What Security Teams Need To Know About The EU’s NIS 2 Directive

Uploaded on 2024-10-25 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The deadline to get compliant with the EU’s NIS 2 Directive is here. And this isn’t just a minor update from its NIS 1 predecessor—it’s a major expansion that carries with it new challenges and obligations.

The directive now covers a whopping 300,000 organizations, up from just 20,000 under NIS 1. Sectors like aerospace, public administration, digital services, postal and courier services, and food production are now included. Organizations are classified into “essential” or “important” entities based on size and criticality to the economy.

Security teams need to determine where their organization fits. If your company is classified as essential, with more than 250 employees or €50 million in revenue, you’re looking at regular security audits and ongoing monitoring. Important entities will face audits, but only when there’s suspicion of violations. 

Regardless of where your company is classified, it’s critical to know what the new mandates entail and what areas of security they will impact. 

Supply Chain Security & Risk Management

Software supply chain attacks have become a major concern. Gartner recently released a report, entitled “Mitigate Enterprise Software Supply Chain Security Risks” that supports echoing this sentiment. They project a 200% rise in the cost of these attacks to $138 billion by 2031. Even more alarming statistics reveal that nearly two-thirds of U.S. businesses fell victim to such breaches between May 2022 and April 2023.

And these risks are all too real. High-profile incidents like the SolarWinds Orion attack in 2020, which compromised 18,000 organizations globally, the Kaseya ransomware attack of 2021 affecting up to 1,500 businesses, and the far-reaching Log4j vulnerability have demonstrated just how exposed our software supply chains are—and the devastating consequences that follow.

To mitigate these challenges, the NIS 2 is placing a strong emphasis on securing ICT supply chains, Security teams must now assess the risks posed by third-party service providers and suppliers, ensuring they have robust cybersecurity policies in place. It’s not just about internal security anymore—it’s about the entire ecosystem of partners your organization relies on.

Companies should review and update contracts with suppliers to include cybersecurity risk management clauses. They should make sure vendors are meeting the same security standards as your organization, and regularly evaluate their practices to identify and mitigate vulnerabilities in your supply chain.

Incident Reporting and Management Accountability
One of the most critical changes under NIS 2 is the new incident reporting requirements. Organizations must submit an early warning within 24 hours of discovering a significant incident, followed by an incident notification within 72 hours, and a final report within a month. This rapid timeline requires security teams to have a well-prepared incident response plan that enables swift action and clear communication.

NIS 2 also imposes direct obligations on management bodies, including the C-suite and board of directors. Senior leaders must be involved in cybersecurity decision-making, approve risk management measures, and undergo cybersecurity training.

Failure to meet these obligations could result in hefty fines and personal liability, so it’s crucial that security teams ensure their leadership is actively engaged in cybersecurity strategy.

Extraterritorial Reach and Compliance
Like the GDPR, NIS 2 has extraterritorial implications. Even if your organization is not based in the EU, you may still fall under the directive’s scope if you provide services within the EU. This means that companies outside Europe cannot afford to ignore NIS 2. 

It is critical for organizations to assess whether their business activities in the EU bring them within the directive’s scope and to take steps to ensure compliance with its requirements.

Fines & Penalties
Non-compliance with NIS 2 can lead to substantial fines, similar to those imposed under the GDPR. Violations can result in fines of up to €10 million or 2% of an organization’s total global turnover, whichever is higher. Given these penalties, it’s essential that security teams take NIS 2 seriously, especially smaller companies that lack the resources to incur such hefty fines. 

What Security Teams Can Do to Prepare

  •  Assess Scope: Determine whether your organization qualifies as an “essential” or “important” entity under NIS 2 and review which obligations apply to you.
  • Review Incident Response Plans: Ensure you can meet the 24-hour, 72-hour, and one-month reporting requirements for significant security incidents.
  • Engage Leadership: Make sure your C-suite and board are aware of their responsibilities under NIS 2, and that they are actively involved in approving and overseeing cybersecurity risk management efforts.
  • Secure the Supply Chain: Audit your supply chain for vulnerabilities and ensure contracts with suppliers include adequate cybersecurity provisions.
  • Monitor Member State Progress: Keep an eye on the implementation status of NIS 2 in each EU member state to ensure compliance with local variations of the directive.

NIS 2 Directive brings significant changes and increased obligations for organizations across the EU and beyond.

Security teams must act now to assess their classification, strengthen supply chain security, ensure compliance with incident reporting requirements, and engage senior leadership in cybersecurity efforts. By preparing for these new mandates, organizations can avoid costly penalties and bolster their overall security posture.

Graham Rance is VP Global Pre-Sales at CyCognito

Image:  Ideogram

You Might Also Read: 

DORA: Compliance With The EU Digital Resilience Act:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

« GenAI Is The Biggest Cyber Security Risk
How Do The UK Cyber Security & Resilience Bill & The EU's NIS2 Compare? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

SSLGURU

SSLGURU

SSLGURU bring all of the major SSL certificate vendors to one market place in order to create the world's largest SSL store with the most competitive prices.

Atlantic Council

Atlantic Council

The Atlantic Council's Cyber Statecraft Initiative focuses on international cooperation, competition, and conflict in cyberspace.

Lanner Electronics

Lanner Electronics

Lanner Electronics is a leading hardware provider for advanced network appliances and industrial automation solutions including cyber security.

Positive Technologies

Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection.

Beta Systems Software

Beta Systems Software

Beta Systems automate IT-based business processes, control access rights, monitor processes, secure the network and optimize the infrastructure management of corporate IT.

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

Procilon Group

Procilon Group

Procilon Group specialize in the development of cryptographic software as well as strategic advice on information security and data protection.

MER Group

MER Group

MER Group is a world-leading solutions provider specializing in Homeland Security (HLS), Cyber and Intelligence, Communication Infrastructure and Tactical Communication Systems.

Cyber Academy

Cyber Academy

Cyber Academy is one of the first institutions in the SE Europe region that provides a hands-on program in cyber security, blockchain and AI.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

Guidepost Solutions

Guidepost Solutions

Guidepost Solutions are a diverse, global team of investigators, experienced security and technology consultants, and compliance and monitoring experts.

CoreStack

CoreStack

CoreStack helps enterprises overcome cloud challenges such as ever growing security risks, stringent regulatory compliance needs and operational complexities.

CoinCover

CoinCover

Blockchain technology is changing everything. However, it brings its own set of unique risks. Coincover ensures everyone is protected, enabling them to innovate freely, without constraints.

Securafy

Securafy

At Securafy, we understand how important it is to have the right IT partner by your side. For over 30 years, we’ve helped businesses stay secure, connected, and compliant.

Basalt

Basalt

Basalt provide qualified consulting services in information security, personnel security and physical security.