What Security Teams Need To Know About The EU’s NIS 2 Directive

The deadline to get compliant with the EU’s NIS 2 Directive is here. And this isn’t just a minor update from its NIS 1 predecessor—it’s a major expansion that carries with it new challenges and obligations.

The directive now covers a whopping 300,000 organizations, up from just 20,000 under NIS 1. Sectors like aerospace, public administration, digital services, postal and courier services, and food production are now included. Organizations are classified into “essential” or “important” entities based on size and criticality to the economy.

Security teams need to determine where their organization fits. If your company is classified as essential, with more than 250 employees or €50 million in revenue, you’re looking at regular security audits and ongoing monitoring. Important entities will face audits, but only when there’s suspicion of violations. 

Regardless of where your company is classified, it’s critical to know what the new mandates entail and what areas of security they will impact. 

Supply Chain Security & Risk Management

Software supply chain attacks have become a major concern. Gartner recently released a report, entitled “Mitigate Enterprise Software Supply Chain Security Risks” that supports echoing this sentiment. They project a 200% rise in the cost of these attacks to $138 billion by 2031. Even more alarming statistics reveal that nearly two-thirds of U.S. businesses fell victim to such breaches between May 2022 and April 2023.

And these risks are all too real. High-profile incidents like the SolarWinds Orion attack in 2020, which compromised 18,000 organizations globally, the Kaseya ransomware attack of 2021 affecting up to 1,500 businesses, and the far-reaching Log4j vulnerability have demonstrated just how exposed our software supply chains are—and the devastating consequences that follow.

To mitigate these challenges, the NIS 2 is placing a strong emphasis on securing ICT supply chains, Security teams must now assess the risks posed by third-party service providers and suppliers, ensuring they have robust cybersecurity policies in place. It’s not just about internal security anymore—it’s about the entire ecosystem of partners your organization relies on.

Companies should review and update contracts with suppliers to include cybersecurity risk management clauses. They should make sure vendors are meeting the same security standards as your organization, and regularly evaluate their practices to identify and mitigate vulnerabilities in your supply chain.

Incident Reporting and Management Accountability
One of the most critical changes under NIS 2 is the new incident reporting requirements. Organizations must submit an early warning within 24 hours of discovering a significant incident, followed by an incident notification within 72 hours, and a final report within a month. This rapid timeline requires security teams to have a well-prepared incident response plan that enables swift action and clear communication.

NIS 2 also imposes direct obligations on management bodies, including the C-suite and board of directors. Senior leaders must be involved in cybersecurity decision-making, approve risk management measures, and undergo cybersecurity training.

Failure to meet these obligations could result in hefty fines and personal liability, so it’s crucial that security teams ensure their leadership is actively engaged in cybersecurity strategy.

Extraterritorial Reach and Compliance
Like the GDPR, NIS 2 has extraterritorial implications. Even if your organization is not based in the EU, you may still fall under the directive’s scope if you provide services within the EU. This means that companies outside Europe cannot afford to ignore NIS 2. 

It is critical for organizations to assess whether their business activities in the EU bring them within the directive’s scope and to take steps to ensure compliance with its requirements.

Fines & Penalties
Non-compliance with NIS 2 can lead to substantial fines, similar to those imposed under the GDPR. Violations can result in fines of up to €10 million or 2% of an organization’s total global turnover, whichever is higher. Given these penalties, it’s essential that security teams take NIS 2 seriously, especially smaller companies that lack the resources to incur such hefty fines. 

What Security Teams Can Do to Prepare

  •  Assess Scope: Determine whether your organization qualifies as an “essential” or “important” entity under NIS 2 and review which obligations apply to you.
  • Review Incident Response Plans: Ensure you can meet the 24-hour, 72-hour, and one-month reporting requirements for significant security incidents.
  • Engage Leadership: Make sure your C-suite and board are aware of their responsibilities under NIS 2, and that they are actively involved in approving and overseeing cybersecurity risk management efforts.
  • Secure the Supply Chain: Audit your supply chain for vulnerabilities and ensure contracts with suppliers include adequate cybersecurity provisions.
  • Monitor Member State Progress: Keep an eye on the implementation status of NIS 2 in each EU member state to ensure compliance with local variations of the directive.

NIS 2 Directive brings significant changes and increased obligations for organizations across the EU and beyond.

Security teams must act now to assess their classification, strengthen supply chain security, ensure compliance with incident reporting requirements, and engage senior leadership in cybersecurity efforts. By preparing for these new mandates, organizations can avoid costly penalties and bolster their overall security posture.

Graham Rance is VP Global Pre-Sales at CyCognito

Image:  Ideogram

You Might Also Read: 

DORA: Compliance With The EU Digital Resilience Act:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 


Cyber Security Intelligence: Captured Organised & Accessible


 

« GenAI Is The Biggest Cyber Security Risk
How Do The UK Cyber Security & Resilience Bill & The EU's NIS2 Compare? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Landry & Associates

Landry & Associates

Landry & Associates is a multidisciplinary firm specializing in risk management, performance and technology management.

Opengear

Opengear

Opengear ensures network resilience to enterprises by enabling business continuity with the Network Resilience Platform.

TruSTAR Technology

TruSTAR Technology

TruSTAR is a threat intelligence exchange platform built to protect and incentivize information sharing.

Comarch

Comarch

Comarch is a provider of IT business solutions to optimize operational and business processes. Cyber security solutions are focused on Identity Management and Security Assessment services.

Wotan Monitoring

Wotan Monitoring

Wotan Monitoring is the software solution for fully automatic process monitoring, infrastructure monitoring and end-to-end monitoring.

exceet Secure Solutions

exceet Secure Solutions

exceet Secure Solutions is your experienced specialist for Internet of Things (IoT), Heath Telematics, electronic signatures and timestamps and IT security.

Alyne

Alyne

Alyne is a Munich based 2B RegTech offering organisations risk insight capabilities through a Software as a Service.

Zighra

Zighra

Zighra is a leading provider of On-Device AI solutions for continuous authentication and fraud detection on mobile and web applications.

Cybersecurity Collaboration Forum

Cybersecurity Collaboration Forum

The mission of the Cybersecurity Collaboration Forum is to foster information security communication and idea sharing across the C-Suite, enabling leaders to better protect their enterprises.

Datplan

Datplan

Datplan offers a software solution that gives an overview of 8 key cyber risk areas, their threats, and risk management steps.

Griffiss Institute (GI)

Griffiss Institute (GI)

GI's primary role is to advocate and facilitate the co-operation of private industry, academia, and the Air Force Research Laboratory in developing solutions to critical cyber security problems.

Siege Technologies

Siege Technologies

Siege Technologies is a pioneer of multi-purpose cybersecurity products and services that enable customers to leverage both offensive and defensive technologies.

ID R&D

ID R&D

ID R&D is an award-winning provider of AI-based facial liveness, document liveness, and voice biometrics.

MajorKey Technologies

MajorKey Technologies

MajorKey improves security performance by reducing user friction and business risk, empowering your people, and protecting your IP.

CyberMontana

CyberMontana

CyberMontana is a statewide initiative providing cybersecurity awareness, training, and workforce development for businesses and residents of Montana.

StepSecurity

StepSecurity

StepSecurity provides a comprehensive security platform for GitHub Actions.