ISMS · Jan Kahmen · 6 min read

The Most Important Points from the NIS2 Directive

NIS2 makes it mandatory to strengthen the cyber resilience of critical and important companies.

What Is NIS2?

The European NIS2 directive requires organizations classified as critical or important to strengthen their cyber resilience. The directive now affects a significantly broader range of entities than before: companies that are part of a supply chain must also comply. Non-compliance can result in substantial fines.

As digitalization accelerates, so does the risk of successful cyberattacks. Organizations must therefore implement comprehensive protective measures, including the continuous review of cybersecurity standard procedures and ongoing employee awareness training.

Which Companies Need to Implement NIS2?

The European Union works to ensure that critical organizations across its member states are better protected against cyberattacks. In 2016, it introduced the NIS1 directive ("Network and Information Security") with strict security requirements.

The new NIS2 Directive has been in force throughout the EU since January 2023, replacing its predecessor. It significantly expands the scope of affected organizations and, in addition to critical infrastructure, now includes important industries and -- under certain conditions -- smaller companies that operate as suppliers.

The EU divides organizations affected by the NIS2 Directive into two categories: "Essential" and "Important." The "Essential" category has been expanded considerably compared to the original NIS regulations, while the "Important" group has been newly defined. Organizations with at least 50 employees and annual revenue exceeding 10 million euros are directly affected:

  • Essential entities: These include critical infrastructure operators whose failure would have severe consequences for public welfare. NIS2 defines eleven sectors, including energy and water supply, transportation, finance and banking, healthcare, and public administration. These sectors have a major impact on national security and must be protected accordingly.
  • Important entities: Organizations in seven additional sectors are classified as particularly important: postal and courier services, waste management, food, chemicals, digital services (e.g., search engines, online marketplaces, cloud services, social networks), industry (e.g., manufacturing of machinery, vehicles, and data processing equipment), and research.

NIS2 May Also Be Mandatory for Small Companies

NIS2 generally does not apply to companies with fewer than 50 employees and annual revenue of up to ten million euros. However, there are exceptions where company size is irrelevant. Providers of DNS services, TLD name registries, and public electronic communications networks and services must comply with NIS2 regardless of their size.

Small and medium-sized companies can also be affected if they supply services or materials to organizations directly subject to the NIS2 Directive. In such cases, they often need to implement the same security measures to avoid supply chain compliance gaps. For example, an automotive manufacturer may require its suppliers to meet specific cybersecurity standards to maintain its own compliance with the EU directive.

The Implementation of NIS2

Organizations covered by NIS2 must implement appropriate and proportionate technical and organizational measures to reduce the security risks to their network and information systems. The goal is to minimize the potential impact of security incidents on their own services and the recipients of those services. They are also required to continuously assess their systems to ensure security at all times.

The directive specifies various minimum requirements, including:

  • Developing concepts and procedures for risk analysis and information security
  • Establishing measures to manage security incidents
  • Creating backup management and disaster recovery plans, including crisis management
  • Ensuring security with direct vendors and service providers
  • Developing vulnerability disclosure strategies
  • Training employees in cybersecurity
  • Implementing cryptography and encryption procedures

When implementing NIS2, organizations should prioritize the following steps:

  • Developing risk analysis and security policies for all information systems
  • Assessing their own risk management practices
  • Implementing a procedure for handling security incidents
  • Setting up backup and crisis management systems
  • Establishing a reporting system
  • Training employees in cybersecurity
  • Ensuring the security of the supply chain, including direct suppliers and service providers

turingpoint's ISMS Portfolio

We can help you meet regulatory requirements and strengthen your organization's operational security through various frameworks.
