SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

What is the NIS 2 Directive? A European Approach to Cybersecurity

Cybersecurity Assessments

As technology continues to evolve and embed itself more into society, regulations to govern its use and protect consumers are struggling to keep up in parts of the world. But not so in the European Union (EU), where they’ve recently made progress on a wave of new cyber legislation—among those is the NIS 2 Directive.

Otherwise known as the Network and Information Systems Directive 2, this decree is the successor to 2016’s NIS Directive—which is now known as NIS 1—and outlines an EU-wide approach to cybersecurity. As Member States must adopt and publish the measures necessary to comply with NIS 2 by October 17, 2024, it’s important to grasp what’s changed in the update to the directive and that’s where we can help.

As cybersecurity experts with a global footprint, we make a point to keep apprised of all the latest developments that may affect our clients—the NIS 2 Directive included. In this article, we’ll break down what’s different in the NIS 2 relative to NIS 1, why it’s important to comply, and how you can get started in achieving compliance.

What are the Differences Between NIS 1 and NIS 2?

 

Given that its primary goal is to enhance the resilience of EU critical infrastructure and digital service providers against cyber threats, there had to be some updates made to the NIS 2 from the original NIS 1.

We’ve outlined five key takeaways as follows:

1. New, Wider Scope of Coverage

 

Before understanding anything else, it’s important to understand who is subject to the directive’s mandates, particularly because NIS 2 has expanded its scope beyond that of NIS 1 to include more sectors and entities. These included organizations are classified as either Essential or Important:

Essential Entities

Important Entities

Though there’s variance based on sector, Essential Entities are generally those that have:

  • 250 employees; and
  • Annual turnover of at least €50 million or an annual balance sheet of €43 million.

Though there’s variance based on sector, Important Entities are generally those that have:

  • 50 employees; and
  • Annual turnover of at least €10 million, or an annual balance sheet of €10 million.

Includes the following sectors:

  • Energy
  • Transport
  • Banking and financial markets
  • Health
  • Water (drinking and waste)
  • Digital Infrastructure and ICT Service Management
  • Public Administration
  • Space

Includes all the sectors listed under “Essential Entities” and within the size threshold for “important entities” PLUS the following:

  • Postal and courier services
  • Waste Management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (e.g., of medical devices and various other equipment)
  • Digital providers such as online marketplaces, search engines, and social networks
  • Research

 

2. Enhanced Risk Management and Cybersecurity Requirements

 

NIS 2 now requires that Essential and Important Entities conduct regular risk assessments and adopt appropriate risk management practices to prevent and minimize the impact of cyber incidents.

Not only that, but the directive also sets out new and specific security measures and capabilities that entities must implement to safeguard their network and information systems, which include the use of:

  • Multi-factor authentication (MFA) or continuous authentication solutions;
  • Encryption;
  • Logging; and
  • Incident detection and response mechanisms.

3. Improved Incident Reporting and Cooperation

To facilitate the timely responses of coordinated collective actions in mitigating the effects of cyber threats, entities are also now required to report significant cyber incidents to national competent authorities promptly.

In a circling of the wagons of sorts, NIS 2 also further promotes collaboration among member states through the establishment of national authorities and a NIS Cooperation Group to facilitate information sharing, best practices exchange, and joint responses to cross-border cyber incidents.

4. Heightened Focus on Business Continuity and Resilience

Through these new mandates for more advanced and robust cybersecurity measures as well as the new obligations regarding incident reporting, it’s clear that the NIS 2 directive is aiming to not just minimize disruptions caused by cyber incidents at their points of origin, but also the ripple effect given these new measures that will help maintain the continuity of essential services.

5. Promoted Culture of Cybersecurity

In a similar vein, the new NIS 2 Directive also appears to be encouraging a proactive approach to cybersecurity across industries and sectors—by setting clear requirements and promoting best practices, the EU wants to foster a sweeping standard across the Union that sees cybersecurity prioritized and integrated into business operations.

As part of this initiative and to help promote a top-down approach to information security, NIS 2 mandates regular security awareness training for management and encourages organizations to train all employees as well.

 

What are the Penalties for Noncompliance with the NIS 2 Directive?

 

While the NIS 2 requirements for compliance are the same for both Essential and Important Entities, the supervision and penalties vary between the two:

  • Essential Entities:
    • Penalties for non-compliance can amount to €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year—whichever amount is higher.
  • Important Entities:
    • Penalties for non-compliance can amount to €7,000,000 or 1.4% of the total annual worldwide turnover in the previous fiscal year—whichever amount is higher.

5 Helpful Steps in Achieving NIS 2 Compliance

 

Although the deadline for compliance is in October 2024, organizations required to comply with the NIS 2 Directive should begin to assess where they stand against the requirements now so you can implement the necessary controls you’ll need to ensure you have the appropriate safeguards in place in time.

To help point you in the right direction, here are 5 basic steps you can take to get started in your compliance with the NIS 2 Directive.

1. Understand the Scope and Requirements

First, you’ll need to determine whether your organization falls under the classification of an Essential or Important Entity.

Once you clarify that, you can then study any incident reporting obligations or compliance requirements outlined in the NIS 2 Directive that are relevant to your sector and operations as you plan your next moves.

2. Conduct a Risk Assessment

Given the new emphasis on continuity and minimizing greater disruption, don’t just perform a basic risk assessment—use the results to then identify and prioritize the following elements that could impact your delivery of essential services or digital services:

  • Critical network and information systems;
  • Potential vulnerabilities; and
  • Cyber, legal, and regulatory risks.

3. Implement Robust Controls

As we mentioned previously, NIS 2 has new requirements for technical and organizational measures so you’ll need to deploy and maintain:

  • Access controls and MFA;
  • Encryption;
  • Supply chain security;
  • Intrusion detection systems; and
  • Incident response plans.

You’ll also need to ensure policies, procedures, and controls are documented and aligned with the NIS 2 requirements.

4. Establish Incident Response Capabilities

In complying with the new incident response focus, you’ll need to develop and implement an incident response plan that includes procedures for detecting, understanding, reporting, and mitigating cybersecurity incidents promptly.

Ensuring management is aware of your plan and their role is not only important—given that they’re responsible for approving organizational cybersecurity risk-management measures, overseeing their implementation, and can be held liable for any related infringements—but it’s also mandatory.

That being said, you should also train all personnel on cybersecurity protocols, incident response procedures, and their roles and responsibilities.

5. Ensure Compliance and Continuous Improvement

Even when you believe your organization has made all the necessary implementations, you should continue to regularly monitor your compliance with the NIS 2 requirements and subsequent amendments through audits, assessments, and internal reviews. Document your findings and take corrective actions as necessary.

For the peace of mind that comes with external validation of your efforts and the confirmation of your compliance, consider engaging with an independent audit firm for an assessment of your organization’s cybersecurity posture against the NIS 2 requirements.

 

Other Cybersecurity Regulation Considerations in the EU

 

In its efforts to establish a unified approach to cybersecurity across the EU and enhance trust in the digital economy, the NIS 2 Directive requires a high level of cybersecurity preparedness, response capabilities, and cooperation among Member States and ensure the protection of critical infrastructure and services.

Compliance with this new regulation will be necessary by October 17, 2024, and if you’re interested in learning more about how Schellman can help with an independent assessment of your cybersecurity measures, contact us today.

In the meantime, make sure you’re up to date on other important and recent developments in the EU by reading our content on other new regulations in Europe:

About ROBERT TYLKA

Robert Tylka is a Principal at Schellman. With over 16 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In his portfolio, he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the financial services, information technology, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 500 and publicly traded companies, with a strong focus in the technology sector.