The NIS 2 Directive marks a significant advancement in cybersecurity and cyber-resilience in Europe. In the face of escalating cyber threats, it is essential for affected entities to achieve compliance to protect their critical infrastructures. What are the stakes of NIS 2? After its entry into force in Europe, what are the next steps towards compliance with the directive? Here is an overview of the upcoming actions that organizations and EU Member States must undertake to meet the requirements of the NIS 2 Directive.
Why Is Compliance Crucial?
The obligation to comply with the NIS 2 Directive concerns thousands of European organizations operating in 18 sectors deemed critical or highly critical. As cyber warfare intensifies cybersecurity risks, this new Directive mandates the strengthening of protection measures for networks and information systems and an improvement in risk management. Non-compliance can not only lead to substantial fines but also compromise the security of essential services and the reputation of organizations. This is the case for companies in the finance sector, which, in the event of a cyber crisis and operational shutdown, can lose the trust of their clients. According to the International Monetary Fund’s (IMF) “Global Financial Stability Report” published in April 2024, this can lead to a 5% decrease in deposits over several months, potentially triggering significant liquidity problems.
Understanding the Requirements of the NIS 2 Directive
What’s New in the Scope
The NIS 2 Directive significantly expands its scope compared to NIS 1. Large companies, but also medium-sized enterprises and certain critical entities, such as ICT service providers and digital infrastructures, must comply with new strict obligations. This extension aims to ensure a more homogeneous level of cybersecurity across Europe, notably by including public administrations.
Key Cybersecurity Obligations
The NIS 2 Directive mandates the implementation of technical and organizational security measures, including the securing of networks and systems, risk management measures, and supply chain security. Each entity is responsible for mapping its risks, further securing its information system, and promptly informing the competent authorities in case of a security incident via dedicated channels.
High Fines
Unlike NIS 1, the new Directive exposes critical organizations to high fines in case of non-compliance. These can reach up to 10 million euros or 2% of the worldwide annual turnover for so-called essential entities, and up to 7 million euros or 1.4% of the turnover for so-called important entities.
Step 1: Identify as an Essential or Important Entity
By January 17, 2025, organizations concerned by NIS 2 must declare themselves as an Essential Entity (EE) or Important Entity (IE) to the national authority responsible for implementing the Directive.
As a reminder, these two categories of entities expand the scope and replace the status of OES (Operator of Essential Services). They differ by the degree of criticality, the size, and the turnover of the organization. The penalties incurred by non-compliant essential entities will also be more significant.
As specified on the “Mon Espace NIS 2” website, “the mechanisms for identifying entities concerned by the NIS 2 directive will be specified through the process of transposing the directive into national law.” It is therefore up to each EU Member State to draw up the list of essential and important entities in the country. In France, ANSSI will soon provide more information on the subject.
However, according to the website of the Belgian Cybersecurity Centre (CCB), certain criteria already allow defining the two categories:
- An organization constituting a large enterprise (as per the Commission Recommendation 2003/361/EC of May 6, 2003) and providing at least one service listed in Annex I is an essential entity;
- Except for exceptions, an organization constituting a medium-sized enterprise as per the Recommendation and providing at least one service listed in Annex I is an important entity;
- An organization constituting a large or medium-sized enterprise as per the Recommendation and providing at least one service listed in Annex II is an important entity.
In Hungary, critical organizations had until June 30, 2024, to declare themselves. All companies exceeding the Hungarian definition of small enterprises are concerned (those employing at least 50 people or whose annual turnover exceeds 3.9 billion HUF, or 10 million euros).
The country therefore does not distinguish between EEs and IEs. However, companies must classify their information systems according to the security levels “basic,” “significant,” or “high” to adapt the cybersecurity measures to be implemented. (Source: Open Kritis).
Step 2: Assessment of Risks and Existing Systems
Vulnerability Analysis
This step begins with analyzing the vulnerabilities of current networks and systems. Entities must conduct a thorough assessment of potential flaws that could compromise the security of critical information. This includes identifying entry points that could be exploited by cyber attackers, notably through supply chain auditing.
Indeed, software vulnerabilities are a boon for many cyber attackers, and the resurgence of supply chain attacks perfectly illustrates this. These attacks exploit flaws present in the systems, processes, or tools linking a supplier or subcontractor to a target organization. Attackers often target the least secure link in the chain, which is what makes this type of cyberattack both sophisticated and particularly devastating.
A striking example: the SolarWinds attack, discovered in December 2020, with the infiltration of malware into updates of the Orion network management software. Approximately 18,000 clients, including U.S. government agencies and sensitive companies, were affected.
This underscores the importance of favoring software designed according to a “Secure by Design” approach, which allows for studying potential vulnerabilities of a product or service from the design phase to reduce risks.
Mapping of Assets and Critical Infrastructures
Next, it is crucial to map assets and critical infrastructures. This mapping allows for a clear visualization of the resources to protect and to assess their level of risk. The NIS 2 Directive requires essential entities to know their infrastructures precisely to better secure them. For companies in the telecommunications sector, mapping data centers and networks allows for identifying and monitoring the most sensitive elements.
In the financial sector, cyber risk is a major danger according to the European Central Bank (ECB). The very structure of the sector, characterized by the concentration and interconnection of institutions around key services (payments, settlements, central deposits), increases risks. Dependence on a limited number of critical IT providers also adds to the vulnerability of the banking system, as does the possibility of contagion of a problem from one institution to another.
Step 3: Implementation of Technical and Organizational Security Measures
Strengthening Security Policies
Strengthening security policies is a key obligation of the NIS 2 Directive. Companies must implement strict security policies, notably concerning data access and incident management. This may involve access control policies based on the principle of least privilege, ensuring that each employee has access only to the information necessary for their work.
Deployment of Multi-Factor Authentication Solutions
The use of multi-factor authentication solutions is also required to strengthen the security of information systems. This measure ensures that only authorized individuals can access sensitive systems. By combining multiple authentication methods, such as passwords, one-time codes, and security tokens, companies can significantly reduce the risks of cyber intrusion.
Step 4: Preparation for Incident Reporting
Notification Deadlines and Steps
Incident reporting is another important requirement of the NIS 2 Directive. In the event of a cybersecurity incident, entities are required to inform the competent national authorities without undue delay. The details of the processes and deadlines vary from one country to another.
In France, ANSSI specifies that the notification must be sent within 24 hours.
In Belgium, the process includes three steps; following a significant incident, the organization must:
– Send an initial early warning within 24 hours
– Send an incident notification within 72 hours
– And finally, send a final report within one month of the incident.
Respecting these deadlines is essential to ensure a coordinated response to incidents and prevent future cyberattacks.
In Croatia, however, where the transposition of NIS 2 into national legislation has already taken place, no obligation for incident notification within 24 or 72 hours is specified.
Training Teams on Alert Protocols
To ensure effective incident notification, it is essential to train teams on alert protocols. Employees need to recognize an incident and master the steps to react quickly, first by alerting the competent authorities. Good preparation reduces reaction time and limits the impact of incidents, particularly on business continuity. Implementing crisis simulations can be beneficial to ensure that each employee knows their role in case of a cyberattack.
Step 5: Awareness and Training of Personnel
The Importance of Cybersecurity Culture
Beyond compliance with the NIS 2 Directive, strengthening the cybersecurity culture within the entity is today a central element in facing cyber threats. This means that every employee, regardless of their position in the organization and their job, understands the importance of IT security and knows how to act at their level to protect data. This reduces the risks related to human error, which is often the origin of cyber incidents.
Article 20 of the new European Directive even requires companies to implement regular internal training programs. These should cover best practices in cybersecurity, such as access and password management, phishing recognition, or incident response. Regular training maintains a high level of vigilance among staff. Executives are also subject to a more specific training obligation, so they can properly oversee decisions made regarding cybersecurity in the organization.
Step 6: Accountability of Top Management
The Role of Leaders in NIS 2 Compliance
Top management plays a crucial role in compliance with the NIS 2 Directive. Leaders are tasked with approving cybersecurity policies, supervising their implementation, and ensuring that sufficient resources are allocated to secure information systems. The NIS 2 Directive further holds leaders accountable by making them directly responsible for security and cyber-resilience shortcomings.
High Sanctions in Case of Non-Compliance
In case of non-compliance with NIS 2 requirements, whether technical, organizational, or related to training, sanctions can be severe. Essential entities may be fined up to 10 million euros or 2% of annual turnover. For important entities, fines can reach up to 7 million euros or 1.4% of annual turnover. In addition to financial penalties, administrative sanctions may be imposed, such as the temporary suspension of critical activities. This financial and administrative accountability is intended to ensure that cybersecurity is a strategic priority for European organizations.
Step 7: Collaboration with Authorities and the Sector
Cooperation with National Authorities
Cooperation with national cybersecurity authorities, such as ANSSI in France, is essential to ensure effective compliance. These organizations have been designated in each country to ensure the implementation and monitoring of NIS 2, supporting the entities concerned. They serve as reference points regarding all the rules to be applied and can issue recommendations.
Participation in Peer Evaluations
The initial aim of the NIS 2 Directive is to harmonize the overall level of cybersecurity within the European Union and to strengthen European cooperation on the subject. To this end, peer evaluations are planned to ensure that companies comply with the highest security standards. Member States will have to submit to these regularly: as specified on the CCB’s website, “The European Union Agency for Cybersecurity (ENISA) will publish a ‘Cybersecurity State of the Union’ every two years; and a European database on vulnerabilities will be established.”
Participating in these evaluations will allow companies to benefit from constructive feedback and strengthen their resilience to cyber threats.
Step 8: Audits and Continuous Monitoring
Internal and External Audits
To ensure continuous compliance with the NIS 2 Directive, companies must conduct regular internal and external audits. These audits verify that technical and organizational security measures are properly implemented and meet regulatory requirements. An external audit can provide an objective view of weaknesses to be corrected. Member States also have the option to carry out regular external audits, conduct inspections, or even order the production of certain documents by the organization.
Why Act for NIS 2 Compliance?
Compliance with the NIS 2 Directive, besides being a regulatory obligation, offers many advantages. It allows the company to improve its resilience to cyberattacks, enabling a quicker response to incidents and minimizing impacts on its operations.
The Upcoming Deadlines
Here are the main European deadlines for the implementation of the NIS 2 Directive:
October 17, 2024:
Deadline for transposing NIS 2 into national legislation of Member States
To date, only three European countries have completed the exercise.
January 17, 2025:
• Declaration of concerned entities to the competent national authorities.
• Notification of the rules and measures adopted by Member States to the European Commission.
April 17, 2025:
Submission of the list of EEs and IEs from each Member State to the European Commission.
FAQ on NIS 2 Compliance
The key steps for compliance with the NIS 2 Directive include risk assessment, implementation of technical and organizational security measures, preparation for incident notification, awareness and training of personnel, accountability of top management, collaboration with authorities, and conducting regular audits. Each step of the compliance plan is essential to raise the level of network security and ensure the protection of critical infrastructures.
To prepare for the NIS 2 Directive, companies must follow several steps: assess risks, implement security measures, and train personnel. It is important to know if you are affected by the directive based on your sector of activity. Preparation for compliance also includes raising awareness among top management and cooperation with national authorities.
The NIS 2 Directive applies to essential and important entities, covering various sectors such as energy, transport, health, digital infrastructures, and financial services. Organizations, whether public or private, are required to comply with these new cybersecurity obligations, depending on their size and sector of activity. To check if your organization is concerned, consult Annexes I and II of the NIS 2 Directive.
The stakes of the NIS 2 Directive are mainly related to the security of networks and information systems, cybersecurity, and the protection of critical infrastructures. Strengthening security measures is mandatory to face increasing cyber risks. The directive aims to harmonize the level of cybersecurity within the European Union and improve the resilience of essential services against cyber threats.
The sanctions provided by the NIS 2 Directive are strict for entities that do not meet their obligations. The sanction regime includes fines of up to 10 million euros or 2% of the company’s worldwide annual turnover for essential entities. In addition to fines, administrative sanctions may be applied, such as warnings or binding instructions to remedy shortcomings. It is therefore crucial to comply with the directive’s obligations to avoid unnecessary sanctions.
To raise the level of cybersecurity, robust security measures must be applied, such as multi-factor authentication, incident management, and securing the supply chain. The NIS 2 Directive also recommends cybersecurity strategies such as business continuity and continuous staff training. Good risk management is essential to strengthen the organization’s overall cybersecurity.
The impact of the NIS 2 Directive is significant, especially for those operating in critical sectors. It is also significant for small organizations, which must mobilize additional resources. Indeed, this involves investments in time, resources, and training to improve the security of information systems and protect critical infrastructures against cyber threats.