NIS2 Directive: What is it and how to get prepared?
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated legislation designed to strengthen cybersecurity across member states. It builds on the original 2016 Network and Information Systems (NIS) Directive, addressing evolving cyber threats and the increasing dependence on digital technologies. Member states had to transpose it into national law by 17 October 2024. The directive aims to create a harmonized framework that enhances resilience, improves coordination between member states and secures the functioning of society's critical sectors.
Key Changes from NIS1 to NIS2 Directive
NIS2 expands its scope to include a wider range of critical and important sectors. While the original NIS directive primarily targeted industries like energy, transport and healthcare, NIS2 brings additional sectors under its purview, including public administration, space, manufacturing, food production and distribution, waste management, postal and courier services, digital infrastructure (cloud computing services, data centres, DNS and others) and digital providers (online marketplaces, search engines and social networking platforms). Entities in these sectors are classified as either essential or important, which determines the level of supervision and the maximum penalties that apply. This broader scope ensures that more of the entities society depends on are protected against cyber threats.
The NIS2 Directive also introduces stricter and more comprehensive cybersecurity requirements:
- Risk Management Measures: Article 21 sets a baseline of measures every entity must implement, covering risk analysis and information system security policies, incident handling, business continuity (backups, disaster recovery and crisis management), supply chain security, security in acquiring, developing and maintaining systems (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures, basic cyber hygiene practices and training, policies on cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate.
- Incident Reporting: Significant incidents must be reported in stages: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month.
- Governance: Management bodies are explicitly held accountable for compliance. They must approve the risk management measures, oversee their implementation, follow cybersecurity training themselves and can be held liable for infringements.
- Harmonized Penalties: Consistent maximum fines across member states, improving enforcement and creating stronger incentives for compliance. For essential entities, fines can reach at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, at least €7 million or 1.4% of turnover.
Why Does the NIS2 Directive Matter?
A major reason the NIS2 Directive matters to businesses is the risk of substantial fines, up to €10 million or 2% of worldwide turnover for essential entities, combined with the personal liability of management. Beyond fines, ignoring the directive could hurt a business's reputation and damage trust with customers and partners, which can be even harder to recover from. More importantly, NIS2 helps businesses become more resilient against cyber threats by providing a unified framework for their approach to cybersecurity.
How to get prepared for NIS2?
The first step to getting prepared for NIS2 is determining whether your organization falls under its scope. This depends on the sector you operate in, the size of the organization and the services you provide. As a general rule, medium-sized and large organizations (50 or more employees, or annual turnover or balance sheet above €10 million) in the listed sectors are in scope, while certain types of entity, such as DNS service providers, TLD name registries and trust service providers, are covered regardless of size. Review the sectors listed in the directive and consider whether your organization is classified as essential or important under its rules. Several online resources and national authorities provide guidance on identifying your classification.
For organizations that must comply, the requirements cover risk management measures, incident reporting timelines, supply chain security and management accountability.
The next step is a detailed gap analysis, which provides a roadmap for prioritizing actions and allocating resources efficiently, ensuring no critical area is overlooked. This process highlights what you are already doing well and where improvements are necessary. It generally involves reviewing policies, technologies and processes against each of the Article 21 measures and the reporting obligations.
After the gap analysis, the identified measures can be implemented, such as upgrading cybersecurity tools, improving monitoring and incident detection, training staff and management, revising policies and defining the incident reporting process so that the 24-hour and 72-hour deadlines can be met.
Tools and Resources
Ensuring compliance with the NIS2 Directive requires organizations to implement comprehensive cybersecurity measures, including staff training and incident response planning. RiskSight offers tools and resources to assist in these areas:
Cyber Awareness Training for NIS2
RiskSight provides tailored cyber awareness training programs designed to educate employees on the latest cybersecurity threats and best practices. These programs align with NIS2's emphasis on basic cyber hygiene and regular training, helping organizations meet compliance requirements. To get started with a customized cyber awareness program, visit our Cyber Security Awareness page.
Table-Top Exercises for NIS2
To enhance incident response capabilities, RiskSight facilitates table-top exercises that simulate cyber incidents. These exercises allow organizations to test and refine their response strategies, ensuring preparedness for real-world scenarios. This proactive approach supports NIS2’s mandate for effective incident handling and business continuity planning. To get started with planning table-top exercises, visit our Strategic Cybersecurity Exercises page.