The NIS2 Directive establishes a series of measures aimed at achieving a high common level of cybersecurity in essential and important companies throughout the European Union, in order to optimise the functioning of the internal market, and increase the competitiveness and productivity of these companies. This European directive was approved on 14 December 2022 and each state will have to transpose it into mandatory law by 17 October 2024.

So, if you are a CEO, CTO, CISO or Systems Administator, this is of interest to you.

What is the NIS2 Directive?

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity throughout the Union (NIS2) is an evolution of NIS1, which aims to address identified shortcomings, extending its scope, and introducing a more comprehensive and harmonised approach to cybersecurity. NIS2 focuses on better risk management, internal security analysis and audits, as well as supply chain management.

Its key objectives are:

• Establish standard cybersecurity requirements for businesses and organisations across the EU.
• Broaden the scope of NIS to cover more sectors and entities.
• Introduce stricter incident reporting obligations and enforcement measures.
• Promote better collaboration and information sharing on threat intelligence between Member States.
• Ensure a high level of IT security and operational resilience for companies as a standard across the EU.

Basic principles of the NIS2

This new regulation introduces a broad set of basic principles that it implements as minimum cybersecurity requirements that companies will have to comply with:

• Risk Assessment and Risk Management: Organisations must establish formal policies and procedures to conduct periodic risk assessments, identify vulnerabilities and implement appropriate security controls to manage identified risks,
• Incident Response and Notification: Organisations should have clearly assigned roles and responsibilities within the team to best respond to incidents, as well as established procedures for notifying designated authorities when incidents occur.
• Access Control and Authentication: Effective access controls, such as the use of multi-factor authentication, need to be implemented to prevent unauthorised access to systems and information
• Supply Chain Security: Organisations should identify and manage cybersecurity risks throughout their supply chain, and implement appropriate security measures in their relationships with direct suppliers and contracted services.
• Data Protection and Encryption: Organisations must ensure that data is kept confidential, integral and available, using techniques such as encryption and other data protection measures.
• Vulnerability Management: Organisations should have processes in place to identify and manage vulnerabilities, including regular assessments and prompt patching of identified vulnerabilities.
• Backups and Business Continuity: It is crucial that organisations have strong capabilities to manage backups and disaster recovery plans, ensuring continuity of essential services in the event of disruptive incidents.
• Cybersecurity Awareness and Training: Organisations are required to provide regular training programmes tailored to management and employees on cybersecurity so that their staff are prepared to recognise and respond to cyber threats.
• Governance and Accountability: Organisational management must be actively involved in the oversight and approval of cybersecurity measures, risk management strategies and incident response plans.

Companies that need to comply

There are 3 criteria that a company must meet in order to be obliged to comply with the NIS2 regulation:

1. Be based or provide services in an EU country.
2. Belong to one of the sectors considered critical mentioned in Annex I of the directive, which will be listed in the following section.
3. Be a medium-sized or large company. A medium-sized company is one that has between 50 and 250 employees and does not exceed 10 million in revenue. A large company exceeds 250 employees and 10 million turnover.

Generally speaking, if a company is medium-sized and is in one of the critical sectors, it will be considered a significant entity, and if it is a large company, it will be considered an essential entity. There are other cases in which an entity may be considered essential even if it is a micro-enterprise, such as if only this company provides a service considered critical or if an incident caused a significant disruption in any sector considered critical.
Important; it is possible not to be directly affected because you are not of sufficient size, or not in a critical sector, but still have to comply "voluntarily" because you are part of the supply chain of an essential or important affected company. The directive strongly emphasises that suppliers must have the same level of security as the companies themselves. 

Sanctions for non-compliance

The strengthening of companies has become a priority issue for the European Commission and the states, so failure to comply with the NIS2 regulation has severe penalties that include cancellation of licences and administrative fines of up to 10 million euros or 2% of turnover. There are also fines, disqualifications and criminal liabilities for individuals on the board of directors of a non-compliant company. In addition, a "hall of shame" will be published where the full names of those sanctioned in the last five years will be made public, which could affect their future employment opportunities.

Sectors identified as critical by NIS2

High Criticality Sectors:

• Energy
• Transport
• Banking
• Financial market infrastructures
• Healthcare 
• Drinking and waste water
• Digital infrastructure
• ICT services (B2B)
• Public administration
• Space

Other Critical Sectors:

• Postal and Courier Services
• Waste Management
• Chemical manufacturing and distribution
• Food Production and Distribution
• Manufacturing 
• Digital Service Providers
• Research

*The final list of sectors will have to wait for the directive to be transposed into law. It should be noted that with the previous version the Spanish government added more essential services sectors to harmonise them with those in the annex of Law 8/2011, of 28 April, which establishes measures for the protection of critical infrastructures.

How to Prepare for NIS2 Compliance

In order to achieve compliance, we can summarise the activities to be carried out as follows:

1. Develop a risk management programme.
2. Develop and deliver an ICT security training plan for C-Suite, directors, managers and key employees.
3. Implement a basic framework of ICT hygiene measures.
4. Develop a business continuity plan that includes a disaster recovery plan.
5. Develop a human resources security and access control plan.
6. Allocate sufficient budget and resources.
7. Develop a plan and controls for vulnerability management.
8. Draft a set of security policies and procedures that are considered basic.
9. Review and harmonise your supply chain security.
10. Increase network and hardware security.

NIS2 compliance. An opportunity to grow 

At GrayHats we firmly believe that complying with this regulation is not only a legal obligation, but an opportunity to improve the security and resilience that your company needs to grow in a solid and sustainable way. 

If you believe your company needs to comply with this regulation and would like to know more about our comprehensive NIS2 compliance service, please contact us at info@grayhats.com.