As the October 2024 deadline for EU member states to enact the NIS 2 Directive approaches, organizations doing business in Europe need to prepare for the major changes it will bring to cybersecurity compliance.
The purpose of this article is to explain the NIS 2 Directive, why it is necessary, the key updates from the original NIS Directive, and how businesses can prepare for compliance. To learn more about the Directive, download the Sophos NIS 2 Directive whitepaper.
What is the NIS 2 Directive?
The NIS 2 Directive is an evolution of the original Network and Information Systems (NIS) Directive, which was implemented to strengthen the cybersecurity posture of EU member states. The first NIS Directive, enacted in 2016, established guidelines to improve cybersecurity resilience across the EU. However, the increased sophistication and frequency of cyber attacks, particularly during and after the COVID-19 pandemic, have revealed the need for more stringent and comprehensive regulation.
Cyber threats have grown to industrial scale, with ransomware attacks being particularly prevalent. In June 2024, a Kremlin-linked hacking group called Qilin attacked Synnovis, a pathology laboratory used by the UK’s National Health Service. The hackers demanded a £40 million ransom, but when the NHS refused to pay, the hackers published the stolen data on the dark web.
Additionally, geopolitical tensions such as Russia’s invasion of Ukraine have highlighted the need for strong cybersecurity measures. The NIS 2 Directive aims to address these challenges by strengthening the security and resilience of important and vital organizations across the EU.
Impact on non-EU businesses (including the UK)
The NIS 2 Directive primarily targets EU member states, but it also affects non-EU companies operating within the EU or providing services to EU organizations. While many national regulations are currently less extensive than the NIS 2 Directive, it would be wise to expect further changes to local laws as the EU legislative agenda develops.
By proactively addressing the challenges outlined below, non-EU companies can better protect themselves and their customers from evolving cyber threats while avoiding harsh penalties for non-compliance.
Major changes from NIS to NIS 2
The NIS 2 Directive introduces several significant updates and enhancements over the original NIS Directive.
Expanded coverage
- Essential and critical entities: NIS 2 categorizes entities into “essential” and “critical” based on sector and criticality. This expansion includes more sectors, such as wastewater, healthcare supply chain, postal and courier services, aerospace, public administration, and digital infrastructure.
- Supply chain and service providers: Organizations involved in the supply chain and those providing critical support services are now explicitly covered, highlighting the importance of protecting interconnected networks.
Enhanced cybersecurity standards
- Mandatory measures: Article 21 of the Directive outlines mandatory cybersecurity measures, including basic cyber hygiene, vulnerability management, supply chain security, encryption, asset management, access control, and zero trust security.
- Incident handling and reporting: The Directive mandates stricter incident reporting requirements, ensuring a timely and consistent response to cyber threats across the EU.
Enhanced accountability and penalties
- Senior management responsibility: Senior management can be held personally liable for non-compliance, highlighting the importance of management involvement in cybersecurity governance.
- Fines and sanctions: Organizations can face hefty fines of up to €10 million or 2% of global turnover if they fail to comply with the Directive.
The NIS 2 Directive covers 18 sectors:
The following table shows how the sectors covered by the NIS 2 Directive have increased compared to the first NIS Directive.
Cybersecurity Compliance Implications
The NIS 2 Directive will have a significant impact on how organizations approach cybersecurity compliance. Companies will have to take a proactive stance by integrating comprehensive risk management processes and adhering to the strict standards set out in the Directive. The emphasis on mandatory measures and the possibility of severe penalties will require a thorough review and strengthening of existing cybersecurity practices.
Organizations will need to allocate sufficient resources to meet these requirements. According to John Noble, former director of the National Cyber Security Centre, who spoke at Sophos Spotlight: Understanding the NIS2 Directive and Cybersecurity Compliance, estimates suggest that companies subject to the original NIS Directive will need to increase their cybersecurity budgets by up to 12%, while newly targeted companies may need to increase their budgets by up to 22%.
Preparing for NIS 2 compliance
To ensure compliance with the NIS 2 Directive, organizations should take the following steps:
1. Assess applicability: Determine whether your organization falls under the essential or critical entity category. This includes assessing the sector, the criticality of your services, and the scope of your operations within the EU.
2. Understand jurisdiction: Identify which EU member states have jurisdiction over your operations for the purposes of NIS 2. This is important for understanding your specific country requirements and reporting obligations.
3. Implement cybersecurity risk management: Conduct a comprehensive risk analysis to identify potential cybersecurity threats and vulnerabilities. Implement the mandatory measures outlined in Article 21 and map them to appropriate security frameworks such as ISO 27001 or the NIST Cybersecurity Framework.
4. Strengthen supply chain security: Focus on mitigating risks within your supply chain, especially with regard to software and service providers. This includes ensuring that third-party vendors comply with NIS 2 standards.
5. Develop incident response plans: Formalize an incident response plan that includes clear protocols for reporting cyber incidents to the relevant national authorities. Ensure that significant incidents are reported within the 24-hour period specified in the Directive.
6. Senior management involvement: Obtain formal senior management approval for your compliance strategy. Senior management involvement is essential to demonstrate a commitment to cybersecurity and to ensure the necessary resources are allocated.
The NIS 2 Directive marks a major step forward in strengthening the cybersecurity resilience of organizations across Europe. By understanding the important updates and taking proactive steps to ensure compliance, businesses can better protect themselves against the growing threat of cyber attacks.
As the October deadline approaches, it is imperative that senior executives and IT security professionals make NIS 2 compliance a priority, leveraging resources such as Sophos’ white paper to help guide their efforts.