Introduction
Network and information systems have become a key feature of our everyday lives, and as society becomes more digitally interconnected and cross-border data transfers grow, the likelihood of cyber threats increases. This calls for a coordinated approach among the EU member states to deal with such threats. For this purpose, the European Parliament and the Council of Europe introduced Directive (EU) 2022/2555, commonly known as the Network and Information System (NIS 2) Directive, concerning measures for a high common level of cybersecurity across the EU. The NIS 2 Directive aims to improve the functioning of the EU’s internal market and protect the EU’s critical infrastructure against cyber threats. It replaced its predecessor, Directive (EU) 2016/1148, commonly known as the Network and Information System (NIS 1) Directive. The replacement addresses Europe's increasing cyber threat exposure by widening the scope, clarifying the rules, and strengthening supervision tools. The NIS 2 Directive entered into force on January 16, 2023, and the EU member states were required to transpose its provisions into national law by October 17, 2024.
Application and Scope of NIS 2 Directive
The NIS 2 Directive applies to the entities designated as “essential entities” and “important entities.” It differentiates between these entities based on factors such as their size, sector, and criticality. Additionally, Annexes I and II of the NIS 2 Directive provide a list of high-criticality sectors and other critical sectors, respectively.
To simplify, essential entities are those that provide services critical to the functioning of society and the economy, where a disruption of their operations would have significant adverse impacts. Important entities, by contrast, are not considered as fundamental as essential entities, because a disruption of their services would not have consequences as severe and widespread as those of essential entities. It is noteworthy, however, that sector-specific EU regulations imposing equivalent cybersecurity requirements or incident notification obligations will always take precedence over the NIS 2 Directive.
The following tables provide a snapshot of whether an entity belonging to a high-criticality sector (listed in Annex I) or other critical sector (listed in Annex II) will qualify as an essential or important entity under the NIS 2 Directive.
Annex I: Sectors of High Criticality
| Sector | Sub-Sector | Large Entities (>= 250 employees or more than 50 million revenue) | Medium Entities (50-249 employees or more than 10 million revenue) | Small and Micro Entities |
|---|---|---|---|---|
| Energy | Electricity, district heating & cooling, gas, hydrogen, oil | Essential | Important | Out of Scope |
| Transport | Air, rail, water, road | Essential | Important | Out of Scope |
| Banking | Credit institutions | Essential | Important | Out of Scope |
| Financial market infrastructure | Trading venues, central counterparties | Essential | Important | Out of Scope |
| Health | Healthcare providers, EU reference laboratories, R&D of medicinal products, manufacturing of basic pharma products and preparations, manufacturing of medical devices critical during a public health emergency | Essential | Important | Out of Scope |
| Drinking water | Supply and distribution of water intended for human consumption | Essential | Important | Out of Scope |
| Waste water | Collection, disposal, or treatment of urban, domestic, or industrial wastewater | Essential | Important | Out of Scope |
| Digital infrastructure | Qualified trust service providers, top-level domain (TLD) name registries, and domain name system (DNS) service providers | Essential | Essential | Essential |
| Digital infrastructure | Providers of electronic communication networks | Essential | Essential | Important |
| Digital infrastructure | Internet exchange point providers, cloud computing service providers, data center service providers, and content delivery network providers | Essential | Important | Out of Scope |
| ICT-Service management | Managed service providers, managed security service providers | Essential | Important | Out of Scope |
| Public administration | Central government public administration entities | Essential | Essential | Essential |
| Public administration | Regional government public administration entities | Important | Important | Important |
| Space | Ground-based infrastructure operators, excluding providers of public electronic communications networks | Essential | Important | Out of Scope |
Annex II: Other Critical Sectors
All large entities (>= 250 employees or more than 50 million revenue) and medium entities (50-249 employees or more than 10 million revenue) in the following sectors are considered important entities:
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food (wholesale distribution, industrial production, and processing of food)
- Manufacturing (in-vitro diagnosis medical devices, computers, electronic, optical products, electrical equipment, machinery, motor vehicles, trailers, semi-trailers, and other transport equipment)
- Digital providers (online marketplaces, online search engines, and social networking services platform providers)
- Research (research organizations)
Small and micro entities in these sectors, however, fall outside the scope of the NIS 2 Directive.
Key Obligations Under the NIS 2 Directive
1. Registration of Entities
The NIS 2 Directive mandates registration with the relevant competent authorities for a comprehensive range of entities essential to the digital ecosystem. This encompasses DNS service providers, TLD name registries, and entities offering domain name registration services. The obligation further extends to infrastructure and platform providers, including cloud computing service providers, data center service providers, content delivery network providers, managed service providers, and managed security service providers. Finally, providers of prominent online platforms, specifically online marketplaces, online search engines, and social networking services, are also subject to this registration mandate.
These entities are required to submit the following information to the competent authorities for registration purposes:
- Entity Identification: the entity’s name;
- Sector Classification: the entity’s relevant sector and subsector, and whether the entity belongs to a high-criticality sector (Annex I) or to another critical sector (Annex II);
- Establishment Location: the address of the entity’s main establishment and its other legal establishments in the EU or, if it is not established in the EU, the address of its designated representative in the EU;
- Contact Information: the entity’s up-to-date contact details, including email addresses and telephone numbers, and, where applicable, those of its designated representative;
- Service Area: the name of the EU member state(s) where the entity provides services; and
- Technical Details: the entity’s IP ranges.
2. Implementation of Cybersecurity Risk Management Measures
Essential and important entities must adopt appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks and protect their network and information systems. These measures should also help the entities prevent and minimize the impact of cybersecurity incidents on the users of their services. To assess the proportionality of these measures, the entities shall take into account the following factors:
- The entity’s degree of exposure to risk
- The entity’s size
- The likelihood of an incident occurring
- The severity of the incident, including its societal and economic aspects
The directive also outlines the minimum cybersecurity risk management measures that essential and important entities need to implement. These include incident handling procedures, business continuity and crisis management mechanisms, supply chain security, cyber hygiene practices, cybersecurity training, access control policies, and the use of encryption and multi-factor authentication, among others. The NIS 2 Directive obligates the management bodies of essential and important entities to oversee the implementation of their cybersecurity risk management measures, and those bodies can be held liable for infringements of such measures. Moreover, to ensure compliance with cybersecurity risk management measures, the EU member states may require essential and important entities to use ICT products, services, or processes that are certified under European cybersecurity certification schemes. The use of such certified products, services, and processes helps protect stored, transmitted, or processed data against unauthorized storage or access, accidental loss or destruction, exploitable vulnerabilities, and similar risks.
3. Reporting Significant Cybersecurity Incidents
Essential and important entities are required to report significant cybersecurity incidents to the Computer Security Incident Response Team (CSIRT) or, where applicable, the competent authority without undue delay and within specified timeframes. It is important to note that CSIRTs are established within a competent authority. Their tasks include monitoring and analyzing cyber threats at the national level, offering real-time monitoring support to essential and important entities on request, and promptly issuing warnings and information on cyber threats and incidents.
Under the NIS 2 Directive, an incident is considered “significant” if it has caused, or has the potential to cause, either of the following:
- severe operational disruption of the services or financial loss for the entity concerned;
- considerable material or non-material damage to other natural or legal persons.
The essential and important entities have the following reporting obligations for significant cybersecurity incidents:
- Early Warning Obligation: Within 24 hours of becoming aware of the incident, submit an early warning indicating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident Notification Obligation: Within 72 hours of becoming aware of the incident, submit an incident notification with an initial assessment of its severity, impact, and available indicators of compromise, updating the information as needed.
- Final Report Obligation: No later than one month after the incident notification, submit a final report detailing the incident's severity and impact, the likely threat or root cause that triggered the incident, applied/ongoing mitigation measures, and any cross-border impact.
Essential and important entities shall also, where appropriate, inform the recipients of their services without undue delay of these significant cybersecurity incidents that are likely to adversely affect the provision of the services.
Penalties for Non-Compliance
While individual EU member states will establish the specific penalties for violating their national implementing legislation for the NIS 2 Directive, the directive mandates that these penalties must be effective, proportionate, and dissuasive. This ensures a consistent baseline for enforcement across the EU. In addition, when enforcing the NIS 2 Directive, authorities must respect due process and consider the specifics of each case. Key factors that should be weighed include the severity and duration of the violation, any past offenses, the harm caused, the perpetrator’s intent, efforts to remedy the violation, adherence to best practices, and the level of cooperation with authorities.
Although essential and important entities are required to comply with the same cybersecurity requirements, different rules apply to the two categories when it comes to the powers given to competent authorities to audit these entities and issue fines. In essence, essential entities face more proactive and intensive supervision and enforcement measures due to their critical importance, while important entities are subject to similar measures but with a focus on ex-post supervision and slightly less extensive enforcement powers.
Upon failure to take appropriate cybersecurity risk management measures and report significant cybersecurity incidents, essential and important entities are subject to administrative fines having the following thresholds:
- Essential entities could be subject to administrative fines of a maximum of at least €10 million or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
- Important entities could face administrative fines of a maximum of at least €7 million or of a maximum of at least 1.4 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
Furthermore, the competent authorities are also empowered to impose sanctions on these entities by temporarily suspending their certification or authorization and imposing a temporary prohibition on the exercise of managerial functions by any natural person discharging managerial responsibilities at the respective entity. However, these sanctions are subject to appropriate procedural safeguards, such as the right to an effective remedy and a fair trial, the presumption of innocence, and the rights of the defense.
Practical Next Steps for Businesses
Businesses should take the following measures to comply with the NIS 2 Directive:
- Immediately assess whether the NIS 2 Directive applies to your organization. You can make this assessment by evaluating whether your organization qualifies as an essential or important entity as per the NIS 2 Directive and understanding your obligations accordingly.
- If the directive is relevant, promptly determine if your organization needs to register with the competent authority. Initiate this process early.
- Compare and critically analyze your organization’s current cybersecurity risk management framework against NIS 2 Directive requirements. Actively implement any necessary enhancements to proactively close any cybersecurity gaps.
- Develop processes to comply with the reporting obligations for significant security incidents.
- Monitor the local laws of the EU member states transposing the NIS 2 Directive.
How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data+AI. Owing to its unified data intelligence, controls, and orchestration across hybrid multicloud environments, several of the world's most prestigious corporations rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.
This Data Command Center is equipped with several individual modules and solutions designed to ensure compliance with all major obligations an organization is subject to under the NIS 2 Directive. These include automated breach management, third-party risk management, data security posture management, and others, which can all be leveraged to set up automated monitoring systems that provide deep insights in real-time from the centralized dashboard, allowing for proactive detection and responses to any potential threats.
Furthermore, the centralized dashboard provides a comprehensive overview of the organization's obligations and compliance activities, helping to ensure that all data processing or transfers are consistent with each individual user's consent status and with the relevant regulatory requirements.
Request a demo today to learn more about how Securiti can help you comply with the NIS 2 Directive’s requirements as well as nearly all major data protection and privacy regulations globally.