Loader
zifo_logo
search_icon
zifo_logo
search_icon

Home arrow_in_separator Blogs arrow_in_separator Exploring the NIS2 Directive: Strengthening Cybersecurity Measures Throughout the European Union

Chat Chat icon

ZifoZifo

Close

Exploring the NIS2 Directive: Strengthening Cybersecurity Measures Throughout the European Union

author image

Tript Srivastava, Engagement Lead   |   23rd July 5mins

The Network and Information Security Directive (NIS2) represents a major enhancement over NIS1, aiming to strengthen cybersecurity throughout the European Union. As cyber threats continue to evolve, the EU has recognized the need for more robust and comprehensive measures to protect critical infrastructure and essential services. This blog will delve into the details of the NIS2 regulation, highlighting its key components and how it differs from its predecessor, NIS1.

Introduction to NIS2

Directive (EU) 2022/2555, commonly referred to as the NIS2 Directive, was adopted on December 14, 2022, and became effective on January 16, 2023. The directive aims to enhance cybersecurity across the European Union by requiring entities that manage critical infrastructure and essential services to adopt appropriate security practices and report incidents to designated authorities. EU Member States were required to integrate the directive into national law by October 17, 2024.

Key components of NIS2

  • 1. Broader scope of covered entities
    • NIS2 expands its coverage from 7 to 15 sectors, now including areas such as postal and courier services, chemical and food production, manufacturing, digital service providers, and public sector organizations. This broader scope ensures that more entities vital to societal and economic stability are subject to the directive’s cybersecurity requirements.
  • 2. New classification of organizations
    • NIS2 establishes a standardized classification system for organizations, dividing them into two groups: Essential Entities and Important Entities. This distinction allows for tailored cybersecurity obligations based on the criticality of the entity’s role in society and the economy. Essential Entities face more stringent requirements and closer supervision, whereas Important Entities are subject to less intensive oversight.
  • 3. Enhanced risk management obligations
    • Organizations are required to implement robust cybersecurity practices, which include conducting formal risk assessments, performing regular penetration tests and audits, securing their supply chains, and using encryption to protect sensitive data.
  • 4. Tightened incident reporting protocols
    • NIS2 defines clear expectations for incident reporting: an initial alert must be submitted within 24 hours, followed by a detailed report within 72 hours, and a final report with full analysis and corrective actions.
  • 5. Increased penalties for non-compliance
    • Entities that fail to meet NIS2 requirements may face substantial fines of up to €10 million or 2% of their global annual revenue, particularly for those classified as essential.

Differences between NIS1 and NIS2

Aspect NIS1 NIS2
Scope Limited to sectors like energy, transport, and healthcare Expanded to include additional industries, such as postal services, chemical and food industries, manufacturing, digital technology providers, and public administration
Classification Member States had flexibility in defining covered entities Uniform classification into Essential Entities and Important Entities
Risk management Basic risk management measures Advanced risk management measures, including mandatory risk assessments, regular audits, supply chain security, and encryption
Incident reporting General guidelines for incident reporting Clearly defined timelines for incident reporting include: an initial alert within 24 hours, a comprehensive follow-up within 72 hours, and a final submission detailing the full analysis and mitigation steps
Penalties Lower penalties for non-compliance Essential Entities may face significantly higher penalties for non-compliance, including fines reaching up to €10 million or 2% of their total global annual revenue

How organizations can comply with NIS2

To comply with NIS2, organizations must adhere to the cybersecurity risk management measures outlined in Article 21. These measures include:

Organization Comply
  • 1. Risk analysis and system security policies
    • Organizations should establish structured policies for evaluating risks and securing their information systems.
  • 2. Incident response procedures
    • Clear protocols must be in place to manage and respond to cybersecurity incidents effectively.
  • 3. Continuity planning
    • Entities should develop strategies for data backup, disaster recovery and managing crises to ensure operational resilience.
  • 4. Securing the supply chain
    • Security measures must extend to relationships with suppliers and service partners to mitigate third-party risk.
  • 5. Secure system lifecycle management
    • Security should be embedded throughout system acquisition, development and maintenance, including handling and disclosing vulnerabilities.
  • 6. Evaluating control effectiveness
    • Cybersecurity controls and risk management practices should be reviewed regularly to ensure they remain effective.
  • 7. Cyber hygiene and awareness
    • Promoting basic cybersecurity practices and providing regular ongoing training to staff helps maintain a secure environment.
  • 8. Use of encryption and cryptography
    • Sensitive data should be protected using appropriate cryptographic techniques and encryption standards.
  • 9. Workforce security measures
    • Access controls and asset management policies should be applied to safeguard systems and data from internal threats.
  • 10. Authentication and secure communication
    • Multi-factor authentication, secure communication channels and emergency communication systems should be implemented to protect against unauthorized access and ensure reliability during incidents.

Conclusion

The NIS2 Directive marks a vital advancement in bolstering cybersecurity throughout the European Union. By expanding the scope of covered entities, introducing uniform classifications, enhancing risk management measures, and imposing stricter penalties, NIS2 aims to create a more resilient and secure digital environment. Organizations must take a meticulous approach to compliance to ensure they meet the new requirements and protect their critical infrastructure and essential services.

As cyber threats continue to evolve, the NIS2 Directive offers a robust framework to protect the EU's digital environment, ensuring the security and continuity of essential services.