Everything you want to know about the NIS2 guideline
Cyber threats are a reality that every organization faces today. With the introduction of the NIS2 Directive, the European Union is taking an important step to better manage these threats and protect critical sectors. But what exactly does this directive entail? And what does it mean for your organization? In this article, we’ll guide you through everything you need to know about NIS2 so that you’re well-prepared.
Table of Contents
- What is the NIS2 Directive?
- Who is covered under NIS2, and what obligations exist?
- When does NIS2 come into effect?
- How does NIS2 compliance work?
- Which sectors are covered under NIS2?
- Why is NIS2 important?
- How do I prepare my business for NIS2?
- What are the penalties for non-compliance with NIS2?
- What is the difference between NIS and NIS2?
- How does NIS2 affect my business?
NIS2 Basic for your organization?
Find out how we help you become NIS2-compliant with a hands-on approach.
1. What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems Directive 2) is the updated version of the original NIS Directive from 2016. This legislation aims to enhance the digital resilience of critical infrastructures across Europe. The directive requires organizations in vital sectors to implement measures against cyber threats.
What sets NIS2 apart from its predecessor? It expands the scope, imposes stricter obligations, and introduces harsher penalties for non-compliance. The goal is to better protect Europe against a growing number of increasingly sophisticated cyberattacks.
2. Who is covered under NIS2?
The NIS2 Directive applies to two categories of organizations:
- Essential Entities: These are large organizations in sectors like energy, transport, healthcare, and digital infrastructure. They have at least 250 employees, annual revenue exceeding €50 million, or a balance sheet total over €43 million.
- Important Entities: Medium-sized organizations in critical sectors or large organizations in less critical sectors. These companies have at least 50 employees and annual revenue or balance sheet totals exceeding €10 million.
- Organizations collaborating with essential or important entities: If you are a supplier or partner of these types of organizations, cybersecurity should also be a top priority for you. This is known as the waterfall effect, where NIS2-regulated organizations prefer to work with partners that meet at least NIS2 Basic standards. This approach raises the overall security standard across Europe.
3. When does NIS2 come into effect?
The NIS2 Directive officially takes effect on October 18, 2024. From this date, organizations are expected to comply with all the requirements outlined in the directive. While this deadline may seem far off, it is crucial to start preparations immediately. Achieving NIS2 compliance may require significant technical and organizational adjustments, which take time.
When will inspections begin?
Formal inspections for NIS2 compliance are expected to begin shortly after the directive comes into effect, depending on implementation by national governments and supervisory authorities in member states. Member states are responsible for setting up enforcement mechanisms and specific inspection processes. This could mean:
- Immediate audits and inspections for organizations in critical sectors.
- Monitoring of reporting obligations starting from the effective date.
- Warnings or sanctions for organizations that are not yet fully compliant and show insufficient progress.
4. How does NIS2 compliance work?
Achieving NIS2 compliance involves several key steps:
- Conduct a risk assessment: Identify key threats and vulnerabilities in your IT infrastructure.
- Implement technical measures: Such as firewalls, encryption, and monitoring tools.
- Develop incident response plans: Prepare to respond quickly to cyberattacks.
- Raise awareness within your organization: Provide training and awareness campaigns to educate employees about their role in cybersecurity.
- Meet reporting obligations: Report incidents within strict timelines to the competent authorities.
- Collaborate with competent authorities: Prepare for audits and inspections and provide necessary cybersecurity information.
The directive also requires organizations to appoint a cybersecurity point of contact, which can be an internal expert or an external partner.
Specific reporting requirements: Organizations covered by the NIS2 Directive are required to report specific information on security incidents. Any significant incident must be reported to the Centre for Cybersecurity Belgium (CCB) within 24 hours of discovery. A more detailed report follows within 72 hours, describing the nature of the incident, its impact, and the actions taken. In addition, it is advisable to submit an annual summary of all identified risks and the effectiveness of the security measures taken. These reports help the authorities analyze trends, improve overall security, and provide targeted support where needed.
5. Which sectors are covered under NIS2?
The NIS2 Directive expands its scope to a wide range of sectors deemed essential or important to society. Below is an overview of the key sectors:
Essential sectors
- Energy: Electricity grids, oil, and gas suppliers.
- Transport: Aviation, railways, shipping, and road transport.
- Healthcare: Hospitals, pharmaceutical companies, and laboratories.
- Water Management: Drinking water suppliers and wastewater management.
- Digital Infrastructure: Internet providers, data centers, and cloud services.
- Banking: Banks and financial institutions.
- Public Administration: Government institutions and public services.
Important sectors
- Food: Large food producers and distributors.
- Chemical Industry: Manufacturers and suppliers of chemicals.
- Aerospace: Satellite operators and supporting infrastructures.
- Media and Telecommunications: TV and radio broadcasters, telecommunications companies.
The aim is to protect sectors vital to the daily functioning of society.
6. Why is NIS2 important?
Cyberattacks such as ransomware, phishing, and DDoS attacks are an increasing threat. The consequences can be severe: financial damage, reputational loss, and disruptions to critical services.
With NIS2, the European Union aims to:
- Strengthen the digital resilience of critical sectors.
- Improve cooperation between countries and sectors.
- Better protect citizens from cyber risks.
- Encourage organizations to modernize their IT infrastructure.
Complying with the directive reduces the risk of a successful cyberattack. More importantly, it’s an opportunity to instill confidence in your customers and partners.
7. How do I prepare my business for NIS2?
Meeting NIS2 requirements is no simple task, but a structured approach can simplify the process. Here are some steps to follow:
- Conduct a risk assessment: Analyze vulnerabilities in your IT infrastructure and identify potential threats.
- Develop an action plan: Determine the necessary measures to mitigate risks.
- Implement technical solutions: Install security systems such as firewalls, intrusion detection, and backup solutions.
- Train your staff: Ensure all employees understand cybersecurity risks and their role in minimizing them.
- Prepare an Incident Response Plan: Be ready to respond quickly and effectively to cyber incidents.
- Continuously monitor your systems: Use real-time monitoring tools to detect and neutralize threats promptly.
Collaborating with a cybersecurity expert is also recommended to ensure compliance with all directive requirements.
8. What are the penalties for non-compliance with NIS2?
Non-compliance with NIS2 can have serious consequences. Depending on the nature of the violation, penalties can reach up to €10 million or 2% of global revenue.
In addition to financial penalties, companies may face:
- Reputational damage: Failing to meet cybersecurity standards can erode customer and partner trust, leading to revenue loss and reduced business opportunities.
- Legal complications: Violations can result in legal disputes, including liability claims from customers or partners affected by inadequate security measures.
- Operational disruptions: Non-compliance may lead to audits and inspections by authorities, consuming resources and potentially disrupting normal operations.
- Suspension of activities: In extreme cases, a supervisory authority may temporarily halt business operations until compliance is achieved.
9. What is the difference between NIS and NIS2?
The NIS2 Directive is stricter and broader in scope compared to the original NIS Directive. Key differences include:
- Broader scope: More sectors and organizations are covered.
- Stricter obligations: Greater focus on reporting and collaboration.
- Harsher penalties: Higher fines for non-compliance.
- Supply chain security: Suppliers must also meet requirements.
10. How does NIS2 affect my business?
The NIS2 Directive directly impacts organizations classified as essential or important. However, even companies not directly falling under these categories may face indirect requirements due to the “waterfall effect.”
The waterfall effect explained
Essential and important entities subject to NIS2 are required to ensure their cybersecurity is in order. A key aspect of this is working only with partners and suppliers that also have a strong cybersecurity foundation. This means that even if your organization is not directly subject to the NIS2 Directive, your partners or clients may demand compliance with certain cybersecurity standards. This phenomenon is known as the “waterfall effect.”
NIS2 Basic: a minimum requirement
To meet the expectations of NIS2-regulated organizations, your business may need to achieve at least the NIS2 Basic level. This involves implementing fundamental cybersecurity measures to demonstrate that your organization takes digital security seriously. Obtaining NIS2 Basic certification can be crucial for maintaining existing collaborations and creating new opportunities.
Why acting proactively pays off
By investing in basic security measures now and potentially obtaining NIS2 Basic certification, you position your organization as a reliable partner. This not only strengthens customer and partner trust but also prepares you for future regulations and threats.