NIS2 Guidelines Broken Down: Non-Negotiable for EU

Pansy


The risk of large-scale disruptions and data breaches has skyrocketed, exposing vulnerabilities in systems essential to our everyday lives. The NIS2 directive aims to strengthen cybersecurity frameworks and ensure organizations are better prepared to tackle these threats head-on.

The Network and Information Systems (NIS) 2 Directive isn’t just another boring compliance checklist. It introduces significant changes that impact industries ranging from energy and transportation to healthcare and digital infrastructure. 

The guidelines to implement this regulation can seem a little too complicated. But here’s the good news: we have broken down the directive into easy, actionable steps or tasks so you can comply with it effectively and not face its heavy penalties.

Let’s dive in. 

TL;DR

To comply with NIS2 guidelines, organizations must adopt security measures, ensure top management accountability, and have incident notification processes.

NIS2 mandates specific timelines for reporting cybersecurity incidents: early warnings within 24 hours, detailed notifications within 72 hours, and final reports within a month or upon resolution.

NIS2 allows businesses to map its requirements onto widely recognized standards like ISO 27001, SOC 2, and NIST CSF.

Three main pillars of the NIS2 directive

The main goal of the NIS2 Directive is to set common standards across all industries and businesses with respect to cybersecurity in the European Union. 

On a broader level, the NIS2 Directive has three main pillars:


1. Member state responsibilities

2. Risk management

3. Co-operation and information exchange

Of these three, only the risk management pillar imposes duties directly on organizations. It outlines three main responsibilities:

  • Accountability for top management: The senior leadership in an organization will be directly accountable for non-compliance with the NIS2 Directive. 
  • Mandatory security measures: If a business is under NIS2 scope, it is mandatory for them to adopt necessary security practices mentioned in the directive. 
  • Incident notification requirements: Any business must report cybersecurity incidents within the specified timeframes in the directive to avoid non-compliance. 

NIS2 guidelines for cybersecurity risk management 

As communicated by the European Commission, the guidelines for the application of Articles 4(1) and 4(2) of Directive (EU) 2022/2555, also known as the NIS 2 Directive, can be broken down into the following 7 key points. 


1. Draft cybersecurity policies

All entities and businesses that are under NIS2 scope must have well-documented policies for network security, incident handling, supply chain security, cryptography, and access control.

Furthermore, businesses have to make sure that each policy is approved by their senior management or risk management officials. The policies also have to be enforced, reviewed, and updated after any incident or significant change in the organization.

2. Implement risk management

The NIS2 Directive places risk management at its core. It does not end there; consider it good practice to adopt a strategic risk management framework like NIST SP 800-30 or ISO 31000 to get an effective roadmap.

Conduct business impact analyses (BIAs) to quantify how downtime or breaches could affect critical processes (think financial losses or reputational damage) and rigorously use vulnerability scanning tools and penetration testing tools to make sure nothing is missed.  

What should an ideal risk treatment plan contain? 

To comply with the directive, the risk treatment plans must include objectives, implementation timelines, and residual risk management. Address risks based on their severity and likelihood. The treatment plans can be broken down into three parts:

  1. Objectives: Clearly define what success looks like—for example, reducing ransomware exposure by 50% over 12 months.
  2. Implementation timelines: Create Gantt charts or use project management software like Asana or Jira to track milestones.
  3. Residual risk management: Not all risks can be eliminated. Mitigate remaining risks by purchasing cyber insurance or building redundancies into critical systems.

3. Conduct efficient incident handling

Under NIS2, incident handling must be swift, coordinated, and well-documented. Create a tiered system for classifying incidents:

  • Level 1: Minor issues (e.g., phishing attempts that didn’t succeed).
  • Level 2: Significant threats (e.g., malware detected but contained).
  • Level 3: Major crises (e.g., ransomware attack or data breach).

Use an incident response platform to automate detection, categorization, and response. Standardize the way incidents are logged using templates that include:

  • Nature of the incident (e.g., DDoS, insider threat).
  • Actions taken (containment measures, forensic investigations).
  • Lessons learned (what went wrong and how to prevent recurrence).

Furthermore, make sure that the Disaster Recovery Plan goes beyond system backups. For example, if a ransomware attack locks all the servers, do you have air-gapped backups or immutable storage solutions like AWS S3 Object Lock?

4. Focus on supply chain security

Supply chain security is about taking control of external risks. Track all third parties using tools like Sprinto or LogicGate to maintain a vendor inventory that records, for each vendor:

  • Security certifications (e.g., ISO 27001, SOC 2).
  • Compliance with contractual obligations.
  • Risk assessments (e.g., whether they conduct penetration tests).

NIS2 also outlines that the vendor or supplier contract should abide by an internal policy that includes minimum cybersecurity standards with regular audit requirements. The suppliers must also notify the business within 24 hours of a breach with proper incident reporting procedures. 

5. Align with popular regulatory standards 

One of the best parts about the NIS2 Directive is that it lets organizations map its requirements to popularly recognized standards like ISO 27001, SOC 2, NIST CSF, etc. So, if a business is already compliant with a few frameworks, they’re at an advantage here. 

Here’s some help:

Framework                          | Mapping to NIS2
ISO 27001:2022                     | 6.1, 6.1.2, 6.1.3, 6.2, 8.2, 8.3, A5.7, A.5.19, A.5.20, A.5.21
BE-CyFun® 2023                     | Basic: ID.GV-4.1, ID.RA-5.1
                                   | Important: ID.BE-4.1, ID.GV-4.2, ID.RA-5.2, ID.RA-6.1, ID.RM-1.1, ID.RM-2.1, ID.RM-3.1, ID.SC-2.1, ID.SC-3.1, PR.AC-7.1, DE.CM-6.2, RS.MI-1.1
                                   | Essential: ID.RA-5.3, ID.SC-1.1, PR.AC-1.5, DE.AE-4.1
NIST CSF v2.0                      | ID.RA-01, ID.RA-02, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, GV.RM-03, ID.RM-01, GV.RM-06, GV.RR-03, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04
FI-Kybermittari                    | CRITICAL-2, RISK-1, RISK-2, RISK-3, RISK-4, RISK-5, THIRD-PARTIES-2, WORKFORCE-3, WORKFORCE-4
ETSI EN 319 401                    | REQ 5, Clause 6.3
EL – Ministerial Decision 1027/2019 | Article 4 – paragraphs 3, 4
Cybersecurity Handbook             | Part A: 2, Self-assessment tool: 1.15, 1.16, 1.17, 1.18, 1.19
CEN/TS 18026:2024                  | OIS-01, RM-01, RM-02, RM-03
ES – Royal Decree 311/2022         | Article 7, Article 14

(Source: ENISA, the EU Agency for Cybersecurity)

6. Assign roles and accountability

The NIS2 directive mandates that all entities within its scope assign clear roles and accountability practices for proper risk governance. Having clearly defined roles also makes incident handling easier since there is no time for confusion during a crisis.

Ensure segregation of duties

Prevent conflicts of interest by ensuring tasks are divided. For instance, the person who configures firewalls should not be the one auditing them. Similarly, a CISO should have oversight but not operational responsibility.

Do businesses need role-specific training?

Yes. Provide customized training programs for each role. For example, a SOC analyst might need threat-hunting skills, while a compliance officer might focus on regulatory requirements.

7. Monitor and review compliance

Compliance isn’t a destination; it’s an ongoing journey. As the threat landscape evolves, policies and security controls need to evolve, too. What is implemented now might not be relevant a year later. 

To cope with this, NIS2 highlights the need for periodic reviews, independent audits, and tools for automated monitoring. 

How do I automate the monitoring of my security infrastructure with NIS2 compliance?

For starters, one needs infrastructure monitoring software like Datadog or Sentry to monitor network traffic, detect anomalies, and flag potential threats in real time. But these tools won’t conduct checks against NIS2 compliance requirements. That’s where tools like Sprinto step in.

Sprinto bridges the gap by automating compliance checks and monitoring all the controls under NIS2 while incorporating evidence from vendors, suppliers, incident management platforms, vulnerability scanners, etc. 


NIS2 guidelines around reporting obligations

The NIS2 directive offers very specific directions around incident reporting. For example, it lays down guidelines on when and how an organization must provide warnings and notifications in case of any incidents. Here’s how it should be done:

1. Early warning (within 24 hours)

Issue an early warning to the relevant stakeholders and authorities. This warning informs all parties about the type of incident, which systems are affected, and the nature of the threats or risks. It also serves as a precursor for fast acknowledgment by the authorities and stakeholders, so that the affected parties can start assessing the potential implications.

2. Incident notification (within 72 hours)

Within 72 hours of detecting the incident, a more detailed report must follow. This notification should expand on the early warning, including:

  • A timeline of events leading up to the incident.
  • Preliminary findings regarding its cause and scope.
  • Immediate mitigation measures undertaken to contain the issue.
  • Any suspected links to broader threats or vulnerabilities, such as third-party supplier involvement.

Templates for documentation and pre-assigned escalation roles can greatly streamline this process, ensuring nothing critical is overlooked.

3. Final report (within one month or upon resolution)

The final stage involves submitting a comprehensive report detailing the process. This report should highlight:

  • Root cause analysis and how the incident was resolved.
  • Lessons learned and steps taken to prevent recurrence.
  • Evidence of recovery and restoration efforts, including system testing and validation.
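The three-stage reporting procedure above is easy to describe and easy to miss under pressure, so it helps to encode the deadlines and the required contents of each report as a checklist the incident response team can run against an open incident. The following Python tracker is an added example written for this article, not code from the original post or from Sprinto: it derives the 24-hour, 72-hour and final-report deadlines from the detection time (the "one month" window is modelled as 30 days, and "upon resolution" as the earlier of the resolution time and that window, both assumptions), records which fields each submitted report contained, and flags each stage as on time, late, incomplete, pending or overdue. The field names and the sample incident are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Deadlines as stated in the article. "One month" is modelled as 30 days (assumption).
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}

# Contents each stage must carry, taken from the article's bullet lists.
# The field identifiers are constructed for this example.
REQUIRED_FIELDS = {
    "early_warning": {"incident_type", "affected_systems", "threat_nature"},
    "notification": {"timeline", "preliminary_findings", "mitigation_measures", "related_threats"},
    "final_report": {"root_cause", "lessons_learned", "recovery_evidence"},
}


@dataclass
class Incident:
    detected_at: datetime
    resolved_at: datetime | None = None
    # stage -> (submission time, fields the submitted report contained)
    submitted: dict[str, tuple[datetime, set[str]]] = field(default_factory=dict)


def deadlines(inc: Incident) -> dict[str, datetime]:
    """Absolute due time per stage, counted from detection."""
    due = {stage: inc.detected_at + delta for stage, delta in DEADLINES.items()}
    # "Within one month or upon resolution": whichever comes first (assumption).
    if inc.resolved_at is not None and inc.resolved_at < due["final_report"]:
        due["final_report"] = inc.resolved_at
    return due


def stage_status(inc: Incident, stage: str, now: datetime) -> dict:
    """Classify one reporting stage: pending, overdue, incomplete, late or on_time."""
    due = deadlines(inc)[stage]
    submission = inc.submitted.get(stage)
    if submission is None:
        state = "overdue" if now > due else "pending"
        missing = sorted(REQUIRED_FIELDS[stage])
    else:
        sent_at, fields = submission
        missing = sorted(REQUIRED_FIELDS[stage] - fields)
        if missing:
            state = "incomplete"      # filed, but the report lacks mandatory content
        elif sent_at > due:
            state = "late"            # complete, but filed after the deadline
        else:
            state = "on_time"
    return {"stage": stage, "due": due, "state": state, "missing": missing}


def report_status(inc: Incident, now: datetime) -> dict[str, dict]:
    return {stage: stage_status(inc, stage, now) for stage in DEADLINES}


# Constructed sample: detected 08:00 UTC on 1 Dec 2024, not yet resolved.
# The early warning was complete and timely; the 72-hour notification was filed
# in time but omitted the supplier/related-threat field; no final report yet.
_T0 = datetime(2024, 12, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENT = Incident(
    detected_at=_T0,
    submitted={
        "early_warning": (_T0 + timedelta(hours=12), set(REQUIRED_FIELDS["early_warning"])),
        "notification": (
            _T0 + timedelta(hours=49),
            {"timeline", "preliminary_findings", "mitigation_measures"},
        ),
    },
)
NOW = datetime(2024, 12, 20, 9, 0, tzinfo=timezone.utc)
LATER = datetime(2025, 1, 5, 9, 0, tzinfo=timezone.utc)  # after the 30-day window


if __name__ == "__main__":
    for stage, status in report_status(SAMPLE_INCIDENT, NOW).items():
        print(f"{stage:14} due {status['due']:%Y-%m-%d %H:%M}  {status['state']:10} missing={status['missing']}")
```

Running the block on the sample prints the early warning as on time, the notification as incomplete (missing `related_threats`), and the final report as pending with its 31 December due date; re-running with `LATER` in place of `NOW` turns the final report overdue. Setting `resolved_at` on the incident pulls the final-report deadline forward to the resolution time.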

Assessing your current state: Should you consider an NIS2 compliance assessment?

If you fall under the NIS2 scope, meaning you operate your business in the EU region and meet the directive’s size or sector criteria, you should definitely consider doing an NIS2 compliance assessment to determine your current standing. This will not only help you identify gaps in your cybersecurity measures but also give you a ballpark of how much more there is to be done.

What is the best way to assess your current state against the security controls of the NIS2 directive? A GRC tool. 

A GRC (Governance, Risk, and Compliance) automation tool like Sprinto provides a holistic dashboard for assessing your NIS2 compliance status. 

With Sprinto, you can easily map your existing controls to NIS2 requirements, track due tests, and ensure all critical security measures are in place. The platform’s intuitive interface makes it simple for you to align policies, document evidence, and monitor ongoing compliance efforts without the need for manual tracking or additional tools. 

Bonus: If you’re already compliant with other frameworks like SOC 2 or ISO 27001, Sprinto helps you significantly reduce the time and effort you need to get NIS2 certified. See a quick demo to see how Sprinto can get you NIS2 certified in record time.


Frequently asked questions

1. What is the NIS2 directive?

The NIS2 Directive is the updated version of the original NIS Directive (2016), issued by the European Union to strengthen the cybersecurity posture of its member states. It aims to enforce stricter compliance measures, including supply chain security and risk management practices.

2. Who does the NIS2 Directive apply to?

The NIS2 directive applies to entities with operations in the EU, regardless of where they are headquartered, if they meet the size or sector requirements. It defines its scope in terms of essential entities and important entities:

  • Essential entities: Organizations operating in critical sectors such as energy, transport, health, financial markets, and digital infrastructure.
  • Important entities: Businesses providing services like postal services, manufacturing of critical products, and digital services (cloud providers, online marketplaces).

3. How much time does it take to implement NIS2?

The time required to implement NIS2 will depend on your organization’s size, sector, and existing cybersecurity posture. A ballpark estimate would be:

  • Small to Medium Organizations: 6-12 months.
  • Large Enterprises: 12-24 months or longer for complex infrastructures.

Here’s a better breakdown:

Phase                              | Duration
Assessment and Planning            | 1-3 months
Implementation                     | 6-12 months
Testing and Observing Effectiveness | 1-3 months
Compliance Maintenance             | Ongoing

4. What are the penalties for non-compliance with NIS2?

Penalties for non-compliance with NIS2 directive can include:

  • Fines: Up to €10 million or 2% of the organization’s global annual turnover, whichever is higher.
  • Operational restrictions: Suspension of activities or services.
  • Legal Consequences: Directors and managers can face individual accountability for failing to meet compliance obligations.

Pansy is an ISC2 Certified in Cybersecurity content marketer with a background in Computer Science engineering. Lately, she has been exploring the world of marketing through the lens of GRC (Governance, risk & compliance) with Sprinto. When she’s not working, she’s either deeply engrossed in political fiction or honing her culinary skills. You may also find her sunbathing on a beach or hiking through a dense forest.
