A Guide to the NIS2 Directive

The Network and Information Security (NIS) directive has existed since 2016, when it was established as the first comprehensive cybersecurity directive of the European Union. Since its debut, there have been plenty of changes to the world of IT security — and NIS compliance needs to reflect the new challenges of today’s cybersecurity landscape.

To accommodate rapidly evolving cyber threats, the EU announced a NIS2 directive proposal in 2022. NIS2 aims to build on the requirements of NIS, broadening the scope of the original cybersecurity directive. By covering additional services, increasing reporting requirements, and strengthening other areas of cybersecurity, NIS2 is the EU’s answer to cybersecurity in post-COVID-19 Europe. 

Let’s take a closer look at the EU NIS2 directive — and how organizations can comply with the updated EU regulations.

Contents

What Is the NIS2?
Does the NIS2 Affect Your Organization?
Why Was NIS2 Developed?
What's Changing in NIS2?
Adoption Timeline for NIS2 And Next Steps
Meeting NIS 2.0 Head-On with Solutions from SSH Communications Security

What is the NIS2?

The NIS2 aims to make the cybersecurity of EU states stronger and more uniform, with requirements for compliance beginning in 2024. Under the new NIS2 directive proposal, a wide range of new organizations will now need to take steps to ensure compliance — expanding on the number of organizations that were subject to the requirements in the original NIS compliance directive of 2016.

According to the NIS2 directive proposal, any organizations that provide an “essential function” will require NIS2 compliance. This is because the primary objective of the NIS2 directive is to better protect organizations that are critical to economic and social development in the EU. By safeguarding themselves against cyber attacks, organizations (both businesses and non-profit institutions) can mitigate the risk of data compromise, which can threaten security, cost money, and damage trust.

Does the NIS2 Affect Your Organization?

Understanding the requirements of the NIS2 directive is important for any essential organization in the European Union — whether you’re a government organization or non-profit. Even certain businesses must comply with NIS2 guidelines. 

If your organization is a party to existing NIS compliance requirements, then it will continue to abide by NIS2 compliance. The original NIS directive established a significant range of organizations that were considered “essential”.  

These core industries are called ‘Sectors of high criticality’ and include: 

• Banking (and other financial institutions)
• Health and healthcare (including pharmaceuticals, medical devices and research)
• Transportation 
  • Air
  • Rail
  • Water
  • Road
• Energy 
  • Electricity
  • District heating and cooling
  • Oil
  • Gas
  • Hydrogen
• Water suppliers 
  • Drinking water
  • Waste water
• Digital service providers
  • Providers of online marketplaces
  • Providers of online search engines
  • Providers of social networking services platforms
• ICT service management (business-to-business)
  • Managed service providers
  • Managed security service providers
• Digital infrastructure 
  • Internet Exchange Point providers
  • DNS service providers, excluding operators of root name servers
  • TLD name registries
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network providers
  • Trust service providers
  • Providers of public electronic communications networks
  • Providers of publicly available electronic communications services
• Public administration (central and regional)
• Space

In addition to these original organizations, the NIS2 directive adds new organizations under its umbrella of “essential services”. These are called ‘other critical sectors’ and include, but are not limited to:

• Production, processing and distribution of food
• Manufacturers of critical products 
• Manufacture of medical devices and in vitro diagnostic medical devices
• Manufacture of computer, electronic and optical products
• Manufacture of electrical equipment
• Manufacture of machinery and equipment
• Manufacture of motor vehicles, trailers and semi-trailers
• Manufacture of transport equipment
• pharmaceuticals and healthcare equipment)
• Food manufacturers
• Postal and courier services
• Waste management
• Public electronic communications providers
• Social networking sites (and other data center services)
• Research

Regardless of where in the EU an organization is located, the NIS2 directive requires security compliance to avoid retributive fees. It’s important to note that even some organizations outside the EU must comply with the NIS2 directive if they provide essential services for an EU member state. 

Whether your organization is already meeting the demands of the original NIS, or is brand new to NIS compliance, it’s important to understand how NIS2 works, why it was developed, and how to comply. 

Why Was NIS2 Developed? 

Although NIS has been an effective tool in protecting EU critical infrastructure, several areas of weakness have become known in the past few years. For example, the COVID-19 pandemic has revealed that the EU needs to set stricter security standards in a work environment that is increasingly remote and digitalized. 

In short, the NIS2 was developed to reduce the risk of cyberattacks by addressing some of the gaps in the original NIS protocol. More specifically, the NIS2 was designed to:

• Improve preparedness for collective cyber threats in the EU. When essential organizations operate with sufficient cybersecurity protections, everybody benefits. In an increasingly interconnected EU, NIS2 aims to increase joint situational awareness among essential organizations. With collective preparedness, organizations can quickly communicate with each other and identify threats before they can expand to other victims. Additionally, the NIS2 includes a joint response protocol in case of a major multi-faceted cyberattack. 

• Increase resilience against cyberattacks. Resilience against cyber attacks is as important as defense. When a cyberattack occurs, the affected organization must resume essential services as quickly and securely as possible. The NIS2 directive outlines increased measures for resilience against cyberattacks, to minimize vulnerabilities and improve cyber defense. 

• Establish streamlined resilience standards with stricter penalties. The third and final core objective of the NIS2 directive is to streamline resilience to cyberattacks. Regardless of the type of organization, every essential service must possess the same capabilities to defend itself against threats. The original NIS directive allowed for flexibility with many of its resilience requirements, which created vulnerabilities — especially in smaller businesses. The new NIS2 directive outlines stricter penalties and tougher security measures to reduce these inconsistencies. 

What’s Changing in NIS2? 

As the NIS2 becomes the new standard, it’s important for all essential organizations to understand what’s changing. Some of the most notable changes included in the NIS2 directive include: 

• Expanding the range of essential services. With an expanded range of essential services, the NIS2 directive operates on a scale much larger than its predecessor. As organizations become increasingly interconnected, NIS2 essential services also operate across a wider range of industries. From food and water production to postal services and aerospace technology, previously underregulated organizations must now comply with NIS2. 

• Essential entities are regularly assessed for their security posture, important entities most likely only after a significant threat or incident occurred
• Staff headcount and financial ceilings determining enterprise categories. NIS2 appliest to medium-sized enterprises (SMEs) as well, in addition to those that are larger. A company is considered an SME if it employs more than 50 but fewer than 250 persons and it has an annual turnover exceeding EUR 10 million but not exceeding EUR 50 million, and/or an annual balance sheet total exceeding EUR 10 million but not exceeding EUR 43 million.
• Subcontractors, the supply chain, consultants managed service (security) providers along with their software and libraries are now part of the scope

• The end of OESes. An OES is a category of essential service unique to France. OESes are organizations that must be protected from cyber threats due to their significant impact on the functioning of France’s economy, society, or defense. With the NIS2 directive, OESes are eliminated as a category — instead, more uniform categories are announced. Across EU countries, essential entities (EEs) will be distinguished from important entities (IEs) to establish their level of security requirements.

• Greater incident response obligations. With the NIS2 directive, managers for essential organizations are given more responsibility in complying with NIS2 requirements. Instead of delegating all responsibility to an IT team, senior management must proactively oversee compliance with NIS2 regulations. The NIS2 has also changed other details of its incident response protocol — including a shortened window for notifying the necessary parties of disruptions and greater transparency in alerting users to cyber threats. 

• Stricter fines and penalties. Cybersecurity is of vital importance to the functioning of a cohesive EU economy. To increase compliance with these critical directives, NIS2 outlines stricter fines and penalties for noncompliance. More severe fines for high-level management offer an evidence-based way to improve compliance and resilience. 

• Encouragement to share threat and vulnerability intelligence and use knowledge and experience to enhance capabilities to assess, monitor, defend and respond to cyber threats between organizations.

Adoption Timeline for NIS2 and Next Steps

For organizations currently under NIS compliance, security spending is projected to increase under NIS2. For organizations that aren’t currently under the supervision of NIS, the percentage of security spending is expected to increase even more.

Implementation of NIS2 is not yet official in the European Union. In early 2022, the provisional text of the NIS2 directive was written and agreed upon by EU member states. On November 15, 2022, the NIS2 directive was adopted by the European Parliament and the European Council. It is unlikely that EU states will adopt NIS2 into law until 2024. This gives organizations some control over their adoption timeline — and allows them to budget for increased cybersecurity spending. 

However, given the changes that need to be made in many organizations to meet these new NIS2 requirements, it is crucial that you begin the transition toward compliance sooner rather than later.

Meeting NIS 2.0 Head-On with Solutions from SSH Communications Security 

With the expansion of industries that need to adhere to NIS2, we at SSH are here to lend our long-standing expertise in secure communications and access management.

• For industries in manufacturing, transportation, energy, waste management and water supply, we have PrivX OT that is a digital gatekeeper of secure access to remote maintenance and sites. 
• For Managed Service Providers, we have PrivX MSP that handles access to customer environments under management for MSPs.
• For finance, banking and insurance we offer our Zero Trust Suite, a complete access management solution to critical IT environments that allows companies to migrate to passwordless and keyless secrets management.
• For securing human-to-human business communication, we offer the Deltagon Suite that allows encrypted emails, document signing, information collecting using forms and secure workspaces for sensitive information.

You can also get in touch with us for more information.