DataHub Consulting, Experts in Analytics, Business Intelligence, and Compliance

Date: 13 July 2024

The EU NIS 2 Directive (Network and Information Systems) is a cornerstone of the European Union’s (EU) cybersecurity strategy, designed to enhance the security and resilience of critical infrastructure. The EU’s original NIS cybersecurity rules were introduced in 2016. With the introduction of NIS 2, the directive has been updated to address evolving cybersecurity threats and improve the overall framework. This blog will delve into the essential aspects of NIS 2, including its objectives, scope, impact, and practical implementation. Organizations that are considered medium to large entities will need to comply with NIS 2.

NIS 2 is the updated version of the original NIS Directive, established in 2016. It aims to strengthen cybersecurity across the EU by setting out a framework for member states to enhance the security of their network and information systems. The directive applies to both public and private sectors, focusing on operators of essential services (OES) and digital service providers (DSPs). The goal is to ensure a high level of security and resilience across critical infrastructures, including energy, transport, banking, financial market infrastructures, health, water supply, and digital infrastructure.

The NIS 2 Directive came into force on 16 January 2023, but the EU member states have until 17 October 2024 to transpose the directive into national law.

NIS 2 has several key objectives that build upon the foundations of the original directive:

  • Enhanced Security Requirements
    NIS 2 introduces stricter security requirements for OES and DSPs, ensuring they implement appropriate and proportionate security measures.
  • Incident Reporting
    It mandates a more robust incident reporting mechanism to ensure timely and effective responses to cybersecurity incidents.
  • Harmonization
    The directive seeks to harmonize cybersecurity standards and practices across member states to reduce fragmentation.
  • Expanded Scope
    It broadens the scope of entities covered, including more sectors and types of services critical to the economy and society.
  • Strengthened Cooperation
    NIS 2 enhances cooperation between member states and the EU to foster a more coordinated response to cybersecurity threats.

The supervisory authority under NIS 2 varies by member state but generally involves a national competent authority (NCA) responsible for overseeing the implementation and enforcement of the directive. These authorities ensure compliance with NIS 2, coordinate incident response, and facilitate cooperation among stakeholders. Examples include the National Cyber Security Centre (NCSC) in the UK and the Federal Office for Information Security (BSI) in Germany.

While NIS 1 laid the foundation for cybersecurity in the EU, NIS 2 builds upon it with significant enhancements and changes to address the evolving cyber threat landscape. Here are the key differences:

1. Expanded Scope

  • NIS 1: Focused primarily on operators of essential services (OES) such as energy, transport, banking, and healthcare, as well as digital service providers (DSPs) like online marketplaces, search engines, and cloud computing services.
  • NIS 2: Broadens the scope to include additional sectors and services that are deemed essential or important. This includes:
    • Essential Entities: Energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, public administration, and space.
    • Important Entities: Postal and courier services, waste management, chemicals, food production, manufacturing of medical devices and critical products, among others.

2. Stricter Security Requirements

  • NIS 1: Required OES and DSPs to take appropriate and proportionate security measures based on risk assessment.
  • NIS 2: Mandates more stringent and specific security measures. Entities must implement comprehensive risk management practices, including:
    • Incident Prevention: Measures to prevent cyber incidents from occurring.
    • Incident Detection and Response: Systems to detect and respond to incidents promptly.
    • Continuity of Services: Ensuring the continuity and availability of essential services.
    • Supply Chain Security: Emphasis on securing the supply chain to mitigate risks posed by third-party vendors.

3. Enhanced Reporting Obligations

  • NIS 1: Required entities to report significant incidents to the relevant national authorities.
  • NIS 2: Introduces more detailed and stringent reporting obligations. Entities must:
    • Report significant incidents promptly and comprehensively.
    • Provide additional information on the nature, cause, and impact of incidents.
    • Include information on any mitigation measures taken or planned.

4. Stronger Supervision and Enforcement

  • NIS 1: Established national competent authorities to oversee the implementation and enforcement of the directive.
  • NIS 2: Strengthens the supervisory framework with:
    • Increased Powers for Authorities: National authorities are granted broader powers to enforce compliance, including the ability to conduct audits and inspections.
    • Stricter Penalties: Introduction of harsher penalties for non-compliance, including significant administrative fines.
    • Peer Reviews: Implementation of peer reviews among member states to ensure a harmonized approach and to learn from best practices.

5. Improved Cooperation and Information Sharing

  • NIS 1: Encouraged cooperation among member states through the creation of the Cooperation Group and the CSIRTs Network.
  • NIS 2: Enhances these cooperation mechanisms:
    • Cooperation Group: Plays a more active role in strategic cooperation and information exchange.
    • CSIRTs Network: Strengthened to improve operational cooperation, including joint responses to cross-border incidents.
    • EU-CyCLONe: Establishment of the European Cyber Crises Liaison Organisation Network to support coordinated management of large-scale cybersecurity incidents at the EU level.

The key components of NIS 2 include:

  • Security Measures
    Organizations must implement technical and organizational measures to manage risks and protect their network and information systems.
  • Incident Reporting
    Entities are required to report significant incidents to the relevant authorities promptly.
  • Risk Management
    A risk-based approach is emphasized, requiring organizations to assess and mitigate cybersecurity risks.
  • Supply Chain Security
    NIS 2 stresses the importance of securing the supply chain, including third-party service providers.
  • Cooperation and Information Sharing
    Enhanced mechanisms for cooperation and information sharing between member states and the EU.

NIS 2 applies to all member states of the EU, covering organizations that operate within the EU’s territory. It has a broad territorial scope, encompassing entities that provide essential services or digital services within the EU, regardless of where the organization is headquartered.

Although the UK is no longer an EU member, UK businesses can still be affected by NIS 2 if they operate within the EU or provide services to EU customers. The UK has its own cybersecurity regulations, but companies must comply with NIS 2 requirements when engaging with the EU market.

Organizations within the EU must comply with the enhanced security and incident reporting requirements of NIS 2. This includes implementing robust cybersecurity measures, conducting risk assessments, and reporting significant incidents to the relevant authorities. Non-compliance can result in significant penalties and reputational damage.

Non-EU organizations that provide essential or digital services within the EU must also comply with NIS 2. This means implementing similar security measures and incident reporting protocols as EU-based entities. The directive ensures that these organizations are held to the same standards, promoting a unified approach to cybersecurity.

Under the EU NIS 2 Directive, organizations are classified by their industry or sector. Business entities can be categorized as Essential or Important. This classification is based on the criticality of the services they provide and their potential impact on the economy, society, and public security if disrupted.
So let’s have a look at the differences between essential and important entities:

Key Differences

Impact Level
The main difference lies in the potential impact of their disruption. Essential entities affect broader and more critical aspects of public life and the economy, whereas important entities have a narrower scope of impact.

Regulatory Intensity
Essential entities are held to higher standards and more comprehensive regulatory scrutiny, reflecting their higher criticality. Important entities, while regulated, have comparatively lighter obligations.

Sector Inclusion
The sectors considered essential are typically those that, if compromised, would result in immediate and severe consequences for public health and safety, while important entities belong to sectors where disruptions would cause inconvenience and economic disruption but are less likely to pose immediate threats to life and critical societal functions.

Essential Entities

Higher Criticality
Essential entities are those whose disruption would have a significant impact on public safety, public health, and economic and societal activities. These entities typically provide services that are crucial for the functioning of the economy and society.

Stricter Obligations
Essential entities are subject to more stringent cybersecurity requirements and regulatory oversight. They must implement advanced security measures, regularly assess risks, and ensure robust incident response capabilities.

Sectors Covered:

  • Energy (electricity, gas & oil, and hydrogen)
  • Drinking water
  • Waste water
  • Transportation (air, rail, water, road)
  • Banking
  • Financial services
  • Digital infrastructure (Internet nodes; DNS service providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; providers of public electronic communication networks and public electronic communication services)
  • ICT service management
  • Governments (central, as well as regional, the latter only risk-based, but excluding defense or national security and law enforcement, as well as the judiciary, parliaments, and central banks)
  • Healthcare (hospitals, laboratories, manufacturers of medical devices, pharmaceuticals etc)
  • Space

Important Entities

Moderate Criticality
Important entities, while still crucial, have a lower potential impact compared to essential entities. Disruptions in their services would be significant but not as devastating.

Lighter Obligations
These entities face less stringent cybersecurity requirements. They must still implement security measures and report incidents, but the regulations are not as rigorous as those for essential entities.

Sectors Covered:

  • Postal and courier services
  • Waste management
  • Accounting companies
  • Digital providers (online marketplaces, online search engines and social networking platforms)
  • Research organisations (excluding education)
  • Production and distribution of chemicals
  • Wholesale and industrial food production and processing
  • Manufacturing of electrical equipment, motor vehicles, machinery and equipment

The EU NIS 2 Directive has a profound impact on businesses, requiring them to invest in cybersecurity infrastructure and processes. Key impacts include:

  • Increased Costs
    As with EU GDPR compliance, a gap analysis would be undertaken to identify where the organization currently stands against NIS 2, and the measures to be put in place on an action plan to become compliant. The cost would be dependent on the outcome of the gap analysis. If the organization is already ISO 27001 certified, the gaps and cost should be minimal.
  • Operational Changes
    Businesses may need to alter their operational practices to align with NIS 2 requirements. Embedding the higher level of security into the day-to-day operations of the business is essential. Operational staff may need awareness training as part of the implementation.
  • Enhanced Security Posture
    Adhering to NIS 2 can improve an organization’s overall security posture, reducing the risk of cyber incidents.
  • Legal and Regulatory Scrutiny
    Companies face increased scrutiny from regulatory authorities, necessitating robust compliance strategies. Audits could be introduced especially for Essential entities.

The implementation of NIS 2 is a significant undertaking for businesses, requiring a comprehensive approach to cybersecurity. Here’s a step-by-step guide to help businesses navigate the process:

1. Understand the Scope and Requirements

Identify Applicability: Determine if your business falls under the essential or important entities defined by NIS 2. Sectors such as energy, transport, health, digital infrastructure, and more are included.

Familiarization with Requirements: Review the specific security measures and reporting obligations outlined in NIS 2. These include risk management, incident handling, supply chain security, and timely incident reporting.

2. Conduct a Risk Assessment (Gap Analysis)

Evaluate Current Security Posture: Perform a thorough risk assessment of your existing network and information systems. Identify vulnerabilities, potential threats, and the impact of various cyber incidents.

Prioritize Risks: Based on the assessment, prioritize the risks that need immediate attention. Focus on those that could significantly impact the continuity and security of your services.

3. Develop and Implement a Cybersecurity Strategy

Create a Comprehensive Plan: Develop a cybersecurity strategy that addresses the identified risks. This plan should include technical and organizational measures tailored to your specific risk profile.

Deploy Security Controls: Implement necessary security controls such as firewalls, intrusion detection systems, encryption, and access management. Ensure these measures are appropriate and proportionate to the risks identified.

4. Strengthen Incident Response Capabilities

Establish an Incident Response Team: Form a dedicated incident response team (IRT) that is trained and equipped to handle cybersecurity incidents effectively.

Develop Incident Response Plans: Create detailed incident response plans that outline the steps to be taken in the event of a cyber incident. Ensure these plans include communication protocols, containment strategies, and recovery processes.

Conduct Drills and Simulations: Regularly conduct incident response drills and simulations to test the effectiveness of your plans and to train your team. This helps in identifying gaps and improving response strategies.

5. Secure the Supply Chain

Assess Suppliers and Partners: Evaluate the cybersecurity practices of your suppliers and partners. Ensure they meet the security standards required by NIS 2.

Incorporate Security in Contracts: Include cybersecurity requirements in contracts with suppliers and partners. This ensures they are legally bound to comply with your security policies.

Monitor and Audit: Continuously monitor and audit the security practices of your supply chain. This helps in identifying and mitigating risks that may arise from third-party relationships.

6. Establish Reporting Mechanisms

Set Up Reporting Channels: Establish clear channels for reporting cybersecurity incidents to the relevant national authorities. Ensure your team is aware of the reporting procedures and timelines mandated by NIS 2.

Create Internal Reporting Processes: Develop internal processes for incident reporting and documentation. This includes maintaining records of incidents, responses, and lessons learned.

7. Engage with Supervisory Authorities

Build Relationships: Develop a proactive relationship with the designated national supervisory authorities. This can facilitate smoother compliance and quicker resolution of any issues that arise.

Participate in Peer Reviews: Engage in the peer review process introduced by NIS 2. This can provide valuable insights and help in benchmarking your cybersecurity practices against other entities.

8. Educate and Train Employees

Cybersecurity Awareness: Implement ongoing cybersecurity awareness programs for all employees. This helps in creating a security-conscious culture within the organization.

Specialized Training: Provide specialized training for staff involved in managing and implementing cybersecurity measures. This ensures they have the necessary skills and knowledge to handle their responsibilities effectively.

9. Monitor and Update

Continuous Monitoring: Implement continuous monitoring of your network and information systems to detect and respond to threats in real-time.

Regular Reviews and Updates: Periodically review and update your cybersecurity policies and practices. This ensures they remain effective in the face of evolving threats and changing regulatory requirements.

10. Allocate Resources

Budget for Cybersecurity: Ensure adequate budget allocation for cybersecurity measures. This includes investments in technology, training, and personnel.

Leverage External Expertise: Consider engaging external cybersecurity experts or consultants to assist with the implementation and maintenance of your cybersecurity strategy.

Under NIS 2, data breaches and significant cybersecurity incidents must be reported to the relevant national authorities without undue delay. The directive specifies timelines and protocols for incident reporting, ensuring that authorities can respond promptly and effectively. Reporting includes providing detailed information about the incident, its impact, and the measures taken to mitigate it.

Q: What sectors are covered by NIS 2?

A: NIS 2 covers a broad range of sectors, including energy, transport, banking, health, water supply, and digital infrastructure. Refer to the section above entitled: The difference between essential and important entities.

Q: What are the penalties for non-compliance?

A: Penalties vary by member state but can include substantial fines and other administrative sanctions.

Q: How does NIS 2 improve cybersecurity?

A: By setting higher security standards, mandating incident reporting, and enhancing cooperation across the EU, NIS 2 significantly strengthens cybersecurity resilience.

Q: Do small businesses need to comply with NIS 2?

A: NIS 2 primarily targets medium and large-sized entities, but small businesses involved in critical sectors may also be affected.

NIS 2 represents a significant step forward in enhancing the EU’s cybersecurity framework. By expanding the scope, increasing security requirements, and fostering better cooperation, the directive aims to protect critical infrastructure from evolving cyber threats. Businesses operating within the EU or serving EU customers must prioritize compliance with NIS 2 to ensure they meet these rigorous standards.

For a comprehensive understanding of NIS 2, refer to the official directive text available on the European Union’s legislative website: EUR-Lex – 52020PC0823 – EN – EUR-Lex (europa.eu).

Specific NIS 2 articles relevant to this blog include:

  • Article 1: Scope and Objectives
  • Article 2: Definitions
  • Article 3: Security Requirements
  • Article 4: Incident Reporting
  • Article 5: Supervisory Authorities
  • Article 6: Cooperation and Information Sharing
  • Article 7: Penalties and Enforcement

By adhering to these articles, organizations can ensure they are fully compliant with NIS 2 and contribute to a more secure and resilient EU digital landscape.

Datahub are experts in global Data Protection laws and Cyber Security

Contact Our Team


If you are interested in knowing more about the Network and Information Systems (NIS) Directive, or want to review the cybersecurity or data protection within your organization, here are the next steps.

It wouldn’t cost you anything to start a conversation with our compliance team where we have experts in data protection and cybersecurity. Over a coffee we can get an understanding of your IT security landscape, advise on best practice, and provide guidance on the directive.

Contact us: Contact us | DataHub Consulting
Datahub Consulting Website: Data Consultancy Services | Datahub Consulting
Datahub Cybersecurity Website: Cybersecurity | Datahub Consulting
