NIS2 Directive – Read Everything You Need to Know

The NIS2 Directive or Network and Information Security Directive is an EU-wide cybersecurity legislation that will enter into force in national law by October 17th, 2024. Read this blog for a summary of everything you need to know about the NIS2 Directive. If the list seems challenging and long, don’t worry – our experts at Huld will help you meet the requirements! 

The NIS2 Directive – What Does It Oblige You to Do? 

The Directive aims to achieve uniform and effective cybersecurity across the EU. Its implementation in organizations is actively enforced, for example through significant sanctions. The NIS2 Directive requires companies to take operational, organizational and technological measures to improve cybersecurity. As a concrete example, specific reporting requirements apply in the event of, for example, operational disruptions or near misses. 

Under the Directive, the company’s top management is responsible for implementing and monitoring the operator’s cybersecurity risk management for communication networks and information systems. In practice, this means the ultimate responsibility to organize and resource risk management appropriately, and to oversee its operation. 

Key obligations: 

  • Integrating cybersecurity into all corporate network and information systems 
  • Ensuring effective risk management measures 
  • Reporting to the supervisory authority within 24 hours of detecting an incident, with more detailed reporting within 72 hours and a final report within 1 month 
  • Ensuring cybersecurity and adequate training 

What Will Change? 

The biggest change in the new NIS2 Directive compared to its predecessor is that it will apply to an increasing number of organizations, such as manufacturers of electronic equipment. 

The requirements and minimum measures set out in the Directive are also broader than in the previous legislation. For example, NIS2 places particular emphasis on risk management measures and adds new requirements such as physical security reporting. 

The main changes: 

  • More companies covered by the Directive 
  • Increased supervision and control by public authorities 
  • More diversified sanctions and coercive measures 
  • Greater emphasis on risk management 
  • New requirements for information security 
  • Increased reporting requirements 
  • Closer control of supply chains 

Check the List to See If the NIS2 Directive Applies to You 

The NIS2 Directive obligations apply to medium-sized companies (50+ employees, or annual turnover and balance sheet total exceeding €10 million) and large companies (250+ employees, or annual turnover exceeding €50 million and balance sheet total exceeding €43 million) operating in sectors classified as highly critical and other critical sectors. In addition, the Directive applies to all nationally designated critical operators, irrespective of their size. 

The operators are divided into key and important operators. 

Key operators 

  • Public administration 
  • Health 
  • Transport 
  • Energy 
  • Drinking water and wastewater 
  • Digital infrastructure 
  • Banking and finance 
  • ICT service management 
  • Space 

Important operators 

  • Food sector 
  • Waste management 
  • Postal and courier services 
  • Manufacturing (e.g., computers, medical equipment, electrical equipment, other machinery, vehicles and trailers, other transport equipment) 
  • Digital services 
  • Research activities 
  • Chemical sector (manufacturing, production and distribution) 

Sanctions – What Happens If I Don’t Comply? 

Under the NIS2 Directive, key actors are subject to active (ex-ante) supervision, while important actors are subject to passive (ex-post) supervision. The authorities have the right to carry out audits of the actor and its data, without prejudice to confidentiality provisions and other restrictions on disclosure, or to require the actor to carry out a security audit of its cybersecurity risk management. 

Companies that fail to comply with the Directive and remedy their shortcomings within the deadline will face sanctions that could have a significant negative impact on their business. 

Sanctions 

  • Temporary interruption of business 
  • Cancellation of a license or certificate to carry on business 
  • Administrative fine for a key operator, up to €10 million or 2% of turnover 
  • Administrative fine for other major operators, up to €7 million or 1.4% of turnover 
  • Restriction of the activities of a manager, e.g. CEO, board member or similar legal representative, for a limited period of time 

How to Get to Grips with the NIS2 Directive?

Tips from Huld’s Cybersecurity Expert:

  1. Check whether the obligations apply to your company. 
  2. Have the attitude that improving cyber security is important and positive. 
  3. Make an honest assessment of whether there is room for improvement in cybersecurity management. 
  4. If you have any doubts, contact an expert to confirm your assessment and develop a follow-up plan. 
  5. Reduce and eliminate risks, streamline and harmonize practices, improve business efficiency and gain a competitive advantage by following the plan. 

What Happens Next? 

The Directive was in consultation from 3 October to 29 November 2023. The review of the feedback and further preparation will start in November 2023. After that, a government proposal on the Directive will be submitted to Parliament in spring-winter 2024. The NIS2 Directive is due to become part of national legislation by October 17th, 2024, and the implementation of regulations will start on October 18th, 2024. 

We are here for you

Our cybersecurity experts can help you secure your business and meet the requirements of the NIS2 Directive. Our experts are ISO 27001 certified and have extensive experience in multidisciplinary security management, governance and risk assessment methodologies. 

Contact us:
Tarmo Kellomäki
Director, Digital Security & Functional Safety
+358 44 562 5222