What is the NIS2 Directive and how to prepare for it?

The NIS2 introduces a significant change in the way organizations that must comply with their cybersecurity obligations are classified, which we discuss in detail in the following section.

Whereas the NIS Directive differentiated between operators of essential services and digital service providers, leaving it to each EU Member State to decide which entities fall into these categories, NIS2 seeks greater uniformity and clarity. Organizations are now divided into essential and important entities, using criteria such as the sector in which they operate, their size, and their annual turnover. This classification is clearer and more uniform at the European level, reducing inconsistencies in application by individual states.

This regulation significantly broadens its scope of action compared to the previous version, mainly by identifying new sectors considered as ‘high criticality’ or ‘critical’. These sectors are fundamental to day-to-day activities and their disruption could have a severe impact on economic and social life.

This extension has resulted in many more organizations being subject to compliance with these measures.

The main objective of this directive is to raise security standards across the EU and to achieve this, specific risk assessment criteria have been introduced, as well as increased requirements for security measures and risk management.

One of the key aspects is the focus on supply chain security, as any vulnerability in the supply chain can compromise the security of the entire ecosystem.

Incident management is also strengthened, requiring stricter incident reporting procedures and the need for rapid and accurate reporting.

This encourages the development of a robust incident reporting framework and promotes greater public-private collaboration, improving responsiveness and resilience to potential cyber threats.

NIS2 imposes more severe financial penalties as a deterrent for organizations that do not comply with risk management or reporting measures.

These can range from 1.4% to 2% of total annual global turnover depending on the size of the company.

This updated directive has considerably broadened the scope of application compared to the original 2016 version. In addition, the NIS2 introduces a new classification that divides the sectors of application into two categories:

1. High-criticality sectors:
   1. Energy
   2. Transport
   3. Banking
   4. Financial market infrastructure
   5. Health
   6. Water
   7. Digital infrastructure
   8. ICT service management
   9. Public administration entities
   10. Space
2. Other critical sectors:
   1. Postal and courier services
   2. Waste management
   3. Chemical manufacturing, production and distribution
   4. Food production, processing, and distribution
   5. Manufacturing
   6. Digital suppliers
   7. Research

In addition to the classification by sector, this directive also introduces an additional classification of specific entities:

• Essential:
  • Large entities in high criticality sectors (annual turnover over 50 million euros).
  • Certification authorities, top-level domain registrars, and DNS providers, regardless of the size of the company.
  • Medium to large telecommunications providers (revenues over 10M).
  • Public administration institutions.
  • Any entity belonging to a very critical or critical sector defined as ‘essential’ by a Member State.
  • Entities defined as critical according to Directive (EU) 2022/2557.
• Important:
  • Medium-sized entities (revenues of 10 to 50 million) in highly critical sectors.
  • Medium and large entities in other critical sectors.
  • Any entity defined by a Member State as ‘significant’.

The category to which each entity belongs has important practical implications, as the activities of those classified as ‘essential’ will be subject to much stricter and proactive supervision, such as random raids, essential security checks, and requests for proof of compliance.

In fact, in case of non-compliance with the NIS2, critical entities may face a fine of up to EUR 10 million or 2% of their annual global turnover.

Entities classified as ‘significant’ are subject to slightly less stringent controls, but may face penalties of up to €7 million or 1.4% of turnover.

In order to comply with all of the above, here are the recommended steps to follow:

• Pre-assessment: a comprehensive analysis of the company’s cybersecurity risks about the requirements of the directive should be conducted, which identifies gaps between the company’s current practices and the obligations imposed by the NIS2.
• Management policies: develop policies, procedures, and plans aligned with the directive’s standards and implement the relevant actions identified in the diagnostic.
• Awareness and training: foster a security culture within the organization, as well as provide ongoing training for employees on security and best practices.
• Detection and response: establish effective mechanisms for early detection of any threats and security incident response plans.
• Testing and upgrades: all systems and their components should be regularly updated and patched to ensure that they remain resilient to cyber-attacks.
• Monitoring and collaboration: continuously monitor systems to be able to detect and respond to potential threats, as well as maintain active collaboration with relevant cybersecurity agencies.