NIS2 Directive: 5 Key takeaways

The NIS2 Directive came into force in January 2023, and member states were tasked with implementing NIS2 into national law by October 2024. Although there have been some delays in national laws, NIS2 is not going away. An estimated 160,000 companies plus their supply chain ecosystems will be impacted across the EU.

As someone who has been deeply involved with the NIS2 Directive, and data protection and compliance more generally, I've seen first-hand how the NIS2 Directive has the potential to transform cyber-resilience management across Europe and countries that fall under its extraterritorial application. The need for enhanced governance and accountability, implementation of robust risk-management, cybersecurity measures and improved supply chain security has never been clearer.

In this article, I want to go beyond the surface-level NIS2 discussions that fill our feeds. I will share a real-world perspective on what the Directive means for EU organisations and those serving the European market. This Directive is not just about meeting new requirements. It demands a strategic evaluation of how we approach cyber risks across the eighteen applicable high-criticality and other critical sectors, and their supply chains, including those not established within the EU.

We will explore my five key takeaways of NIS2, their significance for your organisation and how you can effectively address the challenges they present.

The Cyber Leadership Playbook

Align your CISO, GC, and board for smarter cyber risk management. Discover practical insights and strategies to bridge the gaps between security, legal, and board leadership.

Download herechevron_right

1. Strengthen governance and accountability in cybersecurity at the leadership level

The NIS2 Directive establishes clear responsibilities for senior management to ensure compliance with cybersecurity measures and reporting:

Key steps

• Active governance and accountability by leadership: Management bodies are assigned an active role. They will have the responsibility to approve the cybersecurity risk-management measures taken by their organisations and to oversee their implementation.
• Continuous assessment: There is a need for continuous evaluation and updating of cybersecurity strategies to respond to new threats.
• Severe penalties for non-compliance: Failure to comply with this Directive can lead to significant consequences, including:
  • Fines of up to €10million or a maximum of 2% of global turnover for essential entities.
  • Fines of up to €7million or 1.4% of global turnover for important entities.
  • Being forced to notify customers or service recipients about the nature and severity of the risk due to compliance failings.
  • Temporary prohibition of key figures like CEOs or legal representatives from exercising managerial functions.

Navigate NIS2 with confidence

Simplify NIS2 compliance and transform regulatory challenges into growth opportunities with our NIS2 IT Compliance Toolkit.

Book a demochevron_right

Beyond the financial penalties, non-compliance can lead to a loss of reputation for the organisation, resulting in reduced market penetration and negative media attention. If regulators report non-compliance, the associated negative media coverage can further damage the organisation's reputation.

Nils Müller, Partner, Privacy, Cyber & Tech at Eversheds Sutherland, emphasises the impact of NIS2’s requirements:

As a by-product of this, there is a real opportunity to weave cybersecurity into the fabric of your company’s operations: Integrating cybersecurity at leadership level will help align the function with broader business goals, fostering a culture of security awareness. This is essential for ensuring your organisation reduces cyber incidents effectively while supporting business continuity and resilience.

2. Implement effective, up-to-date and proportionate cybersecurity measures

Under the NIS2 Directive, organisations must now implement minimum cybersecurity measures while considering the state-of-the-art.

Key steps

• Cybersecurity measures: Entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, with reference to relevant European and international standards.
• Cost-effectiveness and risk alignment: They need to do so with reference to relevant European and international standards, the cost of implementation, and the level of security proportionate to the risks posed.
• Comprehensive requirements: Entities are mandated to consider 10 requirements outlined in Article 21, which include risk analysis, incident response, business continuity, cybersecurity training, cryptography, and multi-factor authentication.

Nils recommends mapping a control library to these measures:

Steps for compliance

1. Classification assessment: Organisations must first determine if they qualify as essential or important entities by conducting a thorough assessment. This involves analysing sector involvement, staff numbers, financial thresholds, and group structures.

2. Sector inclusion: It's crucial to understand the broad scope of sectors included under NIS2. For example, entities in the digital infrastructure sector with more than 50 employees may be classified as important entities, regardless of financial metrics. As a high-level guide:

• Important entities: These are medium-sized enterprises with at least 50 employees, and either a EUR 10 million annual turnover or a EUR 10 million balance sheet total. They should expect reactive monitoring and periodic audits.
• Essential entities: These are large enterprises with more than 250 employees and either EUR 50 million in annual turnover or a EUR 43 million balance sheet. The regulatory authorities will proactively monitor these sectors of high criticality.

Whether you are an essential or important entity, meeting the requirement for cost-effective, state-of-the-art cybersecurity measures is a complex but vital process. Beyond ensuring the handling and prevention of security incidents, adhering to this regulation will help your organisation use innovative security practices in everyday operations. This will directly and positively impact long-term business continuity and resilience.

Your step-by-step guide to NIS2

Download our NIS2 checklist for the actionable steps your organisation can take to comply and elevate your cyber security resilience.

Access the checklistchevron_right

3. Strengthen supply chain security by ensuring all partners meet high cybersecurity standards

Supply chain security is a huge challenge for the ecosystem. There is growing cyber inequity between organisations that are cyber resilient and those that are not. Large highly regulated organisations have demonstrated gains in cyber resilience, but the same is often not true for smaller less regulated organisations. This means that smaller organisations are increasingly unable to prevent critical operational disruption from a cyber incident, often incur larger financial loss when seeking to recover, and find compliance with customer contractual obligations very difficult.

The result is targeted attacks on the supply chain, which often have less mature cybersecurity risk management and attack response measures. Bad actors then use this access to target larger entities that rely on these suppliers for products or services.

Addressing cybersecurity weaknesses within supply chains is a crucial mandate under the NIS2 Directive. This pain point of supply chain due diligence will only increase as large organisations contractually impose NIS2 onto their direct supply chains.

So, how can your organisation proactively approach this challenge?

Key steps

• Contractual commitments: Direct suppliers or service providers should ready themselves for these contractual obligations. Essential and important entities should ensure they have adequate contractual terms and conditions in place to help the entity with compliance. A good example would be adherence to new breach notification requirements and reporting.
• Comprehensive strategy: Essential and important entities should enhance their current supply chain programs to ensure compliance with the Directive and ensure their supply chain can achieve and demonstrate their own compliance.

Nick Frost, Co-founder and Chief Product Officer at Cyber Risk Management Group, reminds us, "Securing the supply chain is probably one of the biggest challenges organisations and security functions face.” But if we look to find a positive with the impact of NIS2; by embedding cybersecurity standards into supply chain contracts, you ensure consistent security practices, mitigate vulnerabilities, and reduce cyber incident disruptions. Ultimately, a proactive approach to the NIS2 Directive will strengthen your reputation and customer trust, positioning your organisation as a leader in cybersecurity diligence.

4. Ensure timely and effective reporting for significant cybersecurity incidents

Your organisation’s role in managing cybersecurity incidents takes on a new level of urgency and importance under the NIS2 Directive. As an essential or important entity, you must now follow stringent reporting obligations when a significant cybersecurity incident is detected:

Key steps

• Immediate early warning: Within 24 hours of detecting a significant incident, you must issue an early warning to your government’s Computer Security Information Response Team (CSIRT) or the competent authority. This initial alert is crucial as it sets the stage for a coordinated response.
• Detailed incident notification: Follow up the early warning with a detailed incident notification within 72 hours. This step goes beyond mere compliance; it involves providing a clear and comprehensive overview of the incident to aid authorities in understanding and effectively responding to the situation.
• Ongoing communication: Your responsibility doesn’t end with these initial notifications. Continue to provide updates as requested by the CSIRT or competent authority, keeping them fully informed as the situation evolves.
• Final report: Within 30 days, a final report is due. This report should not only recap the incident but also offer insights and recommendations to prevent future occurrences.

Again, there is a positive long-term outcome: your organisation will develop an enhanced cybersecurity framework. By preparing effectively so you can adhere to these reporting obligations, you are doing more than following protocol. You are actively protecting your organisation – and your customers and partners - and bolstering its resilience against cyber threats.

5. Ensure compliance for non-EU-based entities serving the EU market

The NIS2 Directive doesn't only apply to EU established entities; it reaches out globally with extra territorial application, mandating requirements and obligations for international entities that offer services within the EU market. This move ensures that any entity, regardless of its geographical location, adheres to stringent cybersecurity norms if it serves the EU market. It also means that EU entities cannot contract out of their obligations by leveraging non-EU partners who do not need to adhere to the NIS2 requirements.

Key steps

• Who is affected: NIS2 casts an extra-territorial wide net, much like the GDPR, and applies to:
• DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces and search engines and social networking services platforms. If your services reach into the EU, you are on the radar.
• Importantly, direct suppliers who are not established inside the EU, such as UK businesses, but which supply EU essential or important entities, will also need to satisfy those customers that they are operating to NIS2 standards.
• Requirements for non-EU entities: Particularly for entities like those in the UK (post-Brexit), it may be a contractual obligation and a competitive advantage to prove that your operations meet NIS2 requirements. This isn't just about compliance; it's about ensuring that your services are trusted by customers and partners within the EU market.
• Appointing an EU representative: Much like the GDPR, if your business doesn’t have a physical presence in the EU, but offers services within the EU, appointing a local representative is mandatory. This representative will facilitate your compliance processes and act as a point of contact with EU authorities.

Advice to non-EU businesses

• Contractual clarity: If you are a supply chain partner to an applicable EU essential or important entity, then ensure your NIS2 contractual obligations and the processes (and people) you will need to implement to deliver on them are agreed.
• Strategic advantage: Compliance with NIS2 should not only be seen simply as a regulatory hurdle but as a strategic advantage in the competitive EU market for supply chain organisations. If you can proactively demonstrate NIS2 compliance, that should be an advantage in securing new commercial opportunities inside the EU, because you lessen that compliance burden for your potential customers.

The NIS2 advantage: transforming challenges into opportunities

By setting a new standard in cybersecurity, the NIS2 Directive ensures that above and beyond a compliance exercise, cybersecurity becomes an integral part of an evolving organisational cybersecurity strategy that places an increasing focus on operational resilience.

Before your executives and board members can lead on NIS2, they must develop expertise and best practices. The NIS2 training courses available through the Diligent One Platform provide a comprehensive understanding of the directive, offering guidance on compliance obligations and key provisions, and include practical tools like a preparation checklist to ensure thorough readiness. As you prepare to meet its ongoing requirements and obligations, concentrate on developing a robust framework that not only meets immediate compliance needs but also improves long-term resilience across your supply chain.

Get armed with everything you need to easily map, manage, and demonstrate your NIS2 compliance with a scalable method for managing future risks. Find out more about our NIS2 Toolkit and book a demo here.