Prepare your business for NIS 2

Frequently Asked Questions

• What is the NIS 2 Directive?

  The NIS 2 Directive, an upgrade to the original EU Network and Information Systems (NIS) Directive of 2016, aims to establish a higher common level of cybersecurity across the EU. It extends and strengthens the cybersecurity requirements for a wider range of sectors, digital services, and company sizes to better address the evolving threats and vulnerabilities in network and information systems.

• Who needs to comply with the NIS 2 Directive?

  Compliance with the NIS 2 Directive is mandatory for “Essential” and “Important” industries as well as publicly administered services like water and waste management. These includes traditional critical industries such as energy, transportation, banking, and health care, but also extends to digital services providers like cloud services, online marketplaces, and data center services. The Directive also extends to smaller companies, including any company with at least fifty employees or €10M in annual turnover.

• What are the main objectives of the NIS 2 Directive?

  The Directive's primary objectives are to bolster the security of network and information systems across the EU, ensure a consistent level of cybersecurity preparedness, and foster cooperation among member states. It aims to reduce fragmentation in how cybersecurity threats are managed across the EU, enhance national capabilities, and establish a collaborative information sharing environment, ultimately improving the resilience of critical infrastructures against cyberattacks.

• What are the key cybersecurity requirements of NIS 2?

  Companies and institutions that fall under the purview of NIS 2 must maintain robust security policies, conduct regular vulnerability assessments and audits, and ensure data integrity and system availability. Regulated organizations must also adopt incident handling and business continuity plans to maintain operations during and after a cyberattack.

• How does NIS 2 affect supply chain security?

  NIS 2 requires regulated organizations to scrutinize and manage the cybersecurity risk associated with third-party vendors and service providers by making sure they also follow security best practices. This involves regular assessments of their vendors and service providers, monitoring of their security practices, and including contractual obligations that mandate compliance with cybersecurity standards.

• What are the incident reporting requirements under NIS 2?

  The Directive requires regulated organizations to report significant cybersecurity incidents within 24 hours of detection to facilitate a swift response, followed within 72 hours by a more detailed incident report. Prompt reporting is necessary to enable national and EU-wide coordination of responses to large scale cyber incidents and provide affected customers and partners with transparency on the progress of mitigation and recovery efforts.

• What penalties does NIS 2 impose for non-compliance?

  The NIS 2 Directive sets out strict, potentially costly financial and criminal sanctions for non-compliance. These are similar to the sanctions imposed by GDPR, depending on the severity and duration of the infringement, the nature and volume of the data compromised, and the actions taken by the targeted organization to mitigate the damage. Company executives can be held personally subject to financial and criminal penalties in cases of gross negligence regarding compliance.

• How does NIS 2 differ from GDPR?

  While GDPR primarily protects personal data and privacy, NIS 2 focuses on securing network and information systems from cyber risks. Although both regulations share common elements such as incident reporting and risk management, NIS 2 is broader in scope, covering more industry sectors and business sizes and not exclusively focusing on the protection of the private data of EU resident.

• What steps should organizations take to prepare for NIS 2 compliance?

  Organizations should start by assessing their current cybersecurity posture and identifying gaps vis-à-vis NIS 2 requirements. This includes updating or developing new cybersecurity policies and procedures, ensuring adequate risk management practices are in place, and enhancing incident response capabilities. Training and awareness programs should be rolled out to educate staff about the new regulations and the importance of compliance. Consulting with cybersecurity experts and legal advisors can also provide insight into the specific obligations and how best to meet them.

• When is the deadline for NIS 2 compliance?

  The exact compliance deadlines for NIS 2 will vary, as the Directive needs to be transposed into national law by each EU member state within a given period after its adoption. The deadline for EU countries to define their own laws and regulations based on NIS 2 is 18 October 2024. Organizations should monitor the implementation timelines in their respective countries to ensure compliance by the required deadline. Engaging with national authorities can provide clarity on specific timelines and any country-specific additional requirements.