NIS2 is the successor to the original directive, Network and Information Security (NIS), from 2016. The background for revising the directive is the increasing cyber threats that pose a risk to the efficiency of the internal market. These threats and the actors behind them range from mere amateurs to cyber criminals and state-sponsored actors.
The damages that these threats can cause can spread through vulnerable supply chains and critical infrastructure, thereby devastating society, the economy, and businesses. Therefore, there is a need to protect at a new and uniform level.
The revised NIS2 directive aims to ensure:
The directive should be implemented in legislation by October 2024, and thereafter, compliance with the legislation is required by the affected companies. There has not yet been a specific timetable announced by the authorities.
There are several changes compared to the previous NIS directive. The changes can be divided into those that have implications for national authorities and those that have implications for individual companies.
For national authorities, there are several changes and initiatives that strengthen cooperation across borders in the EU. This includes the establishment of organizations that will work on preventive measures, including close collaboration with ENISA (European Network and Information Security Agency), and corrective measures that ensure that major cyber incidents can be managed at an EU level through a newly established entity called "EU CyCLONe" (Cyber Crises Liaison Organization Network).
For organizations and companies, the changes are related to four areas:
Risk management and security measures
There are stricter requirements to base control measures on risk assessments.
There are uniform requirements regarding the timing and recipients of reporting a cyber incident. The incident must be reported to the supervisory authority within 24 hours if it's deemed critical. A report summarizing the incident, including how it was handled, must be provided within 72 hours. Finally, a final report must be submitted within one month.
Greater emphasis is placed on management's insight into the prevention and handling of cyber incidents, both nationally and within companies. This means that members of the company's management can be held directly and personally accountable for security breaches under the NIS2 directive.
Supervision, enforcement, and sanctions
Similar to GDPR, there is the possibility of imposing fines on organizations and companies for non-compliance. Organizations or companies may potentially face fines of up to 10 million euros or 2% of the organization's annual global turnover.
If your company is subject to the NIS directive and therefore required to comply with NIS2, you may have many questions that you would like to have answered.
The good news is that if your company is subject to NIS2 requirements, you are likely already working with ISO 27001/2. That's because if you comply with ISO 27001/2, you have already made significant progress in terms of NIS2 compliance.
If you are not already working with ISO 27001/2, that's precisely where you should start. We can certainly assist you with that. Book a non-binding meeting with us here.
If you want to read more about the measures and changes that you, as an Information Security Officer, should consider if you are subject to NIS2 regulations, read the article "How will NIS2 impact an Information Security Manager?"
Currently, there is sector responsibility for the prevention of cyber incidents as practiced today. However, in the future, it is expected that a common supervisory authority (CSIRT) will be appointed, and supervision will be carried out through this authority. Guidance and advice are also expected from this or other EU-organized knowledge and competence centers.
Our best guess for an organization that will have broad supervisory responsibility for Danish companies that need to comply with NIS2 is the Center for Cyber Security. We believe that this organization in Denmark has the best expertise to fulfill this task.
NIS2 has different criteria for determining who is covered by the directive. Your company is covered by the NIS2 directive if it falls into one of the following categories:
Criteria for significant or essential organizations and companies.
If your company is a supplier to a company falling under the first two categories.
The following sectors and industries have been selected in the category of significant organizations and companies:
In the category of essential organizations and companies, the following sectors and industries have been selected:
The size criteria prescribe (with few exceptions) that a company is covered by NIS2 if all three of the following sub-criteria are met:
Please note that you may be indirectly covered by the directive even if you do not fall within the aforementioned sectors. This applies in cases where you provide critical services or deliver to significant or critical companies. In other words, if you are a subcontractor to a company covered by NIS2.