The European Commission has introduced a revised Network and Information Security Directive (NIS2) which will go into effect on October 17, 2024. It builds on the original cybersecurity regulatory framework of NIS1 and affects both public- and private-sector companies in critical infrastructure and/or services (KRITIS).
In this article, Nitro experts provide a comprehensive overview of NIS2 and helpful information on compliance requirements for this pending regulation. This article is not intended to constitute legal advice.
What is NIS2?
To get a strong understanding of NIS2, it’s important to grasp the stipulations of NIS1. NIS1 — also known as the NIS Directive — was “the first horizontal internal market instrument aimed at improving the resilience of network and information systems in the [European] Union against cybersecurity risks,” according to the European Commission. As digitalization increased, the Commission identified certain shortcomings of NIS1 and subsequently developed NIS2.
NIS2 applies to KRITIS companies that have over 50 employees or an annual turnover of €10 million. Because NIS2 expands the scope of entities included in the regulation, other organizations may be subject to the new rules even if they don’t bear those size or revenue qualifications. The entities within a covered organization’s supply chain may also fall under the scope of NIS2. Additionally, EU member states may issue their own extensions of the ruling.
With the introduction of NIS2, organizations are required to implement a range of security measures and reporting procedures — including risk management, supply chain security, and appropriate incident response. Its objectives are to enhance the resilience and incident response capabilities of public and private sectors, competent authorities, and the EU.
Who is impacted by NIS2?
NIS2 will impact an estimated 100,000 organizations throughout the EU in addition to ones that already fall under NIS1. The scope of sectors has gone from seven to 18, and includes:
- Transportation
- Banking
- Financial markets
- Drinking water
- Digital infrastructure
- Energy
- Health
- Postal and courier services
- Critical products manufacturing
- Waste water and waste management
- Public administration
- Space
- Research
- Digital services
- Food production, processing, and distribution
- Telecom
- Chemical manufacturing, production, and distribution
- Digital service providers
What does NIS2 require?
Below are the new requirements and obligations for organizations that fall within the scope of NIS2.
Stronger Risk Management
The directive presents a minimum list of security measures entities must take to minimize cyber risk, including but not limited to incident management, supply chain security, encryption, business continuity, and risk analysis policies. NIS2 specifically requires organizations to have plans that go into effect during and after an incident, such as backup measures, ensuring access to their IT systems, recovering data and systems, the procedure for a crisis response team, and more.
Stricter Reporting Processes
NIS2 intensifies the reporting obligations of entities if they experience a security incident. Organizations may have several bodies to which they need to report an incident, including their customers. Some incidents may fall into a category of breaches that require adherence to 24-hour notification deadlines.
Supply Chain Security
The directive requires organizations to ensure their suppliers and partners throughout their supply chains conduct risk management and adhere to certain policies as well. This change is what may affect many entities that are not directly within the scope of NIS2 but do business as members of the supply chain of such companies.
Management Accountability
NIS2 aims to hold company leadership responsible for their roles in cybersecurity and establishes penalties for failure to comply. Management must be trained on security measures and may be held liable — or even removed from management positions — should breaches occur.
What to do if you’re affected by NIS2
The first step for any organization that suspects it may fall into NIS2’s scope is to determine whether it is in fact impacted.
NIS2 changes the way organizations are classified into “essential” and “important” entities. Each category falls under different supervision and enforcement.
| Essential Entities (EE) | Important Entities (IE) |
| --- | --- |
| 250+ employees or €50M+ annual turnover | 50+ employees or €10M+ annual turnover |
| Energy, Transportation, Water and Wastewater, Financial Markets, Banking, Public Administration, ICT Services, Digital Infrastructure, Health, Space | Postal, Waste, Pharmaceutical, Chemicals, Manufacturing, Food Production, Digital Providers, Research |
You will then need to evaluate your existing security measures and policies to get a baseline understanding of how you may comply with NIS2. Research firm PwC recommends using a cybersecurity controls framework that maps “specific controls in operation within your business to each NIS2 clause to help inform you of areas where the organization cannot meet its NIS2 obligations at present.”
As part of your evaluation, you’ll want to consider if your EU member state plans to implement its own compliance requirements. For example, Germany plans to implement NIS2UmsuCG on October 1, 2024.
You should then test your tools and processes such as incident response, crisis management, business continuity and failover, and emergency procedures. Ultimately, it’s ideal to test any process that relates to your ability to comply with NIS2.
It’s also important to examine your organizational culture and approach to cybersecurity to ensure team members are aligned on compliance and management is doing its due diligence.
The consequences of NIS2 non-compliance
If they breach certain requirements, essential entities may be fined a maximum of at least €10,000,000 or a maximum of at least 2% of the total worldwide annual turnover in the previous financial year. Important entities may be fined a maximum of at least €7,000,000 or a maximum of at least 1.4% of the total worldwide annual turnover in the previous financial year.
How to stay NIS2-compliant with Nitro
Nitro is a PDF and eSign solution provider with a global footprint — specializing in supporting document security and compliance for EU-based organizations. We offer advanced document solutions that ensure the security and integrity of digital documents for both your organization and partners throughout your supply chain.
With Nitro, companies can implement stringent access controls, encryption, data redaction, and digital signatures — all of which are essential for maintaining compliance with NIS2's enhanced risk management and incident reporting obligations. These features help prevent unauthorized access and ensure the protection of sensitive information. Learn more about how Nitro supports NIS2 compliance in this blog.
Get in touch with one of our PDF and eSign experts to discover how we can help you or explore a free trial of Nitro.