NIS2 Directive (part 1): What is new in NIS2 and who does it apply to?
In 2016, the European Union introduced the Network and Information Security (NIS or NIS1) Directive. Its main objectives were to improve the cybersecurity capabilities of member states, strengthen collaboration among national cybersecurity authorities across Europe, and incorporate cybersecurity into organizations in key industry sectors.
The threat landscape is constantly evolving, so to address changes and emerging vulnerabilities since 2016, the European Union adopted the revised Network and Information Security Directive (NIS2) in January 2023.
In this two-part blog, we focus on the cybersecurity measures that the new directive imposes on European companies, specifically multi-factor authentication for the workforce. Here in part one, we provide an overview of the NIS2 Directive and in part two, review the requirements.
What is new in the NIS2 Directive?
NIS2 essentially has the same objectives as NIS, but it broadens and deepens the cybersecurity requirements that apply to companies. For example, NIS2:
- Increases the number of industry sectors that have to implement cybersecurity measures
- Elevates the role and responsibility of company management as related to cybersecurity
- Introduces new timelines for reporting significant security incidents
- Heightens the focus on security aspects of companies’ supply chains;
- Imposes stricter penalties in case of non-compliance
Who does NIS2 apply to?
From a geographical perspective, NIS2 applies across the European Economic Area, which consists of the 27 member states of the European Union, as well as Iceland, Liechtenstein, and Norway.
A European company is subject to NIS2 if it belongs to either a high criticality sector or other critical sectors, and meets certain size requirements. In NIS2, Annexes I and II define high criticality sectors as well as other critical sectors.
High criticality sectors:
- Energy (electricity, oil, gas, district heating and cooling, and hydrogen)
- Transport (air, rail, water, and road)
- Health (including labs and research on pharmaceuticals and medical devices)
- Space
- Drinking water, wastewater (but only if it is the main activity)
- Public administration
- Digital infrastructure (telecom, DNS, TLD, data centres, trust services, cloud services)
- Banking and financial market infrastructure
- ICT service management in a business-to-business setting
Other critical sectors:
- Postal and courier services
- Waste management
- Digital service providers (search engines, online markets, social networks)
- Chemicals (production and distribution)
- Food (Production, processing, and distribution)
- Research
- Manufacturing (specifically, but not limited to, medical, computer, and transport equipment)
Regarding size, companies are in scope of NIS2 if they meet the definition of large or medium-sized enterprise as outlined in the European Commission’s recommendation concerning the definition of micro, small and medium-sized enterprises:
- A large entity is a company with at least 250 employees or with an annual revenue of at least €50M, or an annual balance sheet total of at least €43M.
- A medium-sized entity is defined as one with at least 50 employees or with an annual revenue (or balance sheet total) of at least €10M, but with fewer than 250 employees and no more than €50M annual revenue or €43M balance sheet total.
Small and micro enterprises (fewer than 50 employees and an annual revenue or annual balance sheet total of less than €10M) are excluded from the scope of NIS2, unless an exception applies.
Based on the industry sector and size, NIS2 classifies organizations as either an essential entity or important entity:
- Essential entities are large companies that are part of the sectors of high criticality
- Important entities are medium-sized enterprises operating in the sectors of high criticality, or large or medium-sized enterprises in other critical sectors.
Entity size | Number of employees | Revenue (€M) | Balance Sheet (€M) | Sectors of high criticality | Other critical sectors |
---|---|---|---|---|---|
Large | x ≥ 250 | y ≥ 50 | z ≥ 43 | Essential Entities | Important Entities |
Medium | 50 ≥ x > 250 | 10 ≥ y > 50 | 10 ≥ z > 43 | Important Entities | Important Entities |
Small | x < 50 | y < 10 | z < 10 | Out of scope | Out of scope |
However, there are some exceptions to these rules:
- In some sectors, entities are designated essential regardless of size. Examples are providers of public electronic communications networks, qualified trust service providers (e.g. issuers of qualified certificates, qualified timestamping services), top-level domain name registries, and DNS service providers.
- National authorities may also designate entities as essential or important irrespective of the above rules. An example would be when a disruption in service provision could have significant consequences for public safety, public security, or public health.
The main difference between essential and important entities is in the stringency of supervision and penalties in case of non-compliance. Essential entities will be proactively supervised to verify compliance with the NIS2 requirements. On the other hand, important entities are subject to ex-post supervision, meaning that they are reactively supervised. Authorities may impose sanctions if they conclude that an entity is non-compliant.
General cybersecurity measures under NIS2
NIS2 requires companies to invest in cybersecurity measures in the following areas:
- Security governance: Management of in-scope entities need to be actively involved in the cyber security management of their company and take responsibility regarding their cybersecurity maturity. Management must ensure risk assessments are conducted, approve cybersecurity risk management measures, and oversee the implementation of these measures. To make sure management is sufficiently capable, they must follow training on cybersecurity risks and management practices, and also provide training to employees.
- Incident reporting: Every incident with significant impact should be notified by the essential and important entities without undue delay to the CISRT or competent authority in their Member state. Within 24 hours after the discovery of a cybersecurity incident, an early warning should be communicated. After 72 hours, the results of an initial assessment must be communicated, highlighting the incident’s severity and impact, and indicators of compromise. Upon request of the CSIRT, entities may be required to provide an intermediate report. After one month, a final report must be provided.
- Cybersecurity risk-management measures: Organisations must take security measures to manage the cyber risks to their ICT systems. These measures apply to:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity
- Supply chain security
- Security in network and information systems acquisition, development, and maintenance
- Policies and procedures to assess the effectiveness of cybersecurity risk-management
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and encryption
- Human resources security, access control policies, and asset management
- MFA or continuous authentication
Conclusion
Learn more about how to protect your workforce and safeguard data and applications from attack with our latest FIDO authenticator with fingerprint scan.