Organisations included in the NIS2 Directive include businesses and organisations that provide services which are essential for societal and economic activities.
Why NIS2 was developed
We know you can’t wait to dive into all that’s new with NIS2.
But before that…
We think we should start with some background information.
The EU’s first cybersecurity policy, the NIS Directive from 2016, needed an update to safeguard the EU from new cybersecurity threats. During the COVID-19 pandemic, the world experienced a rise in cyber-attacks, which led the European Commission to propose a new and improved NIS2 Directive.
“We’re particularly enthusiastic about the directive’s potential to harmonize cybersecurity measures across the EU, which is crucial for startups like ours that operate in a digitally connected environment. By adhering to NIS2, we’re not just working around a regulation; we’re actively participating in a movement that sets the stage for safer, more reliable digital experiences.” Oliver Goodwin, Owner, Synthesys AI Studio
The NIS2 Directive will fill the gaps in the original NIS Directive by adding new critical service sectors, strengthening security requirements, addressing supply chain security, and increasing reporting obligations and enforcement.
In October 2024, NIS2 will replace the original NIS Directive. The goal is that it will better prepare essential service providers to manage the cybersecurity risks of today.
NIS2 will replace the NIS directive. It requires more organisations to comply with stricter cybersecurity requirements.
But is your organisation considered essential for societal and economic activities?
Well, we all might think our business is essential – but in this case, we have to see what the NIS2 Directive says.
Does NIS2 affect your organisation?
Yes, this is the question everyone has right now.
It does if you work in one of the sectors that the original NIS applied to, or one of the sectors that the new NIS2 added to the list.
If you aren’t sure whether that’s you, don’t worry! We’ll help you figure it out in the next sections.
The original NIS Directive applied to organisations in the following sectors:
The new NIS2 Directive covers 18 different sectors with subsectors.
NIS2 uses a lot of different terms to describe the sectors it applies to, so we’ll walk you through each of them one by one.
We’ll cut through the legal talk and tell you what you need to know.
First, let’s look at all 18 of the sectors NIS2 applies to.
The NIS2 Directive divides these sectors into two categories: highly critical and other critical. We’ll come back to why these categories matter later, but for now, just see if your organisation is included and where.
Highly critical entities in the NIS2 Directive
The following 11 sectors are considered highly critical in NIS2. With each sector, we’ve listed the subsectors and what they include. If you’re following along with the NIS2 Directive text, these sectors are listed under Annex 1.
1. ENERGY
Electricity
Includes:
- Electricity suppliers
- Distribution system operators
- Transmission system operators
- Producers
- Nominated electricity market operators
- Market participants providing aggregation, demand response, or energy storage services
- Operators and managers of a recharging point, which provides recharging services to end users, including in the name of and on behalf of a mobility service provider
District heating and cooling
Includes operators of district heating or cooling.
Oil
Includes:
- Operators of oil transmission pipelines
- Operators of oil production, refining, and treatment facilities, storage, and transmission
- Central stockholding entities
Gas
Includes:
- Supply undertakings
- Distribution system operators
- Transmission system operators
- Storage system operators
- LNG system operators
- Natural gas undertakings
- Operators of natural gas refining and treatment facilities
Hydrogen
Includes operators of hydrogen production, storage, and transmission.
2. TRANSPORT
Air
Includes:
- Air carriers used for commercial purposes
- Airport managing bodies, airports, and entities operating ancillary installations within airports
- Traffic management control operators providing air traffic control (ATC) services
Rail
Includes:
- Infrastructure managers
- Railway undertakings, including operators of service facilities
Water
Includes:
- Inland, sea, and coastal passenger and freight water transport companies – not including the individual vessels operated by those companies
- Managing bodies of ports, including their port facilities and entities operating works and equipment contained within ports
- Operators of vessel traffic services (VTS)
Road
Includes:
- Road authorities responsible for traffic management control – excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity
- Operators of Intelligent Transport Systems
3. BANKING
Includes credit institutions.
4. FINANCIAL MARKET INFRASTRUCTURE
Includes:
- Operators of trading venues
- Central counterparties (CCPs)
5. HEALTH
Includes:
- Healthcare providers
- EU reference laboratories
- Entities carrying out research and development activities of medicinal products
- Entities manufacturing basic pharmaceutical products and pharmaceutical preparations
- Entities manufacturing medical devices considered to be critical during a public health emergency
6. DRINKING WATER
Includes suppliers and distributors of water intended for human consumption – excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. WASTE WATER
Includes undertakings collecting, disposing, or treating urban waste water, domestic waste water, or industrial waste water – excluding undertakings for which collecting, disposing of, or treating urban, industrial, or domestic waste water is a non-essential part of their general activity.
8. DIGITAL INFRASTRUCTURE
Includes:
- Internet Exchange Point providers
- DNS service providers, excluding operators of root name servers
- TLD name registries
- Cloud computing service providers
- Data centre service providers
- Content delivery network providers
- Trust service providers
- Providers of public electronic communications networks
- Providers of publicly available electronic communications services
9. ICT SERVICE MANAGEMENT (BUSINESS-TO-BUSINESS)
Includes:
- Managed service providers
- Managed security service providers
10. PUBLIC ADMINISTRATION
Includes:
- Public administration entities of central governments
- Public administration entities at a regional level
- Member States may apply NIS2 to: (a) public administration entities at the local level; (b) education institutions, in particular where they carry out critical research activities
- Does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences
11. SPACE
Includes operators of ground-based infrastructure – owned, managed, and operated by states or by private parties – that support the provision of space-based services, excluding providers of public electronic communications networks.
Next, we’ll look at the other critical sectors listed in NIS2. If you were already listed above, you won’t be listed again.
Other critical entities in the NIS2 Directive
The NIS2 Directive defines 7 other critical sectors. Here they are below, along with the subsectors and descriptions of what the subsectors include. By the way, these are under Annex 2 of the NIS2 Directive if you want to brush up on your legal jargon.
1. POSTAL AND COURIER SERVICES
Includes: postal service providers, including providers of courier services.
2. WASTE MANAGEMENT
Includes: undertakings carrying out waste management – excluding undertakings for which waste management is not their principal economic activity.
3. MANUFACTURE, PRODUCTION, AND DISTRIBUTION OF CHEMICALS
Includes: undertakings carrying out the manufacture of substances and the distribution of substances or mixtures and undertakings carrying out the production of articles from substances or mixtures.
4. PRODUCTION, PROCESSING, AND DISTRIBUTION OF FOOD
Includes food businesses which are engaged in wholesale distribution and industrial production and processing.
5. MANUFACTURING
Includes:
- Manufacture of medical devices and in vitro diagnostic medical devices
- Manufacture of computer, electronic, and optical products
- Manufacture of electrical equipment
- Manufacture of machinery and equipment n.e.c.
- Manufacture of motor vehicles, trailers, and semi-trailers
- Manufacture of other transport equipment
6. DIGITAL PROVIDERS
Includes:
- Providers of online marketplaces
- Providers of online search engines
- Providers of social networking services platforms
7. RESEARCH
Includes research organisations – meaning an entity with the primary goal of conducting applied research or experimental development and using the research results for commercial purposes, but which does not include educational institutions.
So, if your organisation is in any of the sectors listed above, no matter if it is in the highly critical or other critical category, then NIS2 might apply to you.
So what now?
Well, a deep breath can help. Just kidding, kind of.
It’s time to talk about two more categories of organisations in NIS2.
Essential vs. Important Entities according to NIS2
Next, we’re adding another layer of categories. NIS2 defines two categories for entities in scope: important and essential.
That’s four different categories… but who’s counting?
Organisations in both categories have to meet the same security requirements. The difference is in how important and essential organisations will be supervised and penalised for noncompliance.
To figure out if your organisation is considered essential or important, it mostly comes down to size.
We’ll give you these details next.
Essential entities
- Organisations in highly critical sectors (see above) with more than 250 employees, an annual turnover of more than € 50 million, or a balance sheet greater than € 43 million
- Regardless of size: trust service providers, top-level domain name registries, and DNS service providers
- Providers of public electronic communications networks or of publicly available electronic communications services with 50-250 employees or more than € 10 million in revenue
- Public administration entities
- Any other highly critical or other critical organisation that is the only provider of the service within the country, or whose service disruption could have a significant impact
Essential organisations can be supervised proactively to ensure they meet the requirements of the NIS2 Directive.
Important entities
Important entities are basically those left over that aren’t considered essential.
- All other highly critical or other critical organisations that do not fit the qualifications for essential entities
In practice, this means organisations within the sectors included in the NIS2 Directive (above) that are medium-sized or smaller (fewer than 250 employees, an annual turnover of less than € 50 million, or a balance sheet of less than € 43 million).
Small (fewer than 50 employees, revenue of € 10 million or less) and micro enterprises (fewer than 10 employees, revenue of € 2 million or less) are not necessarily excluded from NIS2 compliance. The countries they operate in can include them if their services play a key role in society.
Important organisations are supervised “after the fact,” meaning they will only be investigated if the authorities receive evidence of non-compliance.
Phew – the hard part is over now. Thanks for staying with us!
Now that we’ve gotten all the complicated NIS2 details out of the way, let’s dive into what NIS2 means for you.
What if my organisation is not located in the EU?
Not in the EU, not your problem? Think again.
Even if your organisation is not located in the EU, if it provides services within the EU, it must comply with the NIS2 Directive.
NIS2 gives some rules about how non-EU organisations should proceed.
It says that non-EU entities that provide services within the EU need to designate a representative to the EU in one of the countries where the services are offered. The representative is then responsible for managing the organisation’s NIS2 compliance work, such as reporting security incidents.
What if the NIS2 Directive doesn’t apply to me?
If, after reading through the sectors and size limitations above, it seems that your organisation won’t be required to comply with NIS2 – you don’t have to sweat it.
You don’t have to worry about any immediate fines or steps to compliance.
But you might consider building your security work to comply with the directive anyway. There are a few reasons for that:
- NIS2 encourages countries to ensure that even the organisations that are not in the scope of the directive achieve a high level of cybersecurity by implementing the same risk management measures
- The scope of organisations NIS2 applies to is wide, and these organisations have to make sure their suppliers are also secure. So, a lot of companies will end up having to comply with the NIS2 Directive because a company they work with does
Basically, it seems like the risk management and cybersecurity measures in the NIS2 will quickly become the standard.
By proactively adapting your security to include the 10 minimum security measures in NIS2, you make it easy for other companies to work with you. You can also signal to your customers that you use secure practices and they can trust you.
So, now that you have an idea of whether NIS2 applies to your organisation…
Let’s talk about everything organisations will have to do to comply with it.
The main thing to know is that there are 10 security requirements and timelines for reporting security incidents.
Let’s get into it!
The NIS2 Directive has three general objectives
The three main goals of NIS2 are to increase cyber resilience across essential service providers, streamline cyber resilience through stricter security requirements and penalties for violations, and improve the EU’s preparedness to deal with cyber-attacks.
NIS2 gets it done with some new guidelines for things like security and accountability.
There are 4 areas of new requirements in the NIS2 Directive
1. Risk management
Throughout the NIS2 Directive, managing cybersecurity risks is a main theme.
NIS2 says that organisations should use an all-hazards approach to address risks that could come from, e.g., human error, system failure, malicious actors, natural disasters, and the physical and environmental security of systems.
2. Corporate accountability
NIS2 holds C-level executives responsible in new ways. It requires management to oversee, approve, be trained on, and address risks to their organisations’ cybersecurity.
If they fail to do so, they can be held personally liable through measures such as suspension from holding management positions.
3. Reporting obligations
The new directive has detailed requirements for reporting security incidents, which we discuss a bit later.
But for now, it’s good for you to know that organisations have to have processes in place for promptly reporting security incidents.
4. Business continuity
Since NIS2 applies to providers of essential services, it’s important that these organisations have plans in place to keep their services running if they experience a major security incident.
For example, the plan should include things like system recovery, emergency procedures, and creating a crisis response team.
Now, we’ll get into the fun part – what NIS2 actually requires and what could happen if you don’t meet the requirements.
NIS2 Requirements
The NIS2 Directive has requirements for minimum security measures organisations must have, timelines for reporting security incidents, and how organisations can be penalised if they don’t comply.
Cybersecurity: 10 minimum security measures required by NIS2
NIS2 says that organisations have to take appropriate and proportional risk management actions to prevent security incidents and minimize their impact.
It gives a list of 10 baseline measures that all organisations must address.
Get your check list ready and see how many you already do!
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity – where appropriate
The text of the NIS2 Directive places importance on good cyber hygiene practices and cybersecurity awareness.
Some elements of cyber hygiene mentioned in the NIS2 Directive are: software and hardware updates, password changes, managing new installs, access control, and online application security.
It also prioritizes supply chain security. It says that companies have to tailor their security measures for each direct supplier and assess the overall security level of all suppliers.
Luckily, most of these requirements are not new, and a lot of companies are hopefully already working on these areas. It also goes hand in hand with GDPR work because these are good steps towards protecting data.
New reporting requirements
If you experience a security incident, you need to let the right people know. The NIS2 Directive gives clear instructions for how organisations should report security incidents.
- Within 24 hours of first becoming aware of an incident: submit an early warning to the computer security incident response team (CSIRT) or national authority. If possible, this should say whether it is believed that the incident was caused by malicious or unlawful conduct, and if it will have cross-border consequences
- Within 72 hours of first becoming aware of an incident: submit an incident notification. It should give an update to the early warning with an initial assessment of the incident, its severity and impact, and any indicators of compromise
- Within 1 month of first becoming aware of an incident: submit a final report. It should have a detailed description of the incident, including its severity and impact; what caused it; applied and ongoing mitigation measures; and the cross-border impact
Hopefully, you won’t need to use this part of our NIS2 guide. But it’s here in case you need it.
Higher sanctions for NIS2 violations and increased supervision
The NIS2 Directive gets serious about making sure businesses are following the rules.
It gives minimum financial penalties that should be applied when an organisation does not meet the security risk management or reporting requirements of NIS2.
Essential entities can be fined at least €10,000,000 or 2% of the total global revenue for the previous year, whichever is higher. This is the same fine given for less severe violations of the GDPR.
Important entities can be fined at least €7,000,000 or 1.4% of the total global revenue for the previous year, whichever is higher.
Organisations can expect to be supervised through audits, on-site inspections, and requests for NIS2 compliance information/documentation. If a NIS2 breach is found, the organisation can receive a fine or a non-monetary penalty such as a compliance order, or the management can be held responsible.
For the most part, organisations will be supervised by the country they are established within – with some exceptions for organisations within the digital infrastructure sector.
So, what does this mean for your organisation?
Organisations within the sectors covered by the NIS2 Directive will be responsible for complying with the new security measures by October 18, 2024.
For some of the sectors, the Commission will publish further information about the technical requirements by October 17, 2024.
So, if your organisation is included in the scope of the NIS2 Directive, it’s a good time to get started.
If your organisation is not included in the sectors and size limitations of the NIS2 Directive, you can probably relax a little.
Consider if any companies you partner with will need to comply with NIS2 and what that might mean for your organisation. And think about how you can implement the new security requirements anyway, since it’ll give you an advantage later.
Our recommendations for your organisation
Before we go, we want to leave you with four steps to help you get started with your NIS2 work.
Step 1: Figure out if your organisation needs to comply with the NIS2 Directive
You can do this by reviewing the sectors and size limitations for NIS2. If you have to comply with NIS2, go ahead and start with a risk assessment.
Step 2: Do a risk assessment
A risk assessment gives you an overview of all the potential security risks your organisation could face, how likely they are, how big of an impact they would have on your organisation, and what you’re already doing to manage that risk.
A risk management process like this is required by NIS2, and you can get started with our free risk analysis template and guide to filling it out. The risk analysis can help you decide where the gaps in your security are, and what you need to do to fix them.
While you’re at it, the NIS2 Directive also requires organisations to have an IT security policy. We’ve got a free template and guide for the IT security policy too.
Additionally, you might want to use ISO/IEC 27001 to inform your risk assessment and management practices. You can read more about getting ISO 27001 certified here.
Step 3: Implement security measures
Once you’ve decided what security changes you need to make, it’s time to put them into action.
A framework that could help you here is the Plan-Do-Check-Act (PDCA) cycle. It gives you a structured way to put new measures in place and measure how well they worked. A lot of organisations use it to continuously improve their cybersecurity.
When you’re putting new security measures in place, make sure you’ve covered all 10 of the baseline security requirements listed in the NIS2 Directive.
You should also look at your supply chain and supplier relationships so you can ensure those are secure as well. It is important to work with data processing partners that have a high level of security to ensure a secure supply chain. You can read our guide on data processors and controllers here.
ISO 22301 can guide your work related to business continuity planning and supply chain security.
Step 4: Evaluate the effectiveness of those measures
If your security measures aren’t enough or didn’t work the way you expected, here is where you can see that and make changes. It’s good to start early with your NIS2 work so, even if you have to make adjustments, you’ll be ready by October 2024.
Security awareness training in the NIS2 Directive
Since our mission at CyberPilot is to provide quality security awareness training, we are of course watching the NIS2 Directive requirements.
The new directive requires security mitigation measures, which could include training your employees to detect phishing emails with phishing testing.
The NIS2 directive also requires security awareness training – and raising security awareness is going to be a focus area for each country’s national cybersecurity strategies.
Training on cybersecurity, risks, cybersecurity skills, awareness, social engineering, phishing, and good cyber practices for both management and employees is listed as a priority in the NIS2 text.
Some examples of topics to cover in security awareness initiatives include: software and hardware updates, changing passwords, managing new installations, and social engineering/phishing.
Our security awareness training courses are one way that CyberPilot can help you adapt to the NIS2 Directive.
Cyber hygiene in the NIS2 Directive
Building good cyber security habits and a strong security culture in your organisation are also mentioned in NIS2. A cyber-oriented culture and employees with good digital habits work hand in hand to increase your overall security.
An easy way to keep security on the agenda is by using visual reminders in your office. We have free posters and infographics with cybersecurity tips that make security fun. You can also check out our guide on creating a strong security culture in your organisation.
Learn more about NIS2
Interested in reading more about the NIS2 directive? The European Commission has answered some FAQs here. We’re here to help you transition to NIS2 compliance. Feel free to contact us!