NIS 2 Compliance Deadline Approaches: What You Need To Know

On Oct. 17, the Network and Information Security 2 Directive takes effect. This means that relevant entities in industries such as energy, transport, water, healthcare, and digital infrastructure that carry out activities within the E.U. must comply with the relevant legislation.

NIS 2, which was approved by the European Parliament in November 2022, aims to establish a consistent, minimum cybersecurity baseline across all E.U. member states, involving mandatory security measures and reporting procedures.

Organisations subject to the NIS 2 Directive must adopt “measures to manage the risks posed to the security of network and information systems” they use to provide their services, and must “prevent or minimise the impact of incidents on recipients of their services and on other services.”

However, according to a survey by data protection software provider Veeam, 66% of businesses operating within the E.U. will miss the compliance deadline. Indeed, 90% have faced security incidents in the last year that compliance with the directive would have prevented.

In light of this, TechRepublic has created the following guide breaking down what liable entities need to know about complying with NIS 2.

What is the NIS 2 Directive?

The NIS 2 Directive is a legislative act that applies to medium to large-sized entities that provide services or infrastructure deemed “critical for the economy and society” within the E.U. It is designed to achieve a high common level of cyber security across the bloc.

NIS 2 builds on NIS 1, which was adopted in the E.U. in 2016. NIS 1 applies to “operators of essential services,” which have been identified by each member state, as well as all major “digital service providers,” such as online marketplaces, search engines, and cloud service providers. Member states also set their own non-compliance penalties.

NIS 1 asks that eligible organisations:

1. Secure their network and information systems with measures appropriate to their risk levels.
2. Ensure service continuity by taking measures to prevent and minimise the impact of security incidents.
3. Notify the regulator of any “significant” or “substantial” incident within 72 hours of becoming aware of it.

Operators of essential services’ compliance with NIS 1 are monitored by audits conducted by authorities, while digital service providers are not audited but could be investigated following an incident that suggests non-compliance.

How is NIS 2 different from NIS 1?

Building on the original directive, NIS 2 expands its scope across critical sectors including energy, healthcare, transport, and digital infrastructure and introduces stricter cybersecurity requirements. It also covers organisations with at least 50 employees, meaning that many who were exempt from NIS 1 must now comply with NIS 2.

Furthermore, the provisions of NIS 2 differ from NIS 1 in several ways:

• Supply chain risks must be covered in risk assessments, as attacks that exploit them are rising.
• Root-cause analysis is now necessary after incidents, rather than just reactive measures.
• Business continuity and disaster recovery plans that minimise disruptions are a primary focus.
• Security audits, including pen-testing and vulnerability assessments, must be conducted regularly to ensure systems meet the updated security standards.
• Regulators have stronger enforcement powers, such as random audits and on-site inspections.

So-called “management bodies” in “essential” and “important” entities must approve and oversee the cybersecurity risk-management measures their companies have implemented, and they can now be held personally liable for infringements. According to Article 20, they must also receive regular cybersecurity training.

NIS 2 also has updated incident reporting rules. The computer security incident response team or other industry-specific regulators must be notified of any incident that has, or could have, a “significant impact” on a business’s services — such as causing severe operational disruption, financial loss, or considerable damage to other natural or legal persons. This encompasses more incident types than NIS 1 did.

Incidents must first be reported through an initial alert to regulators within 24 hours, followed by a detailed report within 72 hours, and then both intermediate and final reports within a month. Service recipients will also need to be notified of any impact to their services, and the entity should assist with mitigating it.

What are the minimum requirements for risk management measures in NIS 2?

The precise NIS 2 regulations that a company must comply with depend on factors such as their size, risk exposure, severity of potential incidents, and the cost of implementing security technologies.

However, the following 10 risk-management measures are recommended in the legislation as a minimum:

1. Policies on risk analysis and information system security.
2. Incident response plans.
3. Business continuity, such as backup management and disaster recovery.
4. Supply chain security.
5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling.
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
7. Basic cyber hygiene practices and security training.
8. Policies regarding the use of cryptography and encryption.
9. Human resources security, access control policies, and asset management.
10. Multi-factor authentication or continuous authentication solutions.

Who must comply with NIS 2?

NIS 2 applies to organisations classified as either “essential” or “important” entities that operate within the E.U. — they do not have to be headquartered in the block. Essential entities face stricter requirements than important entities.

Essential entities are large organisations that fall into one of the following industries:

• Energy.
• Transport.
• Banking.
• Financial market infrastructure.
• Healthcare.
• Drinking and waste water.
• Digital infrastructure.
• Managers of IT services.
• Aerospace.
• Government services.

Digital infrastructure encompasses some of the digital service providers that had lighter-touch regulations with NIS 1, like cloud service providers but also data centre service providers.

Important entities are medium organisations in the industries listed above, and medium or large organisations in one of the following industries:

• Digital providers.
• Postal and courier services.
• Waste management.
• Food.
• Chemicals.
• Research.
• Manufacturing.

Digital providers encompass online search engines, online marketplaces, and social networks, which may have been designated “digital service providers” under NIS 1 or “gatekeepers” under the Digital Markets Act.

Large organisations will have either a minimum of 250 employees or an annual turnover of at least €50 million and a balance sheet total of at least €43 million. Medium organisations have either at least 50 employees or an annual turnover and balance sheet total of €10 million or more.

Each E.U. member state has until April 17, 2025 to produce a list of the essential and important entities within their jurisdiction that must comply with NIS 2.

The compliance of essential entities will be scrutinised both before and after an incident, whereas important entities will only be reviewed after an incident occurs.

What are the noncompliance penalties for NIS 2?

After the compliance deadline passes, eligible organisations that do not abide by NIS 2 could be fined the following:

• Essential entities: up to €10 million or 2% of its annual global turnover, whichever is highest
• Important entities: up to €7 million or 1.4% of its annual global turnover, whichever is highest.

If a security incident resulting from non-compliance with NIS 2 leads to a personal data breach, the entity will not be fined under both the NIS 2 and GDPR regimes.

How can a business comply with NIS 2?

The first thing executives that operate in the E.U should do is determine if the business qualifies as either essential or important under NIS2 2, as not all member states have published a list of applicable entities within their jurisdiction yet. Essential and important entities will be required to register with the E.U. Agency for Cybersecurity.

Regardless of whether the company is subject to the directive, conducting a risk assessment is a crucial step. NIS 2 mandates that businesses adopt a risk-based approach to managing cybersecurity defences. Yet, given the growing prevalence of cyber attacks, such assessments are an important consideration for even non-applicable entities.

SEE: Security Risk Assessment Checklist

As well as internal vulnerabilities, companies should include those within their supply chains as part of the risk assessment. Third parties are popular targets because many companies rely on the services, providing threat actors with multiple entry points in just a single attack. Article 21 requires that companies oversee the quality of the products and cybersecurity practices of their suppliers and service providers.

Entities that must comply with NIS 2 must develop and enforce comprehensive cybersecurity policies. These should cover measures for incident detection, response, and recovery, as well as regular security audits to ensure compliance with Article 21. There are a number of specific measures mentioned in the directive that can be applied, like multi-factor authentication, cybersecurity training, and access controls for confidential data.

Procedures to meet the strict 24-hour reporting requirements for significant incidents must be implemented, and management bodies tasked with overseeing compliance should be appointed. NIS 2 places specific legal liability on executives for non-compliance.

Member states can also introduce their own cybersecurity and reporting requirements beyond NIS 2, so it is important to research these carefully. So far, these have been published by Belgium, Croatia, Greece, Hungary, Latvia, and Lithuania.

Companies can enlist external cybersecurity firms or use specialised compliance tools to navigate the complexities of NIS 2, such as PwC, WithSecure, Advisera, Wavestone, and Bureau Veritas.

What do policy experts think of NIS 2?

While NIS 2 intends to improve the cyber security of E.U. businesses, enabling them to prevent and mitigate the impacts of cyber attacks, not all policy experts believe it is being rolled out correctly.

Companies have not been given enough time to comply

Chris Gow, the head of E.U. Public Policy at Cisco, thinks businesses have not had enough time to comply with NIS 2 since it was first announced in 2020. “To be effective and realistic, the incident reporting and security measures for NIS 2 should be practical and achievable,” he told TechRepublic in an email.

“Covered entities should be given until 18 April 2027 to implement the Cybersecurity Measures. During that time, regulators would not enforce these measures but could engage with organisations to understand their roadmap for meeting the controls.”

Indeed, Tim Wright, partner and technology lawyer at law firm Fladgate, said that, despite the impending deadline, the implementation status of different member states throughout the bloc varies.

The Veeam study highlighted a number of reasons why businesses may not be fully compliant with NIS 2 at this stage. Nearly a quarter of IT managers are hampered by technical debt, 23% cite a lack of leadership understanding, and 21% said an insufficient budget was holding them back. In fact, 40% reported decreased IT budgets since NIS2 was proclaimed effective in January 2023.

Respondents also rank NIS 2 compliance as lower in urgency than ten other issues, including the skills gap, profitability, and digital transformation

Wright told TechRepublic in an email: “At one end of the scale, countries such as Belgium, Croatia, Hungary and Latvia have already adopted NIS2-compliant legislation, whilst at the other end, countries such as Bulgaria, Estonia, and Portugal appear to have made little to no progress in the transposition process.”

He added that the Directive will only be effective if it is delivered consistently across all member states. Wright said: “NIS2 should make the EU a harder target, but determined adversaries will keep probing for weaknesses. The directive’s success depends on how well it is implemented and whether it can foster a true culture of cybersecurity, not just compliance.”

Low thresholds for incident alerts may lead to over-reporting

Gow also highlighted that the thresholds for reporting cyber incidents are two low, for example, citing the example of requiring disclosure for cloud service disruptions lasting just over 10 minutes. “If thresholds are not set correctly, companies may over-report minor incidents, diverting often scarce resources from actual incident response and overwhelming regulators with non-critical reports,” he said.

NIS 2 does not align with other international security standards

The E.U. policy expert added that NIS 2 does not align well with other international security standards, making compliance especially challenging for multinationals. Gow said: “For a large company like Cisco, adapting to multiple standards is complex and resource-intensive; but for smaller entities, it could be prohibitively burdensome, potentially stifling innovation and competitiveness.

“Divergent standards or national schemes limit their ability to do business cross-border in the EU, creating barriers that can hinder their growth.”