under NIS2

Annex 1:  Sectors of High Criticality (Essential Entities)

Energy

• Sectors:  Electricity; District Heating & Cooling; Gas; Hydrogen; Oil.  Including providers of recharging services to end users
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Transport

• Sectors:  Air (commercial carriers; airports; Air Traffic Control); Rail (infra and undertakings); Water (transport companies; ports; Vessel Traffic Services) Road (ITS); Special case:  Public Transport only if identified as CER
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Banking

• Credit Institutions (DORA lex specialis)
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Financial Market Infrastructure

• Sectors: Trading venues, central counterparties (DORA lex specialis
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Health

• Sectors: Healthcare Providers; EU Reference Laboratories; R&D of medicinal products; Manufacturing of basic pharma products and preparations; Manufacturing of medical devices critical during public health emergency.
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Drinking water

• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Waste Water

• Sectors:  Only if it is an essential part of entities’ general activity
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Digital infrastructure

• Sectors: 
  • Qualified trust service providers; DNS service providers (excl. root name servers); TLD name registries:
    • Large Entities: Essential
    • Medium Entities: Essential
    • Small & Micro Entities: Essential
  • Providers of public electronic communication networks:
    • Large Entities: Essential
    • Medium Entities: Essential
    • Small & Micro Entities: Important
  • Non-qualified trust service providers:
    • Large Entities: Essential
    • Medium Entities: Important
    • Small & Micro Entities: Important
  • Internet exchange point providers; cloud computing service providers (including ISP and Cloud); data centre service providers; content delivery network providers:
    • Large Entities: Essential
    • Medium Entities: Essential
    • Small & Micro Entities: Not in Scope

ICT-Service Management (B2B)

• Sectors:  MSPs, MSSPs
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Public Administration Entities

• Sectors:
  • Central Governments:  Excludes judiciary, parliaments, central banks, defence, national or public security
    • All Entities:  Essential
  • Regional Governments:  Risk based.  (Optional for Member States of local governments)
    • All Entities:  Important

Space

• Sectors:  Operators of ground-based infrastructure (by Member Sates
• Inclusion
  • Large Entities: Essential
  • Medium Entities: Important
• Exclusion:  Small & Micro Entities

Annex II:  Other critical sectors

• Postal and Courier Services
• Waste Management: Only if principal economic activity
• Chemicals: Manufacture, production, distribution
• Food:  Wholesale and industrial production and processing
• Manufacturing: (in vitro diagnostic) medical devices; computer, electronic, optical products; electrical equipment; machinery; motor vehicles, trailers, semi-trailers; other transport equipment (NSCE C 26-30)
• Digital Providers:  Online marketplaces, search engines, social networking platforms
• Research: Research organizations (excl. education institutions); Optional Member States: education institutions
• Domain Registration: Entities providing domain name registration services

The category an entity belongs to has significant practical implications. The activities of entities classified as Essential will be subject to much stricter and proactive oversight, including random raids, special security checks, and requests for proof of compliance. For non-compliance with NIS2, Essential entities may face a fine of up to €10 million or 2% of global annual turnover.

Entities classified as Important are subject to less stringent controls. For Important entities, the penalties are slightly more modest of up to €7 million or 1.4% of global annual turnover.

How Should Companies Start Preparing for NIS2? 

NIS2 requires EU Member States to legally amend their national legislation by October 17, 2024. So, the deadline is here. For those organizations who are feeling a bit behind the eight ball, companies and other entities can start preparing now by:

Align Practices

Take a strategic approach to assess cybersecurity readiness and align with NIS2.  Evaluate current security practices and ensure measure are in place to identify and mitigate potential threats effectively.

Understand Compliance Requirements

Determine if your organisation falls under NIS2 as Essential or Important, as this defines your obligation.  Review how NIS2 is implemented in your country and follow guidance from national cybersecurity authorities to ensure compliance.

Develop Cyber Security Measures

Implement technical, operational, and organisational measures to manage risks and prevent incidents.  Offensive security solutions can play a critical role in being proactive and adhering to NIS2 requirements.

Role of Offensive Security to Comply with NIS2

Offensive security solutions like penetration testing services, attack surface management, and red teaming help to proactively identify vulnerabilities and strengthen defenses, supporting compliance with NIS2.

Offensive Security Solutions & Compliance with NIS2

Conclusion

The NIS2 Directive will take effect on October 17, 2024 and will have several ramifications on cybersecurity in the EU. What we should expect next in the upcoming months include:
 

• The updated directive will introduce stricter cybersecurity measures to harmonise standards across EU member states and various sectors in energy, transport, healthcare, and critical and digital infrastructure.

• The directive will unify cybersecurity standards across EU nations, minimising discrepancies in their implementation.

• Organisations will face increased obligations regarding incident reporting and notification of such incidents to authorities as well as the public.

• Enforcement will be more stringent, with penalties including administrative fines and even potential personal accountability for senior executives.

• A new body, the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), will be created to manage large-scale cyber incidents.

• Businesses will need to enhance the security of their supply chains by ensuring that their vendors adhere to cybersecurity protocols.

NIS2 will be fully implemented in 2025 with the goal of a more mature and unified cybersecurity landscape across the EU. As industries come to terms with compliance, the EU may provide more specific guidance tailored to critical sectors, further refining implementation and integration efforts. Overall, NIS2 will set a higher bar for cybersecurity preparedness, but also encourage innovation in response strategies and technologies across the EU.