NIS2: The Rules For Cybersecurity Have Just Changed, And How

Heer Chheda

Oct 30, 2024
NIS2 Directive

With cyber threats on the rise in vital sectors like energy, healthcare, finance, and transportation, the European Union (EU) recognized the urgency of addressing these risks. In 2016, they introduced the NIS Directive to lay the groundwork for enhancing cybersecurity across member states. 

However, as time went on, it became clear that the directive had its limitations. Many organizations struggled with inconsistent enforcement, and the focus was primarily on large operators of essential services, leaving gaps in protection.

To tackle these challenges, the EU introduced NIS2, which builds upon the original directive. This updated framework broadens the scope significantly, now including medium-sized organizations and additional critical sectors. One of the key aspects of NIS2 is its emphasis on holding management accountable for cybersecurity governance. 

As you read this, there’s a chance that the deadline for EU member states to transpose NIS2 into their national laws may have already passed. But there’s much more context and nuance to understanding the NIS2 Directive than simply implementing it. 

NIS2 is here: why did we need another directive?

When the first NIS Directive was introduced in 2016, it was a significant step forward for the EU’s cybersecurity landscape. The aim was clear—to improve the protection of networks and information systems in critical sectors. However, while it provided a solid foundation, it didn’t quite keep pace with the changing nature of cyber threats.

One of the NIS Directive’s biggest shortcomings was its narrow focus. It primarily targeted large operators of essential services and a handful of digital service providers, leaving several vital sectors without the regulation they desperately needed.

Additionally, the old directive struggled with inconsistent enforcement. Each EU member state could define essential services however they deemed fit, leading to fragmented protection measures that differed significantly across borders. This lack of cohesion ultimately weakened the directive’s overall effectiveness.

In response to these shortcomings, NIS2 aims to fill those gaps by broadening its reach and including medium-sized organizations and sectors that were previously overlooked. 

NIS2’s Annex I and II

NIS2 not only broadens the sectors covered by the NIS Directive, but also introduces a critical classification system for entities, categorizing them as either essential or important.

Annex I focuses on essential entities that are subject to proactive supervision. These larger organizations, operating in critical sectors such as energy, healthcare, and digital infrastructure, are recognized for their vital roles in maintaining societal security and stability. Because of their importance, they face stringent scrutiny and are required to adhere to stronger cybersecurity measures than entities listed under Annex II.

Essential sectors under Annex I

  1. Energy
    • Includes electricity, oil, gas, district heating, and hydrogen.
  2. Transport
    • Covers air, rail, water, and road transport.
  3. Banking
    • Encompasses credit institutions and financial market infrastructures.
  4. Health
    • Involves healthcare providers, including hospitals and laboratories.
  5. Drinking Water
    • Addresses the supply and distribution of drinking water.
  6. Wastewater
    • Focuses on the treatment and management of wastewater.
  7. Digital Infrastructure
    • Involves data centers, cloud computing services, and internet exchange points.
  8. Public Administration
    • Covers government services that rely on digital systems.
  9. Space
    • Encompasses satellite communications and other space-related services.

In contrast, Annex II covers important entities that are subject to reactive supervision. These medium-sized enterprises, operating in sectors such as postal services and waste management, play vital roles in maintaining operational integrity but do not face the same level of scrutiny unless a security incident occurs. 

Important sectors under Annex II

  1. Digital Providers
    • Includes social media platforms and search engines.
  2. Postal Services
    • Encompasses courier and mail delivery services.
  3. Waste Management
    • Involves the management of solid waste and recycling services.
  4. Manufacturing
    • Covers industries that produce goods, particularly those with critical components.
  5. Food Production
    • Encompasses sectors involved in food safety and supply chains.
  6. Chemicals
    • Includes the manufacturing and distribution of chemicals essential for various industries.

What’s new in NIS2? 

NIS2 has a significant impact on organizations by transforming the way cybersecurity is approached across essential sectors. With stricter regulations in place, entities in areas like energy, healthcare, and digital infrastructure are now required to step up their cybersecurity measures. 

This means they must implement thorough risk management strategies, improve their incident reporting processes, and pay closer attention to supply chain security. While this shift can be challenging—bringing potential increases in operational costs and the need for ongoing employee training—it’s ultimately about creating a culture of resilience.

Nevertheless, this should not be a deterrent, as it also opens the door to improving your defenses against cyber attacks.

Here’s what has changed.

Incident reporting 

One of the most significant changes under NIS2 is the mandatory 24-hour incident reporting rule. Organizations must notify the relevant authorities of significant cyber incidents within 24 hours of detection.

This control represents a substantial shift from the original NIS Directive, which allowed for more lenient and varied reporting timelines across EU member states. Now, organizations have clear obligations, with significant penalties for failure to comply. This shift requires companies to have strong incident detection systems in place and well-defined incident response protocols.

Risk management and governance 

The directive mandates that organizations establish comprehensive risk management frameworks that identify and mitigate cybersecurity risks internally and extend to the broader sector. Significantly, senior management is now legally accountable for ensuring compliance with NIS2. This means that leadership teams could face financial and legal repercussions for shortcomings in cybersecurity governance.

This heightened level of accountability guarantees that risk management is woven into the fabric of corporate governance frameworks, ensuring it receives the attention and resources it deserves.

Supply chain 

Perhaps one of NIS2’s most transformative elements is its emphasis on supply chain security. Cybersecurity can no longer be confined to an organization’s internal systems. Instead, businesses must now ensure that their entire supply chain is protected against cyber risks. This includes not only direct suppliers but also any third-party vendors that interact with critical data or services.

NIS2 requires organizations to conduct thorough risk assessments of their supply chains, ensuring that all partners and vendors adhere to established cybersecurity standards. This proactive approach acknowledges that cyberattacks often exploit vulnerabilities in less secure suppliers as a gateway to infiltrate larger, more fortified organizations.

Business continuity 

One of the critical mandates of NIS2 is its strong focus on business continuity. The directive pushes organizations to not only develop but also rigorously maintain plans that ensure their essential services remain operational in the face of disruptions.

It’s not just about having a plan on paper—it’s about implementing strategies for data protection, disaster recovery, and maintaining key functions during crises.

Acquisition and system maintenance 

NIS2 goes beyond the basics of securing internal systems by stressing the need for security integration across the entire lifecycle of network and information systems. From acquisition and development to ongoing maintenance, security measures must be woven into every phase. This means adopting secure development practices, regularly patching vulnerabilities, and keeping systems updated.

Security measures 

NIS2 mandates that organizations regularly assess the effectiveness of their cybersecurity measures, ensuring that security policies and procedures remain relevant in the face of evolving threats. This involves periodic evaluations to detect any gaps or outdated practices that could leave the organization vulnerable. 

Cyber hygiene 

NIS2 places a strong emphasis on fostering a culture of cybersecurity awareness. This involves not only periodic training to help employees recognize threats like phishing but also reinforcing the importance of quickly reporting suspicious activities. Practical steps, such as enforcing strong password policies and organizing regular cybersecurity drills, are also part of the directive and drive security.

Cryptography and encryption policies 

NIS2 mandates the use of strong cryptographic practices to protect sensitive information, both in transit and at rest. Organizations should implement end-to-end encryption and secure remote access solutions to safeguard data from unauthorized access. Policies must be established regarding the use of cryptography, ensuring that sensitive data is adequately protected against cyber threats. 

This includes using virtual private networks (VPNs) and zero-trust network access (ZTNA) to secure communications.

Access control and asset management

Organizations must establish clear procedures for onboarding and offboarding employees, ensuring that access rights are promptly adjusted when personnel changes occur. Implementing least-privilege access principles helps limit exposure to sensitive information and reduces the potential impact of credential compromise.

Multi-factor Authentication 

Multi-factor Authentication (MFA) is a vital measure for enhancing the security of user accounts. By requiring multiple forms of verification, organizations significantly reduce the likelihood of unauthorized access. This could involve a combination of passwords, security tokens, or biometric verification.

There are clear similarities between ISO 27001 and NIS2. The controls you implement for ISO 27001 can significantly help with NIS2 compliance. It’s also important to note that ISO 27001 isn’t the only framework that shares overlapping controls with NIS2.

ISO 27001 and NIS2: Understanding the technical overlap

Many professionals have recognized significant overlaps between NIS2 and ISO 27001, highlighting how these frameworks can complement each other in bolstering cybersecurity practices. For instance, both frameworks emphasize the need for robust incident management. NIS2’s mandatory 24-hour incident reporting aligns closely with the structured processes outlined in Annex A.16 of ISO 27001, which focuses on effectively addressing security events.

Moreover, NIS2 holds management directly accountable for cybersecurity failures, contrasting with ISO 27001, which encourages leadership involvement without imposing the same level of legal obligation. 

Supply chain security is another area where these frameworks intersect. NIS2 requires organizations to conduct comprehensive assessments of their suppliers’ cybersecurity practices, reflecting the principles in Annex A.15 of ISO 27001. 

Additionally, NIS2’s focus on business continuity closely aligns with Annex A.17 of ISO 27001, which underscores the importance of maintaining essential functions during disruptions. NIS2 specifically addresses the resilience of essential services within a regulatory framework, ensuring that organizations are prepared for various types of incidents that could impact critical operations.

So does NIS2 render ISO 27001 obsolete? 

No, NIS2 does not render ISO 27001 obsolete. In fact, the two frameworks can work hand-in-hand. While NIS2 provides a regulatory baseline for cybersecurity in critical sectors, ISO 27001 offers a more comprehensive and internationally recognized framework that extends beyond the specific mandates of NIS2. 

ISO 27001 is particularly beneficial for organizations operating across multiple countries and industries, where NIS2 might not apply directly. While NIS2 focuses on legal requirements within the EU, ISO 27001 supports wider business goals such as trust, international reputation, and business resilience.

The fundamental distinction between NIS2 and ISO 27001 lies in their enforceability. NIS2 is a legally binding directive issued by the European Union, mandating compliance for organizations operating in essential and important sectors, such as energy, healthcare, and digital infrastructure. Failure to comply can result in substantial fines and legal consequences for senior management. 

ISO 27001, on the other hand, is an internationally recognized voluntary framework that provides a structured approach for managing information security risks.

ISO 27001 serves as an enabler for NIS2. 

GDPR and NIS2: The overlapping geography 

Since both the General Data Protection Regulation (GDPR) and the NIS2 Directive come from the European Union, it’s understandable that there might be some confusion about their respective scopes and overlaps. At a high level, while GDPR’s focus is on protecting personal data, NIS2 is designed to secure essential services. 

We see an intersection in their approaches to supply chain security. GDPR mandates that organizations ensure their third-party processors are compliant with data protection standards, while NIS2 goes a step further by requiring detailed assessments of cybersecurity practices throughout the entire supply chain. 

GDPR’s breach notification requirement mandates a response within 72 hours, while NIS2 defines a more stringent 24-hour incident reporting mandate.

GDPR and NIS2 both stress the importance of accountability. While GDPR emphasizes the need for data controllers and processors to be responsible for compliance, NIS2 imposes legal obligations on top management, holding them directly accountable for failures in cybersecurity.

Why do you need both?

For companies operating in the EU, NIS2 and GDPR are both regulatory mandates enforced by the EU. In this sense, they complement one another.

GDPR emphasizes the management of data, focusing on how organizations handle personal information, while NIS2 prioritizes the protection of the systems that manage that data, ensuring the integrity and security of the infrastructure supporting these processes.

A data breach can trigger violations of both GDPR and NIS2, necessitating reporting under each framework. By establishing a strong cybersecurity framework—anchored in GDPR—organizations can significantly reduce the risk of data breaches and, consequently, violations of both.

While GDPR is the more stringent of the two, NIS2 complements these efforts by providing a solid foundation for implementing necessary controls and measures to safeguard the systems managing that data.

NIS2 is a relatively new framework, what blockers can you expect?

NIS2 is still relatively new, and it’s understandable that organizations might have reservations or concerns as they work to comply with its requirements. There are indeed potential blockers—whether it’s confusion over how to interpret specific aspects of the regulation or concerns about balancing regulatory obligations with day-to-day operations. 

It often just takes a nudge about the personal liabilities tied to non-compliance for leadership to fully grasp the urgency. 

Another challenge stems from the lack of detailed technical requirements in the directive itself. While NIS2 outlines necessary governance structures and reporting obligations, it falls short of providing explicit instructions on implementing technical cybersecurity measures. This vagueness leaves organizations struggling to interpret the requirements effectively.

This ambiguity could also lead to disruptions during an audit, as auditors would have varying standards for evaluating compliance, because NIS2 can be transposed differently across EU member states.

That being said, the NIS2 Directive recognizes that one-size-fits-all security measures are no longer sufficient. Companies must tailor their security strategies to their own risks, incorporating best practices from established frameworks like ISO 27001 or GDPR.

Heer Chheda
Heer is a content marketer at Sprinto. With a degree in Media, she has a knack for crafting words that drive results. When she’s not breaking down complex cyber topics, you can find her swimming or relaxing by cooking a meal. A fan of geopolitics, she’s always ready for a debate.
