The NIS2 Directive and how to prepare for compliance

The NIS2 Directive, published in December 2022, sets out a series of measures for improving cyber risk management throughout the European Union. All EU member states must apply the Directive as part of national law by October 2024. By the same date, all applicable organizations must comply with the measures set out in NIS2.

NIS2 supersedes the previous version of the NIS Directive, which applied to far fewer companies and received criticism for its lack of clarity and uniformity in how member states should implement it. This article describes the scope and key obligations of NIS2 compliance and describes how penetration testing and risk-based vulnerability management facilitates your company’s compliance.

What does the NIS2 Directive cover?

Aside from the implementation limitations with the first version of NIS, one of the key drivers behind strengthening the Directive is a far more menacing cyber threat landscape. The original NIS Directive stretches back to 2016 when attacks like ransomware were rarer and significantly less costly for companies. To drive the point home, cyber-crime cost $0.7 trillion worldwide in 2017; this figure now stands at $8,15 trillion in 2023.

Also, the Covid 19 pandemic drove accelerated digital transformation in many critical sectors, so there is a wider attack surface than ever for hackers to exploit. And, different services and sectors are more interdependent and interconnected

NIS and NIS2: What’s the difference?

The three main changes between NIS and NIS2 are as follows:

  1. NIS2.0 adds a host of new economic sectors to extend its scope to far more of the organizations that play important roles in modern digital ecosystems.
  2. Removes inconsistencies in implementation by clarifying the security, incident reporting, and enforcement requirements that apply to all organizations and all member states.
  3. Establishing planning, crisis management, and increased collaboration between member states in the event of large-scale cybersecurity incidents with the potential for systemic impacts.

NIS2 scope

To understand just how significant the extended scope of NIS2 is, let’s look at the new sectors included in it:

  • Public electronic communications networks or service providers
  • Waste water and waste management
  • Manufacturers of critical products like chemicals and medical devices
  • Food
  • Digital services like social networking and data center services
  • Aerospace
  • Postal and courier service
  • Public administration

These sectors are additions to the seven sectors already included in the first version of NIS: healthcare, digital infrastructure, transport, water supply, digital service providers, energy, banking and financial market infrastructure.
The Directive designates two separate categories of entities that fall under the scope of its requirements:

  1. Essential entities — organizations operating in a critical sector where a cyber disruption might cause serious harm to an economy or society (e.g. healthcare and energy). A size threshold also applies here, where essential entities in these critical sectors must have at least 250 employees OR an annual turnover of at least €50 million OR an annual balance sheet of at least €43 million.
  2. Important entities — these are either medium organizations operating in a critical sector or medium and large organizations operating in any of the sectors other than the critical sectors. To meet the threshold for medium size, organizations must have at least 50 employees OR an annual turnover (or balance sheet total) of at least €10 million.

Both categories of entities have to comply with the Directive. The main difference is that if you are an essential entity, your compliance is proactively supervised; important entities only get monitored if a non-compliance incident occurs and gets reported.

NIS2: Ten key obligations

To make it easier for companies to understand their obligations and achieve a high level of common cybersecurity, NIS2 sets out ten essential cyber risk management measures.

  1. Have policies outlining approaches to both risk assessment and general information security.
  2. Put in place appropriate plans for security incident handling.
  3. Have policies and procedures like testing and auditing that help evaluate the effectiveness of security measures.
  4. Address supply chain security and define the relationships and connectivity between your company and your suppliers.
  5. Strengthen authentication through multi-factor authentication, or continuous authentication solutions. Similarly, secure voice, video and text communications through encryption.
  6. Ensure cybersecurity training and basic cyber hygiene for users.
  7. Have business continuity plans that include backup management, disaster recovery, and crisis management steps.
  8. Prioritize security when acquiring network and information systems, developing and maintaining such systems through measures like vulnerability handling and disclosure.
  9. Establish policies and procedures regarding the use of cryptography and, where appropriate, encryption.
  10. Address human resources security, implement access control policies, and perform effective asset management.

The EU regards this combination of technical, operational, and organizational measures as sufficient for achieving the minimum desired levels of improved cyber risk management and bolstered cyber resilience for organizations that fall under the scope of NIS2.

NIS2 reporting obligations

Perhaps reflecting the fact that delays in breach notifications or other security incidents continue to make media headlines and cause unnecessary extra risks, the EU takes a hard line in NIS2 with its reporting obligations:

  • Companies that suffer from a significant incident must notify competent authorities or their country’s national computer security incident response team (CSIRT) within 24 hours of discovering such an incident.
  • The next requirement is within 72 hours of incident discovery you have to update your original incident notification with an initial assessment that includes the severity, impact, and any indicators of compromise if detected.
  • Upon request from competent authorities or the CSIRT, provide an intermediate incident report or other status updates about the incident.
  • No later than one month after the first incident report, submit a final report that details incident severity and impact, the type of threat or root cause, mitigation measures taken, and any cross-border impact if observed.

Most of the time you’ll report to your country’s CSIRT, but for member states like France, Belgium, or Germany, you can also report security incidents to the designated competent authorities in those countries.

NIS2 governance and enforcement

As with many other regulations, there are penalties involved for non-compliance with either the necessary cyber risk management measures or the reporting obligations. NIS2 imposes hefty monetary penalties to encourage organizations to align with its requirements and ensure the risks are truly understood.

Each member state can decide its own appropriate fines, but the upper bound on maximum applicable fines for NIS2 breaches is at least:

  1. Essential Entities: Either €10 million or 2% of global annual revenue
  2. Important Entities: €7 million or 1.4% of global annual revenue

The higher of the two figures for each type of entity ends up as the ultimate payable penalty. NIS Directive 2.0 is not restricted to monetary penalties, though. The Directive’s punitive measures include provisions on the liability of those holding senior management positions in the event of cyber incidents in which a company displays gross negligence.

The aim here is to take away the burden of security from just IT departments and ensure that senior managers are responsible for implementing NIS2’s safeguards. Potential further consequences can include:

  • Having to make compliance violations public and therefore affecting your organization’s reputation.
  • Making public statements that identify the senior manager responsible for the violation.
  • In the case of repeated violations at essential entities, a temporary ban on responsible individuals holding management positions at the company.

Does NIS2 apply if you’re outside the EU?

Extraterritoriality is a feature of EU regulations like GDPR that contribute to the EU region’s reputation for the world’s most stringent privacy and security regulations. It’s imperative to understand that NIS2 does indeed have an extraterritorial scope. In particular, if you are not established in the EU but offer services in the EU, you’ll likely need to comply if your company fits within the scope of the Directive’s sectors and company sizes.

The extraterritorial rules state that you should establish a representative in one of the member states where your company offers its services. That member state then becomes the nation under which jurisdiction and enforcement of the Directive fall for your company. Without a designated representative, any member state in which you operate can take legal action for non-compliance with NIS2 obligations.

How penetration testing can help with NIS2 compliance

Of particular note in the ten essential measures that organizations must implement is the need to test and audit your security measures. Penetration testing is one of the best ways to achieve this because it tests measures to their limit using the logic and skills that real-world threat actors deploy. To avoid hefty breaches and reputational damage, pen testing is a cornerstone part of aiding with NIS2’s objective of strengthening cybersecurity across the EU.

Outpost24’s penetration testing services offer a proactive and systematic approach to identifying and mitigating vulnerabilities in your networks and systems. These simulated attacks, carried out by our team of security experts, attempt to breach any software and hardware from a hacker’s perspective. Our pen testing helps you align with the NIS2’s focus on risk management and incident response, ensuring the resilience of your networks and information systems.

How a vulnerability management program can help with NIS2 compliance

Another pivotal way to strengthen cyber risk management is by properly managing vulnerabilities. Risk-based vulnerability management is a proactive approach to cybersecurity that considers the likelihood of a vulnerability being exploited and the potential impact of events when deciding which vulnerabilities to remediate.

Risk-based vulnerability management also includes detailed documentation and reporting of identified vulnerabilities, their associated risks, and the steps taken to address them. This information is critical for the incident reporting requirements of NIS2.

Outscan NX is Outpost 24’s risk-based vulnerability management solution. Our platform provides comprehensive coverage across internal, external and cloud environments with threat intelligence-led scanning, real-time risk scoring, actionable solution-based reports, and tons more features. Access all of this through a clear and user-friendly interface.

The NIS2 directive’s aim of improving cyber risk management in the EU is clear, and the deadlines are in place. Implement Outscan NX today to better align your company’s cybersecurity program with the NIS2 requirements and obligations.