The Impact and Scope of NIS2
The EU's NIS2 Directive must be transposed into the national legislation of every member state in the near future and will apply to a wide range of companies and organisations. The directive introduces stricter legal requirements for network and information security across selected sectors.
On this page, you will gain a clearer understanding of the impact and scope of NIS2.
What is NIS2 and why is there a new directive?
NIS2 is the successor to the original Network and Information Security (NIS) Directive from 2016. The reason for revising the directive is the increasing level of cyber threats, which pose a risk to the effectiveness of the internal market. These threats, and the actors behind them, range from amateurs to organised cyber criminals and state-sponsored actors.
The damage caused by these threats can spread through vulnerable supply chains and critical infrastructure, with potentially devastating consequences for society, the economy, and businesses. There is therefore a need to strengthen protection at a new and uniform level.
The revised NIS2 Directive aims to ensure:
-
A consistent selection of relevant sectors across the EU
-
Consistency in security requirements
-
Uniform handling of major cyber incidents
When should the NIS2 Directive be implemented into legislation?
The directive must be transposed into national legislation by 17 October 2024. From that point onwards, affected companies will be required to comply with the national rules that implement it. At present, no detailed implementation timetable has been published by the authorities.
What is the difference between NIS and NIS2 compliance?
There are several changes compared to the previous NIS Directive. These changes can be divided into those affecting national authorities and those affecting individual organisations and companies.
Changes for national authorities
For national authorities, several initiatives have been introduced to strengthen cross-border cooperation within the EU. Each member state must designate one or more competent authorities responsible for supervision, a single point of contact, and one or more CSIRTs (Computer Security Incident Response Teams) responsible for incident handling. These bodies work closely with ENISA (the European Union Agency for Cybersecurity) and with their counterparts in other member states on both preventive and corrective measures, so that major cyber incidents can be managed at EU level.
A newly established entity, EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network), supports the coordinated management of large-scale cybersecurity incidents and crises across the EU.
Changes for organisations and companies
For organisations and companies, the changes fall into four main areas:
-
Risk management and security measures
There are stricter requirements to ensure that security controls are selected on the basis of thorough risk assessments. The directive also lists a minimum set of measures every covered entity must have in place, including incident handling, business continuity and backup management, supply chain security, cyber hygiene and training, access control, multi-factor authentication where appropriate, and policies on the use of cryptography.
-
Notification obligations
Uniform requirements have been introduced regarding both the timing and the recipients of incident reporting. A significant incident must be notified to the national CSIRT or competent authority in three stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours that updates the early warning with an initial assessment of severity, impact, and indicators of compromise, and a final report no later than one month after the incident notification, describing the incident, its likely root cause, and the mitigation applied.
[Figure: NIS2 incident response timeline – when to do what]
-
Management commitment
Greater emphasis is placed on management's awareness of, and involvement in, the prevention and handling of cyber incidents, both nationally and within organisations. Management bodies must approve the risk management measures and oversee their implementation, and members of senior management may be held directly and personally liable for infringements under the NIS2 Directive.
-
Supervision, enforcement, and sanctions
As with GDPR, authorities may impose fines for non-compliance. Essential entities may face fines of up to €10 million or 2% of their total annual worldwide turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4%.
What does NIS2 mean for you as an Information Security Manager?
If your organisation is subject to NIS2, whether or not it was already covered by the original NIS Directive, you may have several questions, such as:
-
What will happen next?
-
Where should additional information security resources be allocated?
-
How can this be done correctly and as effectively as possible?
-
What are the consequences of failing to comply with NIS2 on time?
The good news is that if your organisation falls under NIS2, you are likely already working with ISO 27001/27002. An information security management system based on ISO 27001, with controls selected from ISO 27002, covers much of what NIS2 asks for and means you have already made significant progress towards NIS2 compliance.
If you are not already working with ISO 27001/27002, this is the ideal place to start. We can, of course, assist you with this. Book a non-binding meeting with us here.
If you would like to read more about the measures and changes that you, as an Information Security Officer, should consider under NIS2, read the article “How will NIS2 impact an Information Security Manager?”
Who is responsible for NIS2 supervision of companies?
At present, supervision of cyber security remains sector-based, as is currently the case. Under NIS2, each member state must designate one or more competent authorities to carry out supervision and enforcement, together with a national CSIRT (Computer Security Incident Response Team) that receives incident notifications and assists affected entities. A CSIRT is an incident-handling function rather than a supervisory authority, although the same organisation may host both roles. Guidance and advice are also expected from these bodies and from EU-level centres of knowledge and expertise such as ENISA.
Our best estimate is that the Centre for Cyber Security will assume broad supervisory responsibility for Danish companies required to comply with NIS2. We believe this organisation has the strongest expertise in Denmark to fulfil this role.
Which sectors and companies are covered by the NIS2 Directive?
NIS2 applies different criteria to determine which organisations are covered. Your organisation is directly subject to the NIS2 Directive if it meets both of the following conditions:
-
It operates in one of the sectors listed in the directive's annexes, which determine whether it is classed as an essential or an important entity
-
It meets the size criteria
In addition, you may be indirectly affected if you are a supplier to an organisation that falls within scope, because covered entities must manage the security of their supply chains and will pass requirements on to their suppliers.
Sector criteria for essential and important entities
Annex I of the directive lists the sectors of high criticality. Large entities in these sectors are classed as essential entities (medium-sized ones are generally important entities):
-
Energy
-
Transport
-
Banking
-
Financial market infrastructures
-
Health
-
Drinking water
-
Waste water
-
Digital infrastructure
-
ICT service management (business-to-business)
-
Public administration
-
Space
Annex II lists the other critical sectors, whose covered entities are classed as important entities:
-
Postal and courier services
-
Waste management
-
Manufacture, production, and distribution of chemicals
-
Production, processing, and distribution of food
-
Manufacturing of medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles, and other transport equipment
-
Digital providers (online marketplaces, online search engines, and social networking platforms)
-
Research
Size criteria
With a few exceptions (for instance, certain digital infrastructure providers such as DNS service providers and top-level domain name registries, and central government entities, are covered regardless of size), an organisation is covered by NIS2 if both of the following criteria are met:
-
The organisation operates within one of the sectors listed above
-
It is at least a medium-sized enterprise under the EU definition: 50 or more employees, or an annual turnover and an annual balance sheet total both exceeding €10 million
Entities in the Annex I sectors that are large enterprises (250 or more employees, or a turnover above €50 million together with a balance sheet total above €43 million) are essential entities; the other covered entities are important entities.
You may be indirectly affected by NIS2 if…
Even if you do not fall within the listed sectors, you may still have to meet NIS2-derived requirements if you provide critical services to, or are a supplier for, essential or important entities. Covered entities must address supply chain security as part of their risk management, so they will typically pass security requirements on to subcontractors through contracts and supplier assessments, even though the subcontractor itself is not directly in scope of the directive.
Read more about what NIS2 means for you as an Information Security Manager here.
