The NIS2 Directive is a new EU law that adds cybersecurity responsibilities for companies operating in EU countries. Under this directive, businesses will need to keep their IT systems running reliably, report security incidents, and give their staff cybersecurity training.
As the penalties for failing to comply with these obligations can be significant, it is worth taking a closer look at this topic and adequately preparing your organisation for the upcoming changes. Who is affected by NIS2? When does it take effect, and how can you prepare for its implementation? You will find answers to these and other questions in the article below.
What is NIS2?
The new directive dubbed NIS2 (where “NIS” stands for Network and Information Security) is actually an amendment to the current law concerning the protection of digitally processed data. It replaces the previous directive from 2016, expanding its scope and introducing more stringent requirements.
The EU aims to strengthen its cyber resilience by implementing a uniform standard of security for networks and information systems in the member states. The new law aims to increase the resilience of organisations to cyberattacks, and thus reduce the risk of disruptions to the functioning of key services and infrastructure in EU countries.
The directive sets out cybersecurity objectives and the obligations imposed on organisations subject to NIS2 in this context. However, it does not contain detailed guidelines on the methods and solutions by which companies should ensure the security of processed data, giving them some freedom of action in this regard. It is worth remembering, however, that the measures taken by individual entities must be proportionate to the identified threats.
NIS2 – key changes at a glance
The most important general changes introduced by NIS2 include:
- Wider scope – The new law covers a much larger number of organisations than before. Previously, 11 sectors were subject to the directive; NIS2 increases this number to 18 and lowers the qualification thresholds for companies operating within them.
- Supply chain security – Businesses are tasked with ensuring cybersecurity throughout their entire supply chain, and cyber risk management becomes mandatory for them.
- Employee training – Company employees should be trained on the threats that await them in the digital world.
- Management accountability – Boards of directors and senior managers will now be held personally liable for damages caused by failure to comply with cybersecurity management requirements.
- Incident reporting – Companies are required to report security breach incidents to the relevant national authorities.
- National CSIRTs – Member states are required to designate a national Computer Security Incident Response Team (CSIRT). These national units will work together closely across the EU.
What’s the goal of the new laws?
The legislative changes introduced by NIS2 are a response to the expanded range of digital threats that have emerged in Europe in recent years. Cyberattacks are becoming more frequent and sophisticated. NIS2 aims to better prepare organisations and society to cope with the growing cyber threats, while ensuring the continuity of infrastructure and services that are crucial for the proper functioning of the state.
Making the rules consistent across the EU is also intended to facilitate cooperation between member states and increase the effectiveness of data protection efforts. This will enable a faster and more effective response to incidents, exchange of threat information, and coordination of actions at the European level.
The NIS2 directive – who is affected?
All organisations (both private and public) operating within the European Union and providing essential services to the market are required to comply with the new directive.
The NIS2 Directive introduces a distinction between two categories of entities – essential and important. These are large and medium-sized organisations operating in sectors of fundamental importance to the functioning of society and the economy (listed below). The size of the enterprise determines which category it falls into.
The directive will apply to most companies in the listed sectors that meet or exceed the following size thresholds:
- employ between 50 and 250 people,
- have annual turnover between 10 and 50 million euros and a total annual balance sheet between 10 and 43 million euros.
Note that there are exceptions, though. A company may be subject to the NIS2 directive regardless of its size if it plays an important role in one of the key sectors for the functioning of the state.
NIS2 essential entities
This group includes entities operating in sectors of critical importance for the proper functioning of the country, namely:
- Energy: Generation, transmission, and distribution of electricity, natural gas, oil, heat, and hydrogen.
- Transport: Air, rail, water, and road transport, as well as operators of transport infrastructure.
- Banking: Credit and investment institutions.
- Financial market infrastructures: Securities exchanges, central securities depositories, clearing houses, payment and settlement systems.
- Health: Hospitals, providers of medical services, manufacturers and distributors of medical devices, laboratories.
- Drinking water: Supply of drinking water.
- Digital infrastructure: Providers of digital services (e.g., cloud services, internet search engines, e-commerce platforms), providers of public electronic communications networks, domain name system (DNS) service providers and domain name registries, trust service providers (e.g., electronic signature, electronic seal).
- Public administration: Central and regional administration.
- Space sector: Satellite system operators, launch service providers, manufacturers of space equipment.
- Production, processing, and distribution of food: Food producers, food processors, food distributors.
- Postal services: Postal operators providing universal services.
- Waste management: Entities involved in the collection, transport, recovery, and disposal of waste.
NIS2 important entities
These are sectors that also have significant importance for society and the economy, although the potential disruption of their operations would have less severe consequences than in the case of essential entities. This group encompasses:
- Postal and courier services: Providers of postal and courier services other than universal postal services.
- Manufacturing of certain critical products: Production of chemicals, medical devices, computer, electronic and optical equipment, machinery and equipment, motor vehicles, trailers and semi-trailers, other transport equipment.
- Digital services: Providers of digital services (e.g., social media platforms, video-sharing platforms, information exchange platforms), data centre management service providers, internet service providers, providers of public electronic communications networks, domain name system (DNS) service providers and domain name registries, trust service providers (e.g., electronic signature, electronic seal).
- Research and development: Entities conducting research and development in areas of key importance for national or economic security.
Is your company subject to NIS2?
The new law requires companies to self-identify: each business must assess for itself whether it falls within the scope of the NIS2 regulations.
NIS2 compliance – cybersecurity requirements
Entities subject to the new law will be required to implement a range of “technical, operational and organisational” measures related to cybersecurity and incident reporting.
Measures must be appropriate and proportionate
It’s crucial that these measures are “appropriate and proportionate,” meaning they will vary from business to business, and organisations must assess for themselves what level of protection is appropriate in the context of the cyber risk they face.
As stated in the directive itself: “When assessing the proportionality of these measures, due account shall be taken of the entity’s degree of exposure to risk, the size of the entity, and the likelihood and severity of incidents, including their social and economic impact.”
NIS2 – essential cybersecurity measures
The new regulations clearly define the scope of minimum actions that companies must take to ensure compliance with NIS2. These include:
- Developing a policy for risk analysis and information systems security.
- Incident handling.
- Ensuring business continuity, e.g., backup management and restoration of normal operations after an emergency, and crisis management.
- Ensuring supply chain security, including security aspects related to the relationships between each entity and its direct suppliers or service providers.
- Ensuring security in the process of acquiring, developing, and maintaining networks and information systems, including handling vulnerabilities and their disclosure.
- Developing policies and procedures for assessing the effectiveness of cybersecurity risk management measures.
- Maintaining basic cyber hygiene practices and conducting cybersecurity training.
- Developing a policy and procedure for the use of cryptography and, where appropriate, encryption.
- Ensuring the security of human resources, access control policies, and asset management.
- Where appropriate, using multi-factor or continuous authentication, secure voice, text, and video connections, and secure internal communication systems in emergency situations.
NIS2 – When does it take effect?
The directive will be transposed into the national law of member states by October 17, 2024. Companies must assess whether the new regulations apply to them and, if so, report this fact to the national register of entities subject to the directive. Companies providing digital services have until January 17, 2025, to do so, while others have until April 17, 2025.
Ignoring NIS2? The penalties can be severe
Depending on the company’s classification, failure to fulfil the obligations imposed by NIS2 can result in administrative fines of up to 10 million euros or 2% of the total annual turnover (for essential entities) and 7 million euros or 1.4% of the total annual turnover (for important entities).
Importantly, in addition to financial penalties, other sanctions may also be imposed on companies, such as:
- An order to take specific actions to remedy the infringement and ensure compliance with the directive.
- The issuance of binding instructions on how to implement specific security measures.
- Commissioning a security audit.
- Ordering the notification of customers about threats in the event of a personal data breach.
- Temporary suspension of the entity’s activities.
- Prohibition from participating in public tenders.
The penalties imposed will depend on the severity of the consequences of the infringement, and their amount is to be adjusted to the size and financial capabilities of the entity – so that the sanctions are effective but not ruinous.
NIS2 – Where to start and what to focus on
How to start preparing your organisation for NIS2 compliance?
The best place to begin is by determining your baseline. To do this, analyse the information systems your company uses, then determine their importance for business continuity and identify weaknesses and potential threats to which they are exposed.
Based on this, you’ll be able to determine whether it’s necessary to introduce additional protective measures and potentially modify the company’s existing security procedures.
The new law emphasises the importance of continuous monitoring for ensuring information system security. So it’s not enough to configure the systems once – it’s necessary to continuously analyse their operation, detect potential threats, and optimise settings, thereby increasing their effectiveness in maintaining security.
It’s also crucial to establish procedures for handling security incidents, which can threaten the continuity of your systems and of the entire organisation. Such events vary in significance and carry different levels of risk, and the actions taken should always be adequate to the threat that has arisen. NIS2 also obliges organisations to report incidents to the relevant national authorities, so it’s worth verifying each time whether an incident qualifies for such a report.
FOTC specialists will help you achieve NIS2 compliance
If your company is affected by NIS2, but the topic seems too complicated and you don’t know where to start implementing changes, contact our specialists. FOTC engineers will help you migrate your infrastructure to the Google Cloud, where system continuity is guaranteed and the stringent security standards fully meet the requirements imposed by NIS2.
Our services can help you achieve NIS2 compliance, and include:
- Company Migration to Google Workspace – This service meets all the security requirements needed in enterprises subject to special restrictions regarding the protection of processed information. Data is encrypted both at rest and in transit, and system continuity is ensured by an SLA of 99.9999%.
- Google Workspace Security Monitoring – This service keeps you informed about any serious threats that have occurred in your company’s Google Workspace instance. FOTC specialists monitor the security of the service 24/7, and properly configured alerts enable immediate preventive actions. Our engineers have also developed strict procedures for handling security incidents.
- Training for Users and Administrators – We share our extensive experience in securing clients’ cloud infrastructure by conducting training sessions for Google Workspace administrators and users.
- Google Workspace Security Audit – Conducted by FOTC engineers, this audit allows you to determine the baseline security settings of your Google Workspace instance in terms of its protection against data leaks, cyberattacks, and malicious employee actions. The verification includes a detailed analysis of up to 237 risk points within eleven key areas.