The Whats, Whens, and Hows of NIS2 (Updated)

The NIS2 Directive is an EU-wide legislation that aims to increase the level of cybersecurity within the European Union. It does so, among other things, by addressing a wider range of industry sectors, mandating cybersecurity measures to be implemented, and creating strict(er) incident reporting requirements.

Currently, there are vast differences in these subject’s maturity levels between the Member States, this is something that this legislation intends to streamline.

Note that NIS2 does not only require public and private organizations to improve their cybersecurity posture, but it also requires national governments to set up EU-wide collaboration and vulnerability sharing programs.

The NIS2 directive is intended for organizations that are classified as medium or large by the EU, which means organizations that have over 50 employees and/or generate more than 10 million Euros revenue per year.

This so-called “size cap” does however not apply to organizations in certain sectors, such as ones that are deemed critical infrastructure.

Moreover, this size cap does not apply to organizations that provide public services (such as electronic communication networks) or are the sole provider of a service to a government.

This exclusion also does not apply to service providers where an incident could have an impact on public safety, security, health, or disruption could create systemic risks. In other words, NIS2 always applies to organizations that fall in these categories regardless of size.

Types of organizations

Furthermore, NIS2 differentiates between two types of organizations. They are either classified as important or essential depending on the sector they operate in. This classification greatly influences the responsibilities that organizations have when NIS2 comes into effect.

These responsibilities will be further explained in the next section, here we list what sectors fall within what classification.

When implemented, NIS2 will increase the (minimal) effort that organizations should spend on cybersecurity. It does so by allowing governments to hold management personally accountable if gross negligence is proven after a cyber incident.

Depending on organization classification, NIS2 furthermore allows governments to (temporarily) stop a person from exercising managerial positions in case of repeated negligence.

This is however a worst-case scenario and NIS2 provides guidelines for preventing such negligence. For example, to ensure that management is sufficiently aware of cyber risks, NIS2 mandates that management bodies receive adequate cybersecurity training.

NIS2 advices that all employees receive such training, but this is not mandatory. Furthermore, it requires risk management and assessment activities to be performed to ensure that management is aware and has considered the cybersecurity risks within their organization.

Incident obligations

These pro-active and preventive measures are not the only thing described in NIS2, it also describes mandatory post-incident activities. NIS2 defines an incident as an event that compromised or was capable of compromising “the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems”.

When an organization becomes aware of such an incident, they are required to provide an early warning to the applicable authorities within 24 hours of becoming aware of the incident, and perform an initial assessment within 72 hours.

This assessment must include the severity and impact of the incident, and possibly indicators of compromise on a best effort basis. Lastly, all incidents require a complete incident report within one month of the initial report.

Important vs essential classification

Next to these requirements that apply to all organizations, there are also category specific requirements. Essential organizations be subject to on-site inspections, off-site supervision, including random checks.

This includes annual and targeted audits, based on risk assessment outcomes or risk-related available information.

When requested, these organizations must hand-over any form of information needed to perform these supervisory tasks to the auditing entity. This information includes access data, documents, and proof of implemented cybersecurity measures.

When necessary, governments will have the ability to impose deadlines and binding instructions on these organizations to ensure compliance. On the other hand, important organizations are only subject to such audits when there is evidence or an indication that they do not adhere to the NIS2 obligations set for them.

Opposed to essential organizations, important organizations are not obliged to provide access to information for supervisory purposes. Note that how these requirements will be implemented or executed depends on each Member State their implementation of NIS2.

How the government will help you

NIS2 does not only lay down obligations for organizations however, but it also helps them. Among others, Member States must provide help in implementing the necessary cybersecurity measures, assist in incident response tasks, and set-up information sharing arrangements. Moreover, they must warn organizations of possible cyber threats that might be relevant to them.

NIS2 Webinar Series

We had two webinars related to NIS2 already.

NIS2 Webinar 1

1. In the first webinar we invited Bart Groothuis, the NIS2 Rapporteur for the European Parliament, to talk about this new directive. During this webinar we discussed the need for this new directive, the changes that it will bring, and how the Member States will help organizations comply with the obligations presented in NIS2. Watch the replay here: Webinar | The NIS2 Directive

NIS2 Webinar 2

2. In the second webinar we invited Jasper Nagtegaal, the head of the Dutch Authority for Digital Infrastructure (RDW), to talk about NIS2 from a regulator’s perspective. In this webinar Jasper provided insights into how the Dutch government handled the enforcement of the original NIS and how NIS2 will be enforced by the RDW. Watch the replay here: Webinar | NIS2 Perspectives from a Regulator.

These webinars are part of our NIS2 webinars series, if you want to be kept up to date with the webinars that Secura holds, subscribe to our newsletter at the bottom of this page.