Understanding NIS2: What IT Leaders Need to Know
The revised Network and Information Security (NIS2) Directive is a European Union cybersecurity regulation designed to ensure the resilience of what it defines as “essential” and “important” entities against cyberattacks. It builds on the 2016 NIS Directive, expanding its scope and updating its requirements to address modern security threats.
By October 17, 2024, all EU Member States are required to transpose NIS2 into their national laws. From that date, companies that meet the definitions of “essential” or “important” under the new directive will be required to comply with the new requirements. With NIS2, many more companies will be required to achieve and maintain compliance: the new directive added several sectors to the essential category and created the “important” category as well.
All organizations that meet these requirements are held to the same standards and may be required to register themselves with regulators in the Member States where they do business. Additionally, they will need to update security policies, procedures, and staff training to meet the new requirements. Companies that were previously subject to and compliant with NIS1 will also need to perform updates to comply with new requirements, such as updated incident reporting timelines and a focus on supply chain security.
The NIS2 update also expands the potential consequences for non-compliance, providing the regulation with additional enforcement. Regulators can impose various penalties on non-compliant organizations, and executives can be held personally responsible for gross negligence. To avoid these penalties, organizations should prioritize NIS2 compliance, which may require allocating additional resources to IT departments.
Key Changes from NIS1 to NIS2
NIS2 is a significant update to the 2016 NIS1 directive. The three main areas of change are an expanded scope, additional required security controls, and expanded penalties for non-compliance.
Expanded Scope
One of the most significant changes is the expanded scope. NIS1 defined “essential” entities, which included the following:
- Energy
- Transport
- Finance
- Health
- Digital infrastructure
The new NIS2 directive adds a few industries to this list, including:
- Public administration
- Space
- Wastewater
Additionally, the NIS2 Directive defines “important” entities, which are held to the same requirements but have lower penalties for non-compliance. The new important entities category generally includes the following industries:
- Digital providers
- Chemicals
- Research
- Food production, processing and distribution
- Postal services
- Manufacturing
- Waste management
Within these industries, the size of an organization also comes into play. In the essential sectors, large enterprises (250 or more employees, or annual turnover above 50 million euros and a balance sheet above 43 million euros) are classified as essential entities. Medium-sized enterprises (50 or more employees, or an annual turnover or balance sheet above 10 million euros) in the listed sectors are generally classified as important entities. Additionally, Member States can bring smaller companies into scope when they play a critical role within a country.
New Requirements
In addition to expanding the types of companies that are subject to the regulation, NIS2 introduces new security requirements for essential and important entities. The most significant new requirements include:
- Risk Management: NIS2 requires organizations to manage their security risk by taking measures such as implementing incident response policies, enhancing supply chain and network security, and deploying data encryption and zero trust access management.
- Corporate Accountability: NIS2 explicitly holds management responsible for the organization’s security posture. Managers must oversee, approve, and undergo training regarding the security controls that the organization has implemented.
- Incident Reporting: NIS2 imposes strict incident reporting requirements, including an “early warning” notification that must be submitted within 24 hours of becoming aware of a significant incident.
- Business Continuity: NIS2 is focused on ensuring that providers of critical services can maintain operations in the face of cyberattacks. They must have business continuity plans that cover emergency procedures, system recovery, and creating a crisis response team.
Stricter Penalties
NIS2 provides regulators with various tools to compel compliance with these requirements. The three types of penalties permitted under the new regulation include the following:
- Non-Monetary Penalties: National supervisory authorities have the power to compel non-compliant organizations to take certain actions. They can issue compliance orders and binding instructions, force companies to perform a security audit, or require an organization to send threat notifications to their customers.
- Administrative Fines: Regulators can also issue fines to essential and important entities. Essential entities can incur fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. Important entities face potential fines of up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher.
- Management Liability: In the event of gross negligence, Member State supervisory authorities can hold management personally liable in the wake of a security incident. They can order an organization to publicize its compliance violations and the persons responsible for them. For essential entities with repeated violations, a manager can also be temporarily barred from exercising management functions.
Steps for IT Leaders to Prepare for NIS2
NIS2’s expanding scope and increased regulatory requirements mean that many companies will need to implement new security controls and processes to achieve and demonstrate compliance with NIS2. Some key steps that IT leaders can take to prepare for NIS2 compliance and improve their security posture include the following:
- Perform a Risk Assessment: A risk assessment provides the organization with insight into current vulnerabilities and security and compliance gaps. This assessment should look at both internal and external risks and provide visibility into the issues the organization needs to address to achieve compliance.
- Establish a Security Governance Framework: Achieving and maintaining compliance with NIS2 and other regulations requires a robust governance strategy. The governance strategy should include plans for meeting compliance requirements, establish protocols for risk management and incident response, and assign accountability at all organizational levels.
- Implement Security Measures: Based on the risk assessment, the organization should implement controls to close identified gaps and improve the corporate security posture. For example, the organization may implement multi-factor authentication (MFA), data encryption, and regular vulnerability assessments.
- Supply Chain Security: NIS2 requires an organization to understand the security risks of its supply chain, including the vulnerabilities and security practices of its direct suppliers and service providers. Companies should assess existing supply chain risks, develop strategies for managing risk exposure, and establish close working relationships with partners.
- Incident Response and Reporting: After a significant incident, NIS2 requires an “early warning” within 24 hours, an incident notification with an initial assessment within 72 hours, and a final report within one month. Well-defined incident response plans are essential to contain and remediate the incident and meet these reporting deadlines.
- Business Continuity: NIS2’s primary focus is ensuring that cyberattacks don’t interrupt important services. Organizations covered by the directive should have business continuity plans in place — including secure backup and recovery procedures — to ensure that they can quickly and securely recover from a cyberattack.
- Collaboration and Information Sharing: Information sharing can enhance threat detection, response, and remediation by sharing data about new and emerging cyberattack campaigns. NIS2 encourages information sharing with authorities, incident response teams, and other organizations to improve the security posture of the industry as a whole.
- Compliance Documentation and Auditing: Document all efforts to achieve and maintain compliance with NIS2, including the security controls, policies, and procedures implemented. This documentation should be regularly reviewed to identify potential risks and security gaps.
- Training and Awareness: Educate employees about security responsibilities under NIS2 and best practices for protecting against cyber threats. Training should be performed regularly to ensure that employees are up-to-date on the latest threats and how to mitigate them.
Zero Trust Model and NIS2 Compliance
The zero trust security model was designed to eliminate implicit trust within an organization’s security architecture. It mandates that every access request be explicitly verified against least privilege access controls. These access controls provide users with only the privileges needed for their role, and explicit verification reduces the risk of unauthorized access to sensitive resources.
Recital 89 of the NIS2 directive names zero trust principles among the basic cyber hygiene practices that entities should adopt. Zero trust aligns with the goals of NIS2 because preventing unauthorized access dramatically reduces the risk of data breaches or security incidents that prevent essential or important entities from providing critical services.
Implementing zero trust requires cybersecurity solutions that support and enforce its key principles. Zero trust network access (ZTNA) is an invaluable part of a zero trust architecture that applies least privilege access management for access to an organization’s network and various network-connected systems and services.
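The two principles described above, explicit verification of every request and least-privilege grants, are easiest to see in a policy decision point. The following is an added example written for this article, not code from the directive or from any vendor; the role names, resources and device attributes are assumptions chosen for illustration. The point to notice is that the network the request arrives from is carried in the request but never consulted: being on the corporate LAN grants nothing, every request is judged on identity, authentication strength, device posture and an explicit role grant.

```python
"""Minimal zero-trust policy decision point (added illustration, assumed names)."""
from dataclasses import dataclass, field

# Least privilege: each role lists only the (resource, action) pairs it needs.
# Roles and resources are assumptions for this example.
ROLE_GRANTS = {
    "hr-analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
    "sre": {("prod-k8s", "read"), ("prod-k8s", "deploy")},
}

# Resources that additionally require phishing-resistant MFA and a healthy managed device.
SENSITIVE_RESOURCES = {"payroll-db", "prod-k8s"}


@dataclass
class AccessRequest:
    user: str
    roles: tuple
    resource: str
    action: str
    mfa_method: str          # "fido2", "totp" or "none"
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # disk encryption, patch level, endpoint agent running
    network: str             # "corp-lan", "vpn" or "internet"; logged, never trusted


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Return allow/deny for one request; every denial carries an explicit reason."""
    reasons = []

    # 1. Least privilege: some role held by the user must grant exactly this action.
    granted = any((req.resource, req.action) in ROLE_GRANTS.get(r, set())
                  for r in req.roles)
    if not granted:
        reasons.append(f"no role grants {req.action} on {req.resource}")

    # 2. Explicit verification of the subject: MFA always, phishing-resistant MFA for sensitive data.
    if req.mfa_method == "none":
        reasons.append("authentication without MFA")
    elif req.resource in SENSITIVE_RESOURCES and req.mfa_method != "fido2":
        reasons.append("sensitive resource requires phishing-resistant MFA")

    # 3. Explicit verification of the device for sensitive resources.
    if req.resource in SENSITIVE_RESOURCES and not (req.device_managed and req.device_compliant):
        reasons.append("sensitive resource requires a managed, compliant device")

    # req.network is intentionally not consulted: location confers no implicit trust.
    return Decision(allow=not reasons, reasons=reasons)


def run_samples() -> dict:
    """Evaluate a few constructed requests; returns name -> Decision."""
    samples = {
        # Remote analyst with strong MFA on a healthy device, reading what the role allows.
        "analyst_read_from_internet": AccessRequest(
            "alice", ("hr-analyst",), "payroll-db", "read", "fido2", True, True, "internet"),
        # Same analyst trying to write: role does not grant it, so denied regardless of posture.
        "analyst_write": AccessRequest(
            "alice", ("hr-analyst",), "payroll-db", "write", "fido2", True, True, "internet"),
        # Admin on the corporate LAN with no MFA: LAN location does not rescue the request.
        "admin_lan_no_mfa": AccessRequest(
            "bob", ("payroll-admin",), "payroll-db", "write", "none", True, True, "corp-lan"),
        # SRE with TOTP on an unmanaged laptop: two separate verification failures are reported.
        "sre_deploy_unmanaged": AccessRequest(
            "carol", ("sre",), "prod-k8s", "deploy", "totp", False, False, "vpn"),
    }
    return {name: evaluate(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{name}: {verdict} {'; '.join(decision.reasons)}")
```

A real deployment would source the grants from an identity provider and the device signals from an endpoint management or EDR platform, and would re-evaluate on every request rather than once per session; the structure of the decision is the same.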
Benefits of NIS2 Compliance
NIS2 compliance is expected to be required for over 160,000 companies that operate within EU Member States. Those companies that achieve compliance with the requirements outlined in NIS2 may reap certain benefits, such as:
- Improved Resilience: NIS2 is designed to enhance the resiliency of important service providers against cyberattacks. Implementing its requirements reduces the risk that an organization will experience a significant cybersecurity incident and the potential damage that it might suffer.
- Better Incident Response: NIS2 creates requirements for incident response and establishes deadlines for reports to regulators. Robust incident response processes are essential for compliance and also help to reduce the cost and impact of incidents on the organization.
- Enhanced Customer Trust: NIS2 defines minimum requirements for protecting an organization against attack. Achieving compliance can improve customer trust by providing reassurance that important services will be available when needed.
- Compliance Penalty Avoidance: NIS2 lays out an array of potential penalties that can be levied against non-compliant organizations and their management. For organizations subject to the directive, compliance is essential to avoid these potential penalties.
Challenges and Considerations for IT Leaders
The expanded scope of NIS2 expands the responsibilities for IT leaders. Most organizations must maintain compliance with multiple regulations, and NIS2, with its strict requirements and tight incident reporting deadlines, increases this burden. This is especially true in the wake of a security incident when reporting to another regulator consumes additional resources when they are already in short supply.
Managing NIS2 compliance among other responsibilities requires a proactive approach to risk management and compliance. Staying aware of the evolving cybersecurity threat landscape and proactively deploying security controls to manage emerging threats reduces the risk of an organization suffering a reportable security incident. IT leaders should also establish and regularly test incident response processes to ensure that they can rapidly resolve security issues and comply with breach notification rules.
The new challenges and requirements of NIS2 compliance can overwhelm overstretched and resource-constrained security teams. However, the strict new penalties included in the updated directive leave little room for non-compliance. IT leaders should consider how best to streamline and scale security and compliance operations through automation and security convergence to ensure that they can meet NIS2 and other compliance requirements.
Proactively work toward compliance
NIS2 is one of the EU’s most significant cybersecurity laws and is designed to ensure the resilience of important services against cyberattacks. For the more than 160,000 companies expected to fall within its scope, NIS2 lays out a variety of security requirements and allows regulators to penalize non-compliant companies and executives.
While lawmakers still have several months left to enact the legislation in Member State laws, IT leaders should proactively work toward compliance to ensure that they are prepared when the new laws do go into effect. In addition to achieving compliance, efforts to enhance an organization’s security posture and resiliency also reduce an organization’s exposure to cyberattacks and simplify compliance with other regulations.
IT leaders seeking NIS2 compliance need security tools that provide the visibility and enforcement capabilities required by the regulation. Cato SASE Cloud offers complete visibility across an organization’s entire IT environment, supporting risk assessment and supply chain risk management. With Cato’s advanced security offering, which includes access security, organizations can easily implement zero trust — as mandated by NIS2 — and identify, block, and respond to attempted cyberattacks against their IT assets.