What is the NIS2 Directive and What is it for?

Cybersecurity has become an imperative priority for all organizations. The entry into force of the NIS2 Directive in January 2023 has marked a new horizon in the protection of critical infrastructures within the European Union. This new regulation not only raises the bar for security, but also expands its scope to a wide range of sectors.

The NIS2 Directive (Directive (EU) 2022/2555) is a regulation of the European Parliament and of the Council that seeks to ensure a high level of cybersecurity throughout the European Union. It is based on three fundamental pillars: cybersecurity controls, risk management, and governance and cooperation. From the implementation of policies and procedures to continuous monitoring and incident management, NIS2 provides a comprehensive framework for safeguarding digital operations.

When Does NIS2 Come into Effect?

It came into force in January 2023, marking the beginning of the transposition period for the Member States, which have until October 17, 2024 to incorporate it into their national legislation and until January 2025 to communicate the applicable sanctioning regime to the European Commission. By 2025, the entities considered essential and important will be determined, and in 2027 the Commission will review the functioning of the Directive and report on it to the Parliament and the Council.

Who Does it Apply to?

The EU considers that companies and organizations with more than 50 employees and a turnover of more than 10 million euros must comply with this regulation. The Directive classifies entities according to the criticality of the sector they operate in, identifying sectors of high criticality such as:

  • Energy
  • Banking
  • Financial
  • Transportation
  • Healthcare sector
  • Digital infrastructure
  • Drinking water and wastewater
  • ICT service management (B2B)
  • The public administration is also part of this group, although the judiciary, parliaments and central banks are excluded.

On the other hand, it also affects other critical sectors that include:

  • Research
  • Chemical
  • Food
  • Postal services
  • Digital providers
  • Waste management

These sectors, although not marked as highly critical, are also fundamental for the sustenance and security of essential infrastructures and services in a national and European context.

What are Important and Essential Entities?

The Directive identifies two types of entities: “Essential Entities” and “Important Entities”. The essential ones are those that belong to the sectors of high criticality and exceed the size thresholds laid down, as well as qualified trust service providers, top-level domain name registries and DNS service providers, regardless of their size. Also classed as essential are providers of public electronic communications networks or of publicly available electronic communications services that qualify as medium-sized companies, public administration entities, any other entity from the other critical sectors that a Member State identifies as essential, the critical entities identified under the CER Directive and, where the Member State so provides, the entities identified as operators of essential services under the previous NIS Directive.

The “Important Entities” are those that, although not in sectors of high criticality, are vital for the economy and society.

Highlights of NIS2

Governance and Responsibility

The NIS2 Directive requires that the member states of the European Union ensure that the management bodies of the organizations not only approve, but also supervise the application of cybersecurity risk management measures. These governing bodies can be held liable for infringements of the provisions of Article 21 of the Directive. It is imperative that the governing bodies keep up to date on cybersecurity training, transmitting this knowledge to their employees.

Security Requirements

Article 21 of the Directive points out the obligation of entities to implement a strategic and holistic approach to cybersecurity risk management. Key points include:

  • Development of information security policies and risk analysis.
  • Implementation of a complete incident management process.
  • Ensuring operational continuity and backup management.
  • Strengthening security in the supply chain.
  • Security management in the acquisition, development and maintenance of systems.
  • Evaluation of the effectiveness of cyber risk management measures.
  • Maintenance of basic cyber hygiene practices and cybersecurity training.
  • Use of cryptography and encryption as protective measures.
  • Implementation of access control and asset management policies.
  • Adoption of multi-factor or continuous authentication solutions.

Cybersecurity Information Exchange Mechanisms

Article 29 mentions the information exchange mechanisms and the circumstances in which the entities subject to the Directive must carry out said exchanges. The main objective is to prevent, detect or respond to incidents, recover from them or reduce their impact, thus reinforcing the level of cybersecurity of the entities.

Incident Notification

Article 23 stipulates that Member States must ensure that essential and important entities notify their designated CSIRT or the competent authority of any incident that has a significant impact on the provision of their services. The security incident notification process is divided into four phases: incident detection, initial notification, intermediate notification and final notification.

Role of the Competent Authorities

The competent authorities play a crucial role in ensuring cybersecurity within the European Union, carrying out thorough inspections, specialized audits and remote supervision. They can impose administrative sanctions on the management bodies and suspend operations of an essential entity if necessary.

Sanctioning Regime

A deadline of January 17, 2025 has been established for member states to communicate their respective sanctioning regimes to the EU. The economic sanctions for organizations that fail to comply with the established regulations are significant:

  • Essential entities: up to €10,000,000 or 2% of the total worldwide annual turnover of the previous year.
  • Important entities: up to €7,000,000 or 14% of the total worldwide annual turnover of the previous year.

Relationship between NIS2, ISO 27001, DORA and PIC/CER

The NIS2 Directive is complemented by several other frameworks and regulations that together provide a comprehensive approach to cybersecurity and operational resilience. Here are some of the key relationships:

  1. ISO 27001:
    • Information Security Management: ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and improving an information security management system (ISMS). NIS2 complements ISO 27001 by providing a broader regulatory framework that includes risk management and incident reporting at EU level.
    • Policies and Procedures: Both frameworks require organizations to develop and maintain information security policies and procedures, although NIS2 has a more specific focus on certain critical sectors and on mandatory incident reporting.
  2. DORA (Digital Operational Resilience Act):
    • Digital Operational Resilience: DORA, which applies primarily to financial entities, establishes operational resilience requirements that are consistent with the requirements of NIS2. Both regulations seek to ensure that entities can withstand and recover from disruptive incidents.
    • Assessment and Testing: Both DORA and NIS2 emphasize the importance of continuous assessment and regular testing of security and resilience systems, including penetration testing and incident simulation exercises.
  3. CER Directive (Critical Entities Resilience):
    • Protection of Critical Infrastructures: The CER Directive focuses on the resilience of critical entities against a wide range of threats, including cyber threats. NIS2 and CER are aligned in their objective of protecting critical infrastructures, although NIS2 has a more focused approach on cybersecurity.
    • Cooperation and Governance: Both directives highlight the need for cooperation and effective governance between Member States and critical entities to improve security and resilience at European level.

Where to Start? How Do I Deal with NIS2 Compliance?

GlobalSuite Solutions offers comprehensive coverage to help you meet the requirements of the NIS2 Directive. Our solutions include:

  • Risk management framework
  • Incident management, classification and notification process
  • Digital operational resilience program
  • Procedure for conducting threat-led penetration tests
  • System that deploys ICT security tools, policies and procedures
  • Business continuity policy and recovery plans
  • System for learning and evaluating vulnerabilities, incidents and cyberattacks
  • Drafting of policies and regulations / Risk analysis and management: GDPR, ENS, NIS2, ISO 27001/22301, DORA
  • Data Protection Laws and Relations with Public and Supervisory Bodies

At GlobalSuite Solutions, we are prepared to help you comply with the NIS2 Directive in a comprehensive manner. Our suite of tools and services is designed to address each of the NIS2 requirements, from risk management to incident notification and operational continuity. Schedule a one-on-one call with our experts to learn how our solutions can be tailored to your organization’s specific needs and ensure regulatory compliance efficiently and effectively. Transforming your cybersecurity approach has never been easier with the help of GlobalSuite Solutions.