TL;DR

In this blog post, we’ll go through how the NIS2 Directive differs from the original NIS Directive, and how its field of relevance has expanded to apply to at least 500% more organisations.

In an effort to raise the cyber capabilities of all EU member states, NIS2 increases cross-border collaboration to improve the flow of information about newly discovered incidents, threats, and vulnerabilities, and introduces other new initiatives that aim to raise the cybersecurity level of critical services.

This post also outlines the key reasons why your organisation should prepare for NIS2 and provides guidance on how an organisation can achieve compliance.

Why does the NIS2 Directive exist?

The European Union (EU) has started to take several regulatory measures against cyber threats. To name a few that you might have heard of, we have the General Data Protection Regulation (GDPR), the Cybersecurity Act, the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act. All of these are pieces of EU legislation designed to increase cybersecurity within the Union.

Another piece in this puzzle is the Network and Information Systems Directive (The NIS Directive). The goal of the original NIS Directive was to make the EU more resilient to cyber threats by strengthening the cybersecurity of critical services. However, due to some problems with the original NIS Directive, the EU launched the NIS2 Directive in December 2022 to address the previous problems and to further strengthen cybersecurity in the EU.

Who needs to comply with the NIS2 Directive?

The sectors that were within the scope of the first NIS Directive remain in scope, so an organisation that had to comply with the original directive also has to comply with the new NIS2 Directive. However, many new sectors also have to comply with the NIS2 Directive; all of the affected sectors are listed in the table below.

A new size-cap rule is introduced in the NIS2 Directive to make it easier for organisations to identify themselves as a critical service. There are some exceptions to the size-cap rule, but to summarise and simplify it: your organisation falls within the scope of the NIS2 Directive if it belongs to one of the Essential Entities sectors, has over 250 employees, and has an annual turnover above 50 million EUR or an annual balance sheet total above 43 million EUR. Your organisation is also within scope if it belongs to one of the Important Entities sectors, has over 50 employees, and has an annual turnover or annual balance sheet total above 10 million EUR.

The European Commission expects the number of organisations within the scope of the NIS2 Directive to increase by at least 500%, so even if your organisation was not affected by the first NIS Directive, there is a good chance that NIS2 will have an impact on it.

Do Norwegian organisations have to comply with the NIS2 Directive?

The quick answer is: not yet. However, critical services in Norway will have to comply with the Norwegian implementation of the original NIS Directive, Digitalsikkerhetsloven, when it is finalised. It is worth noting that if the NIS2 Directive is incorporated into the European Economic Area (EEA) agreement, critical services in Norway that are within scope will eventually have to follow the obligations in the NIS2 Directive. Even if the NIS2 Directive is not incorporated into the EEA agreement, Norwegian organisations may still need to meet NIS2-derived third-party requirements if they deliver services to an organisation that operates within the EU.

What do you need to do if you’re within the scope of the NIS2 Directive?

In short, you need to follow the cybersecurity risk-management measures and reporting obligations listed in Chapter IV of the NIS2 Directive. The cybersecurity risk-management measures require organisations to take a systematic, risk-based approach to minimising cyber incidents, and they list the minimum security measures that every affected organisation must implement to protect its network and information systems. The security measures that all affected organisations should adopt are listed below.

Besides applying a risk-based approach, organisations within the scope of the NIS2 Directive also have to comply with reporting obligations. These obligations exist because the EU wants to raise all member states' cyber capabilities, and that requires cross-border collaboration so that information spreads when new incidents, threats, and vulnerabilities are discovered. Therefore, an organisation that encounters a significant incident has to give an early warning to the national CSIRT (Computer Security Incident Response Team) or, in some cases, to the relevant competent authority.

The early warning must be given without undue delay, and in any event within 24 hours of the organisation becoming aware of the incident. Within 72 hours, a notification must be submitted with an initial assessment of the incident, including its impact, severity, and indicators of compromise. Within one month, a final report must be produced that includes any possible cross-border impact, a comprehensive description of the incident, ongoing and applied mitigation measures, and the root cause of the incident.

What are the consequences of not complying with NIS2?

So, what could the consequences be if your organisation is affected by the NIS2 Directive but does not follow its requirements and obligations? First of all, supervisory powers have been strengthened in the NIS2 Directive, which means that audits are more likely to occur. If an organisation is unable to meet the requirements and measures, it can be subject to an administrative fine.

The size of the fine depends on the situation and on whether your organisation is classified as an essential or an important entity. The maximum is 10 000 000 EUR or 2% of total annual turnover for essential entities, and 7 000 000 EUR or 1.4% of total annual turnover for important entities. In addition to administrative fines, temporary suspension of top management is also a potential penalty if the organisation fails to comply with the NIS2 Directive.

Why should you get started now?

Each EU member state must transpose the NIS2 Directive into its own legislation no later than the 17th of October 2024, and organisations should be ready to comply as soon as the national law is in place, because one day later, on the 18th of October 2024, organisations within scope will be required to meet the obligations in the NIS2 Directive.

How can you get started now?

First of all, make a thorough analysis of whether or not your organisation is within the scope of the NIS2 Directive. Once that is done, follow the national discussion about the NIS2 Directive to get a better picture of how it will be implemented in your national law.

If you have identified that your organisation is within the scope of the NIS2 Directive, you should strongly consider implementing an Information Security Management System (ISMS). An ISMS is a risk-based management system that allows an organisation to work systematically with information security. It contains the policies, procedures, and controls that help an organisation establish and maintain an appropriate and proportionate security level over time. Everything in an ISMS should be aligned with the organisation and its business strategy.

The ISMS will assist your organisation in identifying assets, vulnerabilities, and threats and in mapping them against the accepted risk level. An ISMS implementation should always be risk-based and cost-effective; it can be based on established information security standards such as ISO 27001 and NIST CSF, or it can be tailored to your organisation and its needs. The ISMS will therefore help your organisation achieve effective NIS2 compliance while promoting ongoing monitoring and maintenance of your security level, strengthening the protection of your organisation's digital assets.

It is important to note that a complete ISMS is not built in a day. The exact time is hard to generalise because it depends on the size of your organisation, your current measures, and the scope of the ISMS. Based on our experience, it takes at least 6-9 months if you want your ISMS to be certified against a standard such as ISO 27001, while a smaller risk-based ISMS usually takes between 3-6 months.

Concluding remarks

As previously mentioned, an ISMS takes time to implement, and NIS2 will be enforced in less than one year. Because of this, it is a good idea to start as soon as possible so that your organisation will be ready to meet the legal requirements. However, it is also important to remember the underlying reason why an organisation should develop an ISMS and follow the NIS2 obligations: to protect itself from threats.

An ISMS, together with the minimum security measures listed in the NIS2 Directive, is not just boring compliance work. These are, in fact, sound security measures that all organisations, regardless of their compliance obligations, should consider implementing to resist common attacks such as phishing and social engineering, while also raising the organisation's cybersecurity maturity level. Not sure where to start, or need assistance on your security journey? Feel free to reach out.