Introduction to NIS2 Directive compliance
The NIS2 Directive addresses cybersecurity inconsistencies among EU member states and enhances cooperation. Aligned with the European digital single market strategy, it expands its reach to include more sectors and sub-sectors. It applies to all entities that meet certain conditions, regardless of size. The directive enforces compliance audits, incident notifications, and detailed risk management requirements. Additionally, it sets minimum sanction standards and introduces EU Cyclone and civil security bodies to support cross-border coordination. Organisations must understand their sector’s role within the NIS2 framework, prepare promptly, and assess their compliance and maturity levels.
Refer to the Timeline image below for key dates associated with the NIS and NIS2 Directives, from the initial NIS publication to the upcoming NIS2 compliance deadline.
Why cyber threats necessitate stricter security measures
Cyberattacks have become a significant threat for European states, activists, and SMEs. The original NIS directive, adopted in 2016, was Europe’s first major cybersecurity legislation. However, increasing tensions in cyberspace have led to severe attacks on essential sectors, such as hospitals, government bodies, and critical infrastructure. For instance, recent conflicts involving Russia have intensified cyber activity, targeting critical assets.
These cyberattacks now disrupt not only large organisations but also smaller entities. France’s cybersecurity authority, ANSSI, reported that over 52% of ransomware attacks in 2021 and 2022 targeted SMEs. This has pushed member states to expand sanctions and obligations, ensuring better NIS2 Directive compliance and a stronger cybersecurity framework.
Refer to the Goals of NIS1 and NIS2 image below to understand how NIS1’s goal of achieving a high common cybersecurity level evolved into the more comprehensive goals of NIS2.
Understanding why NIS2 was developed and how it fits into EU legislation
The EU introduced NIS2 to address the gaps identified in NIS1 and adapt to new cybersecurity challenges. NIS1 allowed member states significant flexibility, which resulted in inconsistent enforcement. NIS2 resolves these issues by mandating uniform cybersecurity obligations. It fits within a broader EU legislative framework that includes sectoral regulations, where specialised rules take precedence. For example, regulations for the financial sector override general NIS2 mandates.
To optimise NIS2 Directive compliance, organisations should analyse all relevant regulations in their sectors. Broader regulations, like GDPR, may also complement NIS2 requirements, enhancing overall security and compliance measures.
The European Strategy and Complementary Regulations image below provides a clear view of how NIS2 aligns with other EU cybersecurity strategies, including sectoral and specific regulations.
Key improvements and compliance measures in NIS2
NIS2 expands the sectoral scope significantly, from 30 types of entities under NIS1 to 67. It now covers all entities meeting certain criteria, ensuring that SMEs also comply. Additionally, organisations are required to verify their supply chain’s adherence to NIS2 standards.
The directive mandates compliance audits conducted by national cybersecurity authorities. Incident notifications follow strict timelines: 24 hours for initial notifications, 72 hours for detailed updates, and one month for comprehensive reports. These measures ensure consistency in incident responses. Although the final definition of critical incidents is still pending, guidelines are expected before the October 2024 deadline.
NIS2 addresses inconsistencies in sanctions by setting clear minimums. Sanctions vary based on whether an entity is classified as essential or important. This classification depends on size and other criteria, influencing the obligations and controls applied for NIS2 Directive compliance.
Scope expansion under NIS2 Directive compliance
NIS2 categorises entities into essential and important categories, outlined in Annexes 1 and 2. Essential entities face stricter controls and higher administrative fines, while important entities share similar obligations but face lower penalties. The differentiation is not solely based on Annex separation; it involves specific criteria.
Compliance with NIS2 requires meeting various organisational and security requirements. These include internal control measures, access management, and incident reporting. Establishing processes, policies, and documentation is necessary for adherence. Conducting a preparatory analysis helps organisations understand their current maturity level and supports effective action planning.
Refer to the Scope Expansion of NIS2 image below to visualise the extensive sectoral coverage of NIS2 and see how it compares to NIS1.
Preparing for NIS2 compliance: Key steps and recommendations
Organisations should not delay preparation for NIS2 compliance. The directive’s final version was adopted last December, and member states have until October 2024 for transposition. Early preparation is essential to conduct assessments, create plans, and implement necessary measures.
Starting early helps organisations identify gaps and align strategies with NIS2 Directive compliance. This enables them to estimate remediation costs and timelines effectively. To prepare efficiently, organisations should understand their sector and classification under NIS2. Devoteam’s method supports clients in understanding these requirements and developing compliance strategies.
The NIS2 Timeline image below offers a complete view of the significant dates in the NIS2 Directive journey, from initial proposals to the final compliance deadline.
Evaluating organisational maturity for effective NIS2 compliance
Large organisations often have different entities that may fall under various NIS2 categories. Understanding the impact across essential, critical, and high-criticality sectors is crucial. NIS2 uses complex criteria for categorisation, which affects obligations and enforcement levels.
Devoteam’s micro-audit methodology assesses an organisation’s maturity in governance, incident response, and crisis management. This analysis identifies compliance gaps and strengthens overall resilience. In some cases, these audits have revealed critical security risks that, once addressed, improved the organisation’s defences beyond basic NIS2 Directive compliance.
Conclusion
Achieving NIS2 Directive compliance is crucial for enhancing cybersecurity throughout Europe. The directive corrects the inconsistencies seen in NIS1 and enforces a unified approach across member states. By expanding its scope and setting clear compliance measures, NIS2 aims to create a more secure and resilient digital environment. Organisations must act now to meet the October 2024 deadline. Early preparation helps identify compliance gaps, align strategies, and maintain trust in an increasingly competitive landscape. This ensures that organisations are not only compliant but also better protected against evolving cyber threats.
NIS2 Compliance: Are You Ready?
Speak with our experts today.