NIS 2 Transposition in Europe: State of Play

The NIS 2 directive, or Network and Information Security 2, represents a major evolution in strengthening cybersecurity across the European Union. Adopted to address an increasing number of cyber threats, this directive must be applied in each EU member state starting October 17, 2024. It aims to reinforce the cybersecurity and cyber-resilience levels of a wide range of critical infrastructures and essential European services. But how are European states managing to meet NIS 2 requirements? What obstacles are they facing? This article offers a detailed overview of the current NIS 2 transposition and its implications for nations and businesses.

Context and Objectives of NIS 2

The NIS 2 directive is an improved version of the first NIS directive, which sought to harmonize cybersecurity requirements in the EU. With the evolution of cyberattacks from state and para-state origins, it became necessary to strengthen the security of networks and information systems. NIS 2 objectives include increasing the resilience of critical infrastructures, clarifying corporate responsibilities in cybersecurity, and extending the scope to new economic sectors.

Key Differences Between NIS 1 and NIS 2

NIS 2 distinguishes itself from NIS 1 in several important aspects. First, it broadens its scope from 10 to 18 affected sectors, integrating domains such as healthcare, energy, finance, and even transportation. Additionally, it eliminates the “OSE” (Essential Service Operators) designation in favor of two entity categories: essential and important entities. Finally, it imposes stricter reporting obligations and new non-compliance sanctions.

Unlike NIS 1, the new directive assigns direct responsibility to corporate leadership. Executives are now required to ensure their organization’s compliance with NIS 2. This means personally supervising cybersecurity strategies, participating in audits, and being able to justify measures taken to prevent cyberattacks.

Cybersecurity Requirements Under NIS 2

Security Obligations for Businesses

Companies affected by the NIS 2 directive must implement a series of security strategies to protect their information systems. These actions aim to guarantee proactive risk management, particularly through network and system security, and by monitoring suppliers and subcontractors.

Network Architecture Protection

NIS 2 requires businesses to strengthen their network and system security to minimize intrusion and destabilization risks. It specifically recommends network segmentation and controlled remote access. Implementing attack detection systems, using firewalls, and conducting regular vulnerability testing are also recommended. In Germany, companies like Siemens have implemented advanced threat analysis and detection systems to comply with NIS 2 cybersecurity requirements. (Source: siemens.com)

Incident Reporting Obligations

One of the directive’s primary requirements is the strict incident reporting obligation. Entities subject to NIS 2 must report any major incident to competent authorities within 24 hours, enabling rapid and coordinated responses to cyberattacks. In Belgium, the Belgian Cyber Security Center (CCB) has established a digital platform facilitating incident notifications and requesting assistance from the Cyber Emergency Response Team (CERT). (Source: cert.be)

Compliance and Audits Under NIS 2

To prove NIS 2 compliance, organizations will need to undergo regular audits. These audits will verify that cybersecurity measures are correctly implemented and meet the standards established by the directive.

Note that an ISO 27001 certified entity is not automatically compliant with the new directive. However, as specified on the Orange Cyberdéfense website, “ISO 27001 certification provides a good governance framework covering a large part of its requirements.”

NIS 2 Transposition Across Europe

How to Measure EU Member States’ Progress?

NIS 2 transposition is not uniform across member states. Some countries have been preparing for months or even years, while others are only beginning the process late. To measure member countries’ progress, several aspects must be considered:

  • Legislative progress (bill publication, adoption)
  • Transposition timeline
  • Competent authority designation
  • Identification of essential and important entities
  • Training and awareness
  • Incident notification mechanisms

Country-Specific NIS 2 Transposition Focus

Belgium

In Belgium, NIS 2 transposition is advancing rapidly. The bill was voted on in April 2024, and practical implementation details are being finalized. The Belgian Cyber Security Center (CCB) has established a reference framework based primarily on the ISO 27001 standard to ensure compliance of relevant entities. This is the “CyberFundamentals” approach, which offers a series of concrete measures to reduce the risk of computer attacks. It allows an organization to access different security levels, from Small to Essential, depending on threat severity. Additionally, the CyFun Self-assessment Tool enables verification of NIS 2 compliance against recommended measures.

Starting from the directive’s application on October 18, 2024, most entities will have five months to register on the SafeonWeb site (two months for those in certain information and communication technology sectors). The first mandatory company assessment must occur 18 months after the law’s entry into force. Finally, CyberFundamentals or ISO 27001 certification must be obtained by the concerned entity within 36 months of the national NIS 2 transposition. (Source: CCB)

Germany

Germany has adopted a more gradual approach to compliance. The country has published several draft law versions, but complete transposition is planned for 2025. The German regulatory framework relies on the KRITIS law, which establishes measures for critical infrastructure security and resilience, and the BSI Act, which assigns supervision to the Federal Office for Information Security (BSI).

France

In France, the National Cybersecurity Agency (ANSSI) is leading NIS 2 transposition through a participatory approach involving all stakeholders.

However, the legislative text has not yet been adopted: it was presented to Parliament on October 15, 2024, just days before the national directive transposition deadline. Uncertainties remained regarding the integration of local authorities into security requirements. ANSSI organized consultations in May 2024 with professional organizations affected by the directive and local government elected official associations. These aimed to clarify the scope of concerned entities and applied security measures. Increasing the “cyber maturity level of local authorities” emerged as a priority with NIS 2, as did harmonizing IT security at the territorial level.

To achieve this, public and private organizations need time. Therefore, during the Hexatrust Summer Universities in September 2024, ANSSI Director General Vincent Strubel indicated that no sanctions would be imposed on non-compliant NIS 2 companies during the first three years after its implementation.

The “My NIS 2 Space” platform allows organizations to:

  • Obtain information about the new Directive
  • Verify whether they are concerned by NIS 2
  • And, soon, declare themselves to ANSSI

Croatia  

Croatia is among the most advanced countries in NIS 2 transposition, with a draft law already adopted. In February 2024, the Croatian Cyber Security Act (CSA) came into effect, partially transposing the new Directive. By February 2025, competent authorities must notify organizations concerned by this law. These organizations will then have one year to comply with CSA measures. (Source: Wavestone)

Hungary

In Hungary, the NIS 2 directive was transposed in May 2023 following the adoption of Law 23 of 2023 on cybersecurity certification and supervision. Under the Hungarian legislation transposing NIS 2, national organizations had until June 30, 2024, to register as essential entities (EE) or important entities (IE). (Source: DLA Piper) Before October 18, 2024, NIS 2-concerned organizations must implement security measures corresponding to their information systems’ criticality level and pay the SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) surveillance fee.

Legal and Administrative Challenges of Transposition

Legislative Complexity of NIS 2

NIS 2 transposition presents a complex legal challenge for member states. The directive requires an in-depth revision of national legislative frameworks, which can be time-consuming and politically sensitive. Differences between countries’ legal systems also make harmonizing cybersecurity requirements difficult. According to an analysis by Mayer Brown, legislative framework fragmentation in the EU constitutes a major obstacle to NIS 2’s homogeneous implementation. (Source: Mayer Brown, Analysis 2024)

Leadership Responsibility

NIS 2 imposes personal responsibility on business leaders, requiring them to justify cybersecurity measure implementation. This evolution aims to ensure cybersecurity is a top management priority but also introduces additional complexities. For small businesses, it can represent a significant burden. A recent Ivanti study of 3,000 business leaders and IT and security professionals worldwide found that “The majority (55%) of IT/security professionals believe their non-IT leaders do not have a good understanding of vulnerability management concepts.” This is confirmed by “47% of non-IT leaders who admit they do not have a very good level of understanding of the concept.” The hope is that NIS 2 transposition will pave the way for more training and awareness among leadership.

Conclusion: A Crucial but Laborious Standardization

NIS 2 directive transposition is a complex process requiring concerted efforts from all EU member states. Legislative process fragmentation, challenges related to increased leadership responsibilities, and the expansion of covered sectors make implementation difficult. However, the directive is essential for improving the resilience of Europe’s critical infrastructures against growing cyber threats.

Although countries do not show the same level of advancement and are not ready at the same time, they must be prepared by April 2025 to deliver their list of essential and important entities to the European Commission. The question remains whether these concentrated efforts in such a short timeframe will guarantee enhanced, sustainable, and ultimately uniform cybersecurity across the continent.

Frequently Asked Questions about the NIS 2 Directive

What is the NIS 2 Directive?

The NIS 2 directive is a European directive aimed at harmonizing and strengthening cybersecurity across member states. It seeks to protect the security of networks and information systems by establishing a new framework for more robust cybersecurity. Adopted in October 2024, this European directive aims to elevate protection levels by combating increasing cyber threats through improved coordination between member countries and heightened security requirements for critical infrastructures.

What are the Impacts of NIS 2?

The impacts of the NIS 2 directive on businesses are significant. It imposes increased cybersecurity obligations, including reinforced security measures and more rigorous risk management for concerned entities. The required level of IT security is high, with mandatory incident reporting, regular audits, and compliance with international standards such as ISO 27001. This approach enables better preparation against continuously escalating cyber threats.

How to Prepare for NIS 2?

To prepare for NIS 2 compliance, it is essential to establish a plan including risk assessment, employee training, and implementing management measures adapted to new obligations. Essential entities must also ensure they follow a national strategy to strengthen their cybersecurity and meet the standards imposed by the directive. Training is crucial to guarantee that all stakeholders understand their responsibilities and the security measures to be implemented.

Who is Affected by NIS 2?

The NIS 2 directive concerns a broad range of entities across 18 sectors, including essential service operators, companies in critical sectors such as energy, healthcare, and finance, and certain local authorities. Additionally, it applies to third-country companies operating within the European Union, with each member state’s national agency responsible for identifying the concerned entities.

What are the Sanctions under NIS 2?

The NIS 2 directive introduces a strict sanctions regime for compliance infractions. Companies failing to meet cybersecurity obligations may be subject to significant fines. Leadership responsibility is also engaged, with potential sanctions including fines based on a percentage of turnover, in accordance with each member state’s national law. These sanctions aim to ensure companies respect the established security standards.

When Does NIS 2 Take Effect?

The NIS 2 directive officially comes into force in October 2024. Member states must transpose the directive into their national legislation by this date, although some countries will provide additional time without sanction risk, such as France. Each country must publish corresponding legislation in the official journal, ensuring all concerned entities respect the new cybersecurity requirements within the specified timeframe.

How Does NIS 2 Enhance Cybersecurity?

The NIS 2 directive strengthens cybersecurity by imposing harmonized rules for all member states, targeting a higher overall protection level. It establishes specific security measures for critical infrastructures, improves data protection, and ensures public safety. The directive seeks to reduce cybersecurity risks by requiring regular audits, better coordination between member states, and clear measures to manage cyber threats and reinforce information system resilience.

NIS 2 Guide – 2025: Strengthening Your Organization’s Cybersecurity

Why is the NIS 2 Directive crucial for cybersecurity?

The NIS 2 Directive (Network and Information Security) came into effect on January 16, 2023, within the European Union, replacing the initial NIS Directive of 2016. This updated regulation addresses the growing and diversifying cyber risks. It applies to thousands of Essential Entities (EE) and Important Entities (IE) across Europe, spanning 18 sectors of varying criticality (healthcare, public administration, transport, water, waste management, etc.). Its transposition into national laws by October 17, 2024, is vital to counter increasingly severe cyber crises. However, NIS 2 also represents a significant challenge, as companies of all sizes must meet stringent security requirements or face substantial financial penalties.

Main objectives of the NIS 2 Directive

Enhancing European coordination

NIS 2 aims to bolster the overall level of cybersecurity across the European Union by further securing the networks and information systems of thousands of organizations and essential infrastructures. This harmonization of cybersecurity levels involves sharing expertise in cyber defense and ensuring coordination among EU member states, especially during cyberattacks. Such efforts aim to guarantee a swift and unified response to cyber crises and enhance risk identification.

This European cooperation takes shape through the creation and management of various exchange networks:

EU-CyCLONe

The European Cyber Crises Liaison Organization Network (EU-CyCLONe) was established to study and respond to large-scale incidents in a coordinated manner. Introduced alongside NIS 2, its purpose is to ensure the regular exchange of relevant information among member states and EU institutions. EU-CyCLONe notably works to develop a shared understanding of significant cybersecurity incidents and crises and to coordinate their management. (Source: NIS 2 Directive)

CSIRT Network

Established in 2016 under the original NIS Directive, the CSIRT Network (Computer Security Incident Response Teams Network) brings together representatives from EU member states and the CERT-EU (Computer Emergency Response Team). Meeting three times a year, the network aims to strengthen trust among member states and promote rapid and effective operational cooperation.

NIS Cooperation Group

Launched in 2017 under Article 11 of the NIS Directive, the NIS Cooperation Group includes representatives from EU member states, the European Commission, and ENISA. Its objectives include:

  • Supporting and facilitating strategic cooperation between member states,
  • Encouraging information exchange and mutual trust,
  • Raising overall cybersecurity maturity and national capabilities through training and tools.

(Source: Cyber Gouv)

Increasing operational resilience

The directive requires affected entities to implement measures to strengthen operational resilience. This entails being prepared to handle cybersecurity incidents by developing and testing incident management and business continuity plans in advance. Establishing technical and organizational processes is critical, including deploying secure solutions and designating trained teams. These measures are essential to mitigate the impact of cyberattacks on organizations.

Entities subject to the NIS 2 Directive

Essential Entities (EE) and Important Entities (IE): What’s the difference?

Around 10,000 European public and private organizations must comply with the NIS 2 Directive. These entities are divided into two categories: Essential Entities (EE) and Important Entities (IE), operating within either critical or highly critical sectors. This classification tailors regulatory obligations to the size and criticality of the entities, influencing the severity of penalties. However, each country defines specific identification criteria. In France, for instance:

  • Essential Entities (EE) largely include large companies in highly critical sectors.
  • Important Entities (IE) primarily encompass medium-sized organizations in highly critical sectors and entities within critical sectors.

This classification replaces the former designation of “OES” (Operators of Essential Services).

Critical and highly critical sectors

The following sectors are designated as highly critical:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • IT service management
  • Public administration
  • Space

Critical sectors include:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing
  • Digital providers
  • Research

Unlike NIS 1, central administrations of member states and certain local authorities now fall under the NIS 2 scope.
(Source: Mon Espace NIS 2)

Key Requirements of the NIS 2 Directive

Risk Management

Risk management is at the core of the NIS 2 Directive. Article 21 of the European regulation outlines a series of measures that entities must implement, such as:

  1. Policies for risk analysis and information system security;
  2. Incident handling and business continuity measures, including backup management, disaster recovery, and crisis management;
  3. Supply chain security, including measures ensuring security in relationships with direct suppliers or service providers;
  4. Security in the acquisition, development, and maintenance of networks and information systems, including vulnerability management and disclosure;
  5. Policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
  6. Basic cyber hygiene practices and cybersecurity training;
  7. Policies related to cryptography, including encryption where applicable;
  8. Human resource security, access control policies, and asset management;
  9. Use of multi-factor authentication, secure communication systems (voice, video, text), and emergency communication systems where applicable.

Incident Reporting

In case of significant cybersecurity incidents, entities are required to notify the national authorities responsible for implementing NIS 2 as quickly as possible. Specific notification procedures are defined by national laws, along with what constitutes a “significant incident.” Typically, organizations have 24 hours to inform authorities of an incident.

Here is the list of competent authorities in each EU member state, the main point of contact for NIS 2 entities:

  • Germany: BSI (Bundesamt für Sicherheit in der Informationstechnik)
  • Austria: Office for Strategic Networking and Information Systems Security
  • Belgium: CCB (Centre pour la Cybersécurité Belgique)
  • Bulgaria: Ministry of e-Government
  • Cyprus: Digital Security Authority (DSA)
  • Croatia: National Security Authority
  • Denmark: Center for Cyber Security
  • Spain: Departamento de Seguridad Nacional
  • Estonia: Information System Authority
  • Finland: National Cyber Security Centre, Finnish Transport and Communications Agency (Traficom)
  • France: ANSSI (Agence nationale de la sécurité des systèmes d’information)
  • Greece: Cybersecurity Directorate of the Ministry of Digital Governance
  • Hungary: National Cyber Security Center
  • Ireland: National Cyber Security Centre
  • Italy: National Cybersecurity Agency (ACN)
  • Latvia: Ministry of Defense
  • Lithuania: National Cyber Security Centre
  • Luxembourg: Institut Luxembourgeois de Régulation
  • Malta: Malta Critical Infrastructure Protection Directorate
  • Netherlands: Nationaal Cyber Security Centrum
  • Poland: Ministry of Digital Affairs
  • Portugal: Centro Nacional de Cibersegurança
  • Czech Republic: National Cyber and Information Security Agency
  • Romania: Romanian National Computer Security Incident Response Team (CERT-RO)
  • Slovakia: National Security Authority
  • Slovenia: Government Information Security Office
  • Sweden: Swedish Civil Contingencies Agency (MSB)

Leadership Training

Training organizational leaders is a key requirement under NIS 2. Cybersecurity measures within organizations must be approved and monitored to ensure effectiveness. Leaders must undergo specific training on NIS 2 compliance, cybersecurity standards, and risk management to make informed decisions.

Furthermore, employees at all levels should be made aware of these practices to ensure that proper cybersecurity measures are applied throughout the organization.

Achieving Compliance with the NIS 2 Directive

Organizational and Technical Measures

To achieve compliance, organizations should follow a clear roadmap that includes:

  • Audits, 
  • Risk mapping, 
  • Identifying involved teams, 
  • Training and awareness programs, 
  • Deploying security tools and strategies aligned with their criticality level.

These organizational and technical measures should be integrated into a well-defined plan, subject to regular updates and controls.

The Role of France’s ANSSI

The French National Cybersecurity Agency (ANSSI) plays a crucial role in transposing the NIS 2 Directive into French law. ANSSI also assists businesses in achieving compliance by providing resources through its “Mon Espace NIS 2” platform. Organizations can use these resources to determine their regulatory obligations and classification.

ENISA’s Role in Europe

At the European level, the European Union Agency for Cybersecurity (ENISA) offers extensive resources on NIS 2, including infographics detailing key requirements like incident reporting.

Penalties for Non-Compliance

Financial Sanctions

Unlike NIS 1, the NIS 2 Directive imposes significant financial penalties for non-compliance, which can reach up to €10 million or 2% of an organization’s annual turnover. These penalties are tailored to the criticality level and size of the organization.

The European Context of the NIS 2 Directive

Transposition of the Directive Across Member States

The transposition of the NIS 2 Directive varies across EU member states. Some countries, such as Belgium, Croatia, and Hungary, have already incorporated the directive into their national legislation. However, others, like France and Germany, are facing delays despite their advanced cybersecurity maturity:

  • France presented its draft NIS 2 law on October 15, 2024, just two days before the deadline.
  • Germany plans to finalize the transposition by early 2025.

These delays create uncertainty for entities that must prepare for compliance. In France, the National Cybersecurity Agency (ANSSI) has announced a three-year grace period during which non-compliant organizations will not face sanctions.

Conclusion: A Shared Cybersecurity Challenge

The NIS 2 Directive is essential for raising cybersecurity standards across the EU. By adopting technical, legal, and organizational measures, Essential Entities (EE) and Important Entities (IE) can not only comply with regulatory requirements but also strengthen their operational resilience against cyberattacks. While achieving compliance is challenging, it also represents an opportunity to build sustainable cybersecurity maturity and contribute to the collective security of European nations.


FAQ on the NIS 2 Directive

What is the NIS 2 Directive?

Adopted in October 2024, the NIS 2 Directive is the EU’s updated framework for strengthening cybersecurity in networks and information systems. Building on the first NIS Directive, it addresses growing cyber threats and aims to harmonize security requirements across Europe, ensuring a high level of cybersecurity and operational resilience for critical infrastructures.

What are the key challenges of NIS 2?

As cyberattacks increase and societies become more reliant on digital technologies, NIS 2 seeks to establish a robust framework for improving security in vital sectors such as finance, energy, healthcare, and others. By enforcing this directive, the EU aims to achieve higher cybersecurity standards, better defend against cyber threats, and protect essential services.

How can organizations prepare for NIS 2?

Organizations should follow a national compliance roadmap, including risk analyses and implementing technical and organizational measures to enhance cybersecurity. Training leaders and security teams is critical for understanding the new regulatory requirements. Platforms like France’s “Mon Espace NIS 2” provided by ANSSI help guide organizations through the compliance process.

What are the obligations under NIS 2?

The directive mandates that regulated entities implement proportional technical, legal, and organizational measures based on identified cyber risks. They must also report significant security incidents to the relevant authority (such as ANSSI in France). Non-compliance can result in penalties, including financial sanctions of up to a percentage of global turnover.

Who is affected by NIS 2?

NIS 2 applies to a wide range of entities, including Essential Entities (EE) and Important Entities (IE). These categories encompass critical sectors like healthcare, energy, transport, and digital services, as well as local governments and postal services. The primary criteria include the entity’s size, turnover, and societal importance, with the directive expanding its scope to ensure greater security throughout the supply chain.

What are the impacts of NIS 2 on businesses?

The directive imposes stringent cybersecurity requirements on businesses, requiring investments in security measures, employee training, and rigorous incident management processes. While challenging, these measures enhance security, protect organizational data, and improve resilience against cyber threats. They also provide a competitive advantage by building trust among partners and clients.

8 Key Steps to NIS 2 Compliance

The NIS 2 Directive marks a significant advancement in cybersecurity and cyber-resilience in Europe. In the face of escalating cyber threats, it is essential for affected entities to achieve compliance to protect their critical infrastructures. What are the stakes of NIS 2? After its entry into force in Europe, what are the next steps towards compliance with the directive? Here is an overview of the upcoming actions that organizations and EU Member States must undertake to meet the requirements of the NIS 2 Directive.

Why Is Compliance Crucial?

The obligation to comply with the NIS 2 Directive concerns thousands of European organizations operating in 18 sectors deemed critical or highly critical. As cyber warfare intensifies cybersecurity risks, this new Directive mandates the strengthening of protection measures for networks and information systems and an improvement in risk management. Non-compliance can not only lead to substantial fines but also compromise the security of essential services and the reputation of organizations. This is the case for companies in the finance sector, which, in the event of a cyber crisis and operational shutdown, can lose the trust of their clients. According to the International Monetary Fund’s (IMF) “Global Financial Stability Report” published in April 2024, this can lead to a 5% decrease in deposits over several months, potentially triggering significant liquidity problems.

Understanding the Requirements of the NIS 2 Directive

What’s New in the Scope

The NIS 2 Directive significantly expands its scope compared to NIS 1. Large companies, but also medium-sized enterprises and certain critical entities, such as ICT service providers and digital infrastructures, must comply with new strict obligations. This extension aims to ensure a more homogeneous level of cybersecurity across Europe, notably by including public administrations.

Key Cybersecurity Obligations

The NIS 2 Directive mandates the implementation of technical and organizational security measures, including the securing of networks and systems, risk management measures, and supply chain security. Each entity is responsible for mapping its risks, further securing its information system, and promptly informing the competent authorities in case of a security incident via dedicated channels.

High Fines

Unlike NIS 1, the new Directive exposes critical organizations to high fines in case of non-compliance. These can reach up to 10 million euros or 2% of the worldwide annual turnover for so-called essential entities, and up to 7 million euros or 1.4% of the turnover for so-called important entities.

Step 1: Identify as an Essential or Important Entity

By January 17, 2025, organizations concerned by NIS 2 must declare themselves as an Essential Entity (EE) or Important Entity (IE) to the national authority responsible for implementing the Directive.

As a reminder, these two categories of entities expand the scope and replace the status of OES (Operator of Essential Services). They differ by the degree of criticality, the size, and the turnover of the organization. The penalties incurred by non-compliant essential entities will also be more significant.


As specified on the “Mon Espace NIS 2” website, “the mechanisms for identifying entities concerned by the NIS 2 directive will be specified through the process of transposing the directive into national law.” It is therefore up to each EU Member State to draw up the list of essential and important entities in the country. In France, ANSSI will soon provide more information on the subject.

However, according to the website of the Belgian Cybersecurity Centre (CCB), certain criteria already allow defining the two categories:

  • An organization constituting a large enterprise (as per the Commission Recommendation 2003/361/EC of May 6, 2003) and providing at least one service listed in Annex I is an essential entity;
  • Subject to exceptions, an organization constituting a medium-sized enterprise as per the Recommendation and providing at least one service listed in Annex I is an important entity;
  • An organization constituting a large or medium-sized enterprise as per the Recommendation and providing at least one service listed in Annex II is an important entity.
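The three CCB criteria above, combined with the enterprise-size ceilings of Commission Recommendation 2003/361/EC, can be turned into a first scoping check. The helper below is an added example, not code from the original article, from the CCB or from ANSSI. The sector names used for Annexes I and II are assumptions (national transpositions use their own wording), and the special cases of Article 3 of the Directive (for example trust service providers or DNS operators, which are essential regardless of size) are deliberately not encoded, so a "small" result here means "out of scope under the general rule", not "definitely out of scope".

```python
"""Scoping helper: which NIS 2 category does an organisation fall into?

Added example. Encodes the general rule (size class x annex) only; national
exceptions and the Article 3 size-independent cases are NOT modelled.
"""
from dataclasses import dataclass

# Sector labels are assumptions; Annex I = "high criticality", Annex II = "other critical".
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructure", "health",
    "drinking water", "waste water", "digital infrastructure",
    "ict service management", "public administration", "space",
}
ANNEX_II = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}


@dataclass(frozen=True)
class Enterprise:
    name: str
    sector: str
    staff: int             # annual work units (headcount)
    turnover_m_eur: float  # annual turnover, million EUR
    balance_m_eur: float   # annual balance-sheet total, million EUR


def size_class(e: Enterprise) -> str:
    """Size class per Recommendation 2003/361/EC.

    A class holds only while the staff ceiling AND at least one of the two
    financial ceilings hold; exceeding the headcount alone moves the firm up.
    """
    if e.staff < 10 and (e.turnover_m_eur <= 2 or e.balance_m_eur <= 2):
        return "micro"
    if e.staff < 50 and (e.turnover_m_eur <= 10 or e.balance_m_eur <= 10):
        return "small"
    if e.staff < 250 and (e.turnover_m_eur <= 50 or e.balance_m_eur <= 43):
        return "medium"
    return "large"


def nis2_category(e: Enterprise) -> str:
    """Return 'essential', 'important' or 'out of scope' under the general rule."""
    size = size_class(e)
    sector = e.sector.lower()
    if size in ("micro", "small"):
        # Below the medium-sized threshold: outside Article 2(1) unless an
        # Article 3 / national exception applies (not modelled here).
        return "out of scope"
    if sector in ANNEX_I:
        return "essential" if size == "large" else "important"
    if sector in ANNEX_II:
        return "important"  # medium or large enterprise in an Annex II sector
    return "out of scope"   # sector not listed in either annex


if __name__ == "__main__":
    # Constructed sample portfolio, not real companies.
    for firm in (
        Enterprise("GridCo", "energy", 300, 60, 50),
        Enterprise("RegionalClinic", "health", 100, 20, 15),
        Enterprise("FoodPlant", "food", 300, 100, 80),
        Enterprise("LocalUtility", "energy", 30, 5, 4),
    ):
        print(f"{firm.name:15} {size_class(firm):7} -> {nis2_category(firm)}")
```

The size function is where scoping mistakes usually happen: the Recommendation's financial test is "turnover or balance sheet", so a 40-person firm with 30 million euros turnover but a 5 million euro balance sheet is still small, while a 260-person firm with tiny revenue is large on headcount alone. Run the check against the actual Annex wording of your national law before relying on the result.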

In Hungary, critical organizations had until June 30, 2024, to declare themselves. All companies exceeding the Hungarian definition of a small enterprise are concerned (those employing at least 50 people or whose annual turnover exceeds 3.9 billion HUF, roughly 10 million euros).

The country therefore does not distinguish between EEs and IEs. However, companies must classify their information systems according to the security levels “basic,” “significant,” or “high” to adapt the cybersecurity measures to be implemented. (Source: Open Kritis).

Step 2: Assessment of Risks and Existing Systems

Vulnerability Analysis

A prerequisite for complying with the NIS 2 Directive is to analyze the vulnerabilities of current networks and systems. Entities must conduct a thorough assessment of the flaws that could compromise the security of critical information. This includes identifying entry points that could be exploited by attackers, notably through auditing of the supply chain: suppliers, subcontractors, and the software and services they deliver.

Indeed, software vulnerabilities are a boon for many cyber attackers, and the resurgence of supply chain attacks illustrates this. These attacks exploit weaknesses in the systems, processes, or tools that link a supplier or subcontractor to a target organization. Attackers typically compromise the least secure link in the chain, often a supplier with weaker controls, and use its trusted relationship to reach better-defended organizations downstream, which makes this class of attack both sophisticated and particularly damaging.

A striking example: the SolarWinds attack, discovered in December 2020, in which a backdoor was inserted into signed updates of the Orion network management software. Approximately 18,000 customers downloaded the trojanized update, and a subset of them, including U.S. government agencies and sensitive companies, were then targeted for further intrusion.

This underscores the importance of favoring software designed according to a “Secure by Design” approach, which allows for studying potential vulnerabilities of a product or service from the design phase to reduce risks.

Mapping of Assets and Critical Infrastructures

Next, it is crucial to map assets and critical infrastructures. This mapping gives a clear view of the resources to protect and of their level of risk, and it is the basis of the asset management measures the Directive expects from essential and important entities, who must know their infrastructure precisely in order to secure it. For companies in the telecommunications sector, for example, mapping data centers and networks makes it possible to identify and monitor the most sensitive elements.

In the financial sector, cyber risk is a major danger according to the European Central Bank (ECB). The very structure of the sector, characterized by the concentration and interconnection of institutions around key services (payments, settlements, central deposits), increases risks. Dependence on a limited number of critical IT providers also adds to the vulnerability of the banking system, as does the possibility of contagion of a problem from one institution to another.

Step 3: Implementation of Technical and Organizational Security Measures

Strengthening Security Policies

Strengthening security policies is a key obligation of the NIS 2 Directive. Companies must implement strict policies, notably concerning data access and incident management. This typically means access control based on the principle of least privilege, so that each employee, service account, and supplier has access only to the information and systems needed for their work, combined with periodic reviews that remove access that is no longer justified.

Deployment of Multi-Factor Authentication Solutions

The Directive lists the use of multi-factor or continuous authentication solutions, where appropriate, among the required measures for strengthening the security of information systems. Requiring a second factor means that a stolen or guessed password alone is no longer enough to reach sensitive systems. By combining several authentication methods, such as a password, a one-time code, and a hardware security token, companies can significantly reduce the risk of intrusion. Not all factors are equal, however: codes sent by SMS or e-mail are easier to intercept or phish than codes generated on a device, and hardware-bound methods (FIDO2/WebAuthn keys) are the strongest option for administrative and remote access.

Step 4: Preparation for Incident Reporting

Notification Deadlines and Steps

Incident reporting is another important requirement of the NIS 2 Directive. In the event of a significant cybersecurity incident, entities are required to inform the competent national authority (or the national CSIRT) without undue delay. Article 23 of the Directive sets a three-stage scheme, and the practical details of the process, the channels, and the forms vary from one country to another.

In France, ANSSI specifies that the first notification must be sent within 24 hours.

In Belgium, the process follows the three steps of the Directive; following a significant incident, the organization must:

– Send an initial early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be malicious or to have cross-border impact;

– Send an incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise;

– And finally, a final report no later than one month after the incident notification, covering the root cause, the mitigation applied, and any cross-border impact.

Respecting these deadlines is essential to ensure a coordinated response to incidents and prevent future cyberattacks.

In Croatia, however, where the transposition of NIS 2 into national legislation has already taken place, no obligation for incident notification within 24 or 72 hours is specified.

Training Teams on Alert Protocols

To ensure effective incident notification, it is essential to train teams on alert protocols. Employees need to recognize an incident and master the steps to react quickly: escalate internally so that the incident response team can contain the problem and send the notification to the competent authority within the deadline. Good preparation reduces reaction time and limits the impact of incidents, particularly on business continuity. Crisis simulations help ensure that each employee knows their role in case of a cyberattack.

Step 5: Awareness and Training of Personnel

The Importance of Cybersecurity Culture

Strengthening the cybersecurity culture within the entity is a central element today to face cyber threats, beyond compliance with the NIS 2 Directive. This means that every employee, regardless of their position in the organization and their job, understands the importance of IT security and knows how to act at their level to protect data. This reduces risks related to human errors, often the origin of cyber incidents.

Article 20 of the new European Directive requires members of management bodies to follow cybersecurity training themselves and to encourage regular training for employees, while Article 21 lists basic cyber hygiene practices and cybersecurity training among the mandatory risk management measures. Training should cover best practices such as access and password management, phishing recognition, and incident response. Regular sessions maintain a high level of vigilance among staff. Executives are subject to a more specific training obligation, so they can properly oversee the cybersecurity decisions made in the organization.

Step 6: Accountability of Top Management

The Role of Leaders in NIS 2 Compliance

Top management plays a crucial role in compliance with the NIS 2 Directive. Leaders are tasked with approving cybersecurity policies, supervising their implementation, and ensuring that sufficient resources are allocated to secure information systems. The NIS 2 Directive further holds leaders accountable by making them directly responsible for security and cyber-resilience shortcomings.

High Sanctions in Case of Non-Compliance

In case of non-compliance with NIS 2 requirements, whether technical, organizational, or related to training, sanctions can be severe. Essential entities may be fined up to 10 million euros or 2% of worldwide annual turnover, whichever is higher. For important entities, fines can reach up to 7 million euros or 1.4% of worldwide annual turnover, whichever is higher. In addition to financial penalties, administrative sanctions may be imposed, such as binding instructions, the temporary suspension of a certification or authorization covering the services concerned, or a temporary ban on individuals exercising managerial functions. This financial and administrative accountability is intended to ensure that cybersecurity is a strategic priority for European organizations.

Step 7: Collaboration with Authorities and the Sector

Cooperation with National Authorities

Cooperation with national cybersecurity authorities, such as ANSSI in France, is essential to ensure effective compliance. These organizations have been designated in each country to ensure the implementation and monitoring of NIS 2, supporting the entities concerned. They serve as reference points regarding all the rules to be applied and can issue recommendations.

Participation in Peer Evaluations

The initial aim of the NIS 2 Directive is to harmonize the overall level of cybersecurity within the European Union and to strengthen European cooperation on the subject. To this end, the Directive provides for peer reviews between Member States, which assess each other's cybersecurity policies and the supervision of essential and important entities. Member States will have to submit to these regularly. As specified on the CCB's website, "The European Union Agency for Cybersecurity (ENISA) will publish a 'Cybersecurity State of the Union' every two years; and a European database on vulnerabilities will be established."

Companies are not reviewed directly in this process, but they benefit from it indirectly: the reviews feed back into national guidance and supervision, and the European vulnerability database gives entities a shared source for tracking the flaws affecting their systems and suppliers.

Step 8: Audits and Continuous Monitoring

Internal and External Audits

To ensure continuous compliance with the NIS 2 Directive, companies must conduct regular internal and external audits. These audits verify that technical and organizational security measures are properly implemented and meet regulatory requirements. An external audit provides an objective view of the weaknesses to be corrected. Competent national authorities also have the power to carry out regular audits, conduct on-site inspections, request evidence of the measures implemented, or order the production of certain documents by the organization.

Why Act for NIS 2 Compliance?

Compliance with the NIS 2 Directive, besides being a regulatory obligation, offers many advantages. It allows the company to improve its resilience to cyberattacks, enabling a quicker response to incidents and minimizing impacts on its operations.

The Upcoming Deadlines

Here are the main European deadlines for the implementation of the NIS 2 Directive:

– October 17, 2024:

• Deadline for transposing NIS 2 into the national legislation of Member States. To date, only three European countries have completed the exercise.

– January 17, 2025:

• Declaration of concerned entities to the competent national authorities.
• Notification of the rules and measures adopted by Member States to the European Commission.

– April 17, 2025:

• Submission of the list of EEs and IEs from each Member State to the European Commission.

FAQ on NIS 2 Compliance

What are the steps for achieving compliance with the NIS 2 Directive?

The key steps for compliance with the NIS 2 Directive include risk assessment, implementation of technical and organizational security measures, preparation for incident notification, awareness and training of personnel, accountability of top management, collaboration with authorities, and conducting regular audits. Each step of the compliance plan is essential to raise the level of network security and ensure the protection of critical infrastructures.

How to Prepare for NIS 2?

To prepare for the NIS 2 Directive, companies must follow several steps: assess risks, implement security measures, and train personnel. It is important to know if you are affected by the directive based on your sector of activity. Preparation for compliance also includes raising awareness among top management and cooperation with national authorities.

Who is Affected by NIS 2 Compliance?

The NIS 2 Directive applies to essential and important entities, covering various sectors such as energy, transport, health, digital infrastructures, and financial services. Organizations, whether public or private, are required to comply with these new cybersecurity obligations, depending on their size and sector of activity. To check if your organization is concerned, consult Annexes I and II of the NIS 2 Directive.

What are the Stakes of Compliance with NIS 2?

The stakes of the NIS 2 Directive are mainly related to the security of networks and information systems, cybersecurity, and the protection of critical infrastructures. Strengthening security measures is mandatory to face increasing cyber risks. The directive aims to harmonize the level of cybersecurity within the European Union and improve the resilience of essential services against cyber threats.

What are the Sanctions Related to NIS 2 Non-Compliance?

The sanctions provided by the NIS 2 Directive are strict for entities that do not meet their obligations. The sanction regime includes fines of up to 10 million euros or 2% of the company’s worldwide annual turnover for essential entities. In addition to fines, administrative sanctions may be applied, such as warnings or binding instructions to remedy shortcomings. It is therefore crucial to comply with the directive’s obligations to avoid unnecessary sanctions.

How to Raise the Level of Cybersecurity?

To raise the level of cybersecurity, robust security measures must be applied, such as multi-factor authentication, incident management, and securing the supply chain. The NIS 2 Directive also requires measures for business continuity (backups, disaster recovery, crisis management) and continuous staff training. Good risk management is essential to strengthen the organization's overall cybersecurity.

What is the Impact of NIS 2 on Companies?

The impact of the NIS 2 Directive is significant, especially for organizations operating in critical sectors. It is also significant for the smaller, medium-sized organizations newly brought into scope, which must mobilize additional resources. Indeed, compliance involves investments in time, resources, and training to improve the security of information systems and protect critical infrastructures against cyber threats.