The Network and Information Security Directive 2 (NIS2) is the European Union’s (EU) updated framework aimed at strengthening cybersecurity resilience across critical sectors. Building on the original NIS Directive (2016), it imposes stricter requirements for risk management, incident reporting, and regulatory oversight. As the transposition deadline nears, organizations must ensure compliance to mitigate risks and avoid penalties.
Who Does NIS2 Apply To?
NIS2 broadens cybersecurity requirements across various industries, classifying entities into Essential and Important sectors, both of which must adhere to compliance obligations.
Essential Entities (Higher Risk, Stricter Rules)
These sectors provide critical infrastructure and are subject to supervision and potential on-site inspections:
- Energy: Electricity, oil, gas, and district heating
- Transport: Air, rail, water, and road transport
- Banking: Financial institutions and payment service providers
- Financial Market Infrastructure: Trading venues and central counterparties
- Health: Hospitals, medical device manufacturers, and laboratories
- Drinking Water & Wastewater: Water supply and wastewater treatment
- Digital Infrastructure: Cloud services, data centers, and DNS providers
- Public Administration: Government agencies at national and regional levels
- Space: Satellite services and ground-based infrastructure.
Important Entities (Moderate Risk, Less Stringent Supervision)
These sectors must still meet compliance requirements but have fewer direct regulatory interventions:
- Postal and Courier Services
- Waste Management
- Manufacturing of Critical Products (e.g., pharmaceuticals, medical devices, chemicals, food production)
- Food Supply Chains (large-scale producers and suppliers)
- Digital Service Providers (e.g., social networks, search engines)
- Research and Development (for critical technologies and security-related fields).
Key Requirements Under NIS2
To comply with NIS2, organizations in the above sectors must implement strong cybersecurity measures, including:
1.Risk Management and Governance
- Implement a Cyber Risk Management Strategy
- Ensure executive accountability (board members can be held personally liable)
- Conduct regular cybersecurity training for employees.
2. Incident Reporting and Response
- Initial report within 24 hours of a major cyber incident
- Full incident report within 72 hours
- Final assessment report within one month.
3. Supply Chain Security
- Organizations must assess third-party risks (including suppliers and IT providers)
- Implement security measures for vendors and outsourced services.
4. Business Continuity and Crisis Response
- Disaster recovery plans to ensure continued operations
- Testing and risk assessments to evaluate resilience against cyber threats.
5. Enforcement and Penalties
- Fines of up to €10 million or 2% of global annual turnover for non-compliance
- Temporary or permanent bans on executives for repeated violations.
How to Prepare for NIS2 Compliance?
Organizations should take these steps:
- Conduct a Cybersecurity Risk Assessment: Identify vulnerabilities in networks and supply chains
- Appoint a Chief Information Security Officer: Assign responsibility for NIS2 implementation
- Develop an Incident Response Plan: Ensure clear protocols for reporting and mitigating breaches
- Train Staff and Leadership: Improve cybersecurity awareness at all levels
- Monitor Regulatory Updates: Stay informed about national implementations of NIS2.
The NIS2 Directive represents a major step forward in EU cybersecurity regulations, aiming to strengthen resilience across critical industries. Businesses must act now to assess their cybersecurity posture, implement necessary safeguards, and avoid non-compliance penalties.
Need expert guidance on NIS2 compliance? Konkrit Solutions can help your organization develop a tailored cybersecurity strategy and ensure full compliance with EU regulations.
