Cybersecurity

NIS2 - New Cybersecurity Obligations for Companies

Complete guide to the NIS2 directive. Learn who it applies to, what obligations it creates, and how to prepare your company for compliance.

nex-IT Team, April 8, 2026, 4 min read

The NIS2 directive is the most significant change in European cybersecurity law in recent years. In this article, you'll learn who it applies to, what it requires, and how to prepare.

What Is NIS2?

NIS2 (Directive (EU) 2022/2555, the second Network and Information Security Directive) is an EU directive that significantly expands cybersecurity requirements for businesses and public bodies. It replaces the original NIS directive from 2016 (Directive (EU) 2016/1148).

Key Changes from NIS1:

  • More sectors covered
  • More companies obligated (including medium-sized)
  • Higher fines for non-compliance
  • Personal liability for management
  • Stricter requirements for security measures

Who Does NIS2 Apply To?

Sectors of High Criticality (Annex I) - Essential Entities

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Health
  • Drinking water and waste water
  • Digital infrastructure (DNS service providers, TLD name registries, cloud, data centres, CDNs, trust services, public electronic communications)
  • ICT service management (managed service providers and managed security service providers, B2B)
  • Public administration
  • Space

Large enterprises in these sectors (250 or more employees, or annual turnover above €50 million and balance sheet total above €43 million) are essential entities and face the strictest supervision. Medium-sized companies in the same sectors are generally classified as important entities. A few providers are essential regardless of size, for example DNS service providers, TLD name registries and qualified trust service providers.

Other Critical Sectors (Annex II) - Important Entities

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organisations

Medium-sized and large companies in these sectors are important entities. They are subject to the same security measures and reporting duties as essential entities, but to lighter (ex post) supervision and lower maximum fines.

Size Thresholds

As a rule, NIS2 applies to medium-sized and large companies in the listed sectors, i.e. companies with:

  • 50 or more employees, OR
  • Annual turnover or balance sheet total above €10 million

Important: Smaller companies can still be in scope in the specific cases listed in Article 2(2) of the directive, regardless of size. Examples are DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks, public administration entities, and any company that is the sole provider in a member state of a service essential for critical societal or economic activities. Suppliers that fall outside the directive themselves will still see its requirements passed down to them contractually by in-scope customers (see Supply Chain Security below).

What Does NIS2 Require?

1. Risk Management

Companies must take appropriate and proportionate technical, operational and organisational measures (Article 21), covering at least:

  • Risk analysis and information system security policies
  • Incident handling
  • Business continuity, including backup management, disaster recovery and crisis management
  • Supply chain security
  • Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

2. Incident Reporting

Significant incidents must be reported to the national CSIRT or competent authority in stages (Article 23). The clock starts the moment the company becomes aware of the incident:

Deadline | Requirement
24 hours | Early warning: whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
72 hours | Incident notification: update of the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
On request | Intermediate status updates to the authority
1 month after the incident notification | Final report: detailed description, type of threat or root cause, mitigation measures applied, and any cross-border impact

Where appropriate, recipients of the service who are potentially affected must also be notified without undue delay.
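The three deadlines interact in a way that is easy to get wrong in an incident runbook: the 24-hour and 72-hour deadlines run from awareness, but the final report runs from the moment the 72-hour notification is actually submitted. The following tracker, an added example and not code from nex-IT or the directive, encodes that rule and refuses naive (timezone-less) timestamps. It assumes "one month" means one calendar month with the day clamped (31 January to 28 February); the counting rule in your national transposition may differ.

```python
"""Tracker for the staged NIS2 incident-reporting deadlines (Article 23).

Added example; assumptions: UTC for all deadlines, 'one month' = one calendar
month with the day-of-month clamped to the target month's length.
"""
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Deadlines counted from the moment the entity becomes aware of the incident.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def _to_utc(t: datetime) -> datetime:
    # Refuse naive timestamps: a deadline that silently depends on local
    # wall-clock time (or a DST change) is a classic incident-response mistake.
    if t.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return t.astimezone(timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb).

    Assumption: check your national transposition for the exact counting rule.
    """
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime,
                        notification_sent_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Return the three deadlines as UTC datetimes.

    The final report is due one month after the 72-hour notification is
    actually submitted; until it has been sent, the latest permitted submission
    time (the 72-hour deadline itself) is used as a conservative baseline.
    """
    aware = _to_utc(aware_at)
    notification_due = aware + INCIDENT_NOTIFICATION
    final_base = _to_utc(notification_sent_at) if notification_sent_at else notification_due
    return {
        "early_warning": aware + EARLY_WARNING,
        "incident_notification": notification_due,
        "final_report": add_one_month(final_base),
    }


def overdue_reports(aware_at: datetime, now: datetime,
                    submitted: Dict[str, datetime]) -> list:
    """Names of reports whose deadline has passed without a recorded submission.

    `submitted` maps report name -> submission time for reports already filed.
    """
    deadlines = reporting_deadlines(aware_at, submitted.get("incident_notification"))
    now_utc = _to_utc(now)
    return [name for name, due in deadlines.items()
            if name not in submitted and now_utc > due]


if __name__ == "__main__":
    # Constructed sample: the SOC confirms a significant incident on
    # 31 January 2025 at 10:00 UTC.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    for name, due in reporting_deadlines(aware).items():
        print(f"{name:22s} due {due.isoformat()}")
    # Early warning filed, nothing else: only the 72-hour notification is
    # flagged at 09:00 on 4 February.
    now = datetime(2025, 2, 4, 9, 0, tzinfo=timezone.utc)
    filed = {"early_warning": datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)}
    print(overdue_reports(aware, now, filed))
```

Feed `overdue_reports` from your ticketing system's timestamps and alert on a non-empty result; the conservative final-report baseline means the alert can only become earlier, never later, once the real notification time is recorded.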

3. Supply Chain Security

You're responsible for the risk your suppliers and service providers introduce, including the security of the products and services you buy:

  • Assessment of the security practices of direct suppliers and service providers, including their secure development procedures and known vulnerabilities in their products
  • Security requirements in contracts (incident notification, vulnerability handling, right to audit)
  • Regular audits of critical suppliers
  • Taking into account the results of EU-level coordinated risk assessments of critical supply chains

4. Management Responsibility

Company leadership must:

  • Approve security measures
  • Undergo cybersecurity training
  • Be personally accountable for compliance

Penalties for Non-Compliance

Essential Entities:

  • Administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher

Important Entities:

  • Administrative fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher

Personal Liability and Other Sanctions:

  • Members of the management body can be held personally liable for breaches of the risk management obligations
  • For essential entities, authorities can temporarily prohibit a CEO or legal representative from exercising managerial functions until the breach is remedied
  • Certifications or authorisations for the affected services can be temporarily suspended
  • Supervisory authorities can also issue warnings and binding instructions, order audits, and order public disclosure of the non-compliance

NIS2 Compliance Checklist

Governance

  • Assign cybersecurity responsibility at board level
  • Conduct management cybersecurity training
  • Document security policies and procedures
  • Establish security governance structure

Technical Measures

  • Implement risk assessment methodology
  • Deploy appropriate security controls
  • Enable logging and monitoring
  • Configure backup and recovery systems
  • Implement access control (MFA, least privilege)

Incident Response

  • Create incident response plan
  • Establish reporting procedures
  • Test incident response regularly
  • Document communication channels with authorities

Supply Chain

  • Inventory critical suppliers
  • Assess supplier security practices
  • Include security requirements in contracts
  • Plan for supplier audits

Training

  • Regular staff awareness training
  • Technical training for IT team
  • Document all training activities

Timeline

  • 16 January 2023 - NIS2 enters into force
  • 17 October 2024 - Deadline for member states to transpose the directive into national law (many missed it, so the exact obligations and dates depend on your national act)
  • 18 October 2024 - NIS1 repealed; NIS2 rules apply
  • 2025 onward - National laws enter into force and supervisory authorities begin enforcement; check the status in your country
  • Ongoing - Compliance is continuous, not a one-off certification

How to Start Preparing?

Step 1: Assessment

Determine if NIS2 applies to your organization and in which category.

Step 2: Gap Analysis

Compare current security measures against NIS2 requirements.

Step 3: Roadmap

Create an implementation plan with priorities and deadlines.

Step 4: Implementation

Deploy missing security measures and procedures.

Step 5: Continuous Improvement

Regular reviews, updates, and training.

How Can We Help?

nex-IT offers comprehensive NIS2 compliance support:

  • NIS2 applicability assessment
  • Gap analysis and risk assessment
  • Security infrastructure implementation
  • Policy and procedure development
  • Staff training
  • Ongoing monitoring and support

Contact us - we'll help you achieve NIS2 compliance!

Tags: NIS2, cybersecurity, compliance, EU directive, security
