What Security Teams Need To Know About The EU’s NIS 2 Directive

Uploaded on 2024-10-25 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The deadline to get compliant with the EU’s NIS 2 Directive is here. And this isn’t just a minor update from its NIS 1 predecessor—it’s a major expansion that carries with it new challenges and obligations.

The directive now covers a whopping 300,000 organizations, up from just 20,000 under NIS 1. Sectors like aerospace, public administration, digital services, postal and courier services, and food production are now included. Organizations are classified into “essential” or “important” entities based on size and criticality to the economy.

Security teams need to determine where their organization fits. If your company is classified as essential, with more than 250 employees or €50 million in revenue, you’re looking at regular security audits and ongoing monitoring. Important entities will face audits, but only when there’s suspicion of violations. 

Regardless of where your company is classified, it’s critical to know what the new mandates entail and what areas of security they will impact. 

Supply Chain Security & Risk Management

Software supply chain attacks have become a major concern. Gartner recently released a report, entitled “Mitigate Enterprise Software Supply Chain Security Risks” that supports echoing this sentiment. They project a 200% rise in the cost of these attacks to $138 billion by 2031. Even more alarming statistics reveal that nearly two-thirds of U.S. businesses fell victim to such breaches between May 2022 and April 2023.

And these risks are all too real. High-profile incidents like the SolarWinds Orion attack in 2020, which compromised 18,000 organizations globally, the Kaseya ransomware attack of 2021 affecting up to 1,500 businesses, and the far-reaching Log4j vulnerability have demonstrated just how exposed our software supply chains are—and the devastating consequences that follow.

To mitigate these challenges, the NIS 2 is placing a strong emphasis on securing ICT supply chains, Security teams must now assess the risks posed by third-party service providers and suppliers, ensuring they have robust cybersecurity policies in place. It’s not just about internal security anymore—it’s about the entire ecosystem of partners your organization relies on.

Companies should review and update contracts with suppliers to include cybersecurity risk management clauses. They should make sure vendors are meeting the same security standards as your organization, and regularly evaluate their practices to identify and mitigate vulnerabilities in your supply chain.

Incident Reporting and Management Accountability
One of the most critical changes under NIS 2 is the new incident reporting requirements. Organizations must submit an early warning within 24 hours of discovering a significant incident, followed by an incident notification within 72 hours, and a final report within a month. This rapid timeline requires security teams to have a well-prepared incident response plan that enables swift action and clear communication.

NIS 2 also imposes direct obligations on management bodies, including the C-suite and board of directors. Senior leaders must be involved in cybersecurity decision-making, approve risk management measures, and undergo cybersecurity training.

Failure to meet these obligations could result in hefty fines and personal liability, so it’s crucial that security teams ensure their leadership is actively engaged in cybersecurity strategy.

Extraterritorial Reach and Compliance
Like the GDPR, NIS 2 has extraterritorial implications. Even if your organization is not based in the EU, you may still fall under the directive’s scope if you provide services within the EU. This means that companies outside Europe cannot afford to ignore NIS 2. 

It is critical for organizations to assess whether their business activities in the EU bring them within the directive’s scope and to take steps to ensure compliance with its requirements.

Fines & Penalties
Non-compliance with NIS 2 can lead to substantial fines, similar to those imposed under the GDPR. Violations can result in fines of up to €10 million or 2% of an organization’s total global turnover, whichever is higher. Given these penalties, it’s essential that security teams take NIS 2 seriously, especially smaller companies that lack the resources to incur such hefty fines. 

What Security Teams Can Do to Prepare

  •  Assess Scope: Determine whether your organization qualifies as an “essential” or “important” entity under NIS 2 and review which obligations apply to you.
  • Review Incident Response Plans: Ensure you can meet the 24-hour, 72-hour, and one-month reporting requirements for significant security incidents.
  • Engage Leadership: Make sure your C-suite and board are aware of their responsibilities under NIS 2, and that they are actively involved in approving and overseeing cybersecurity risk management efforts.
  • Secure the Supply Chain: Audit your supply chain for vulnerabilities and ensure contracts with suppliers include adequate cybersecurity provisions.
  • Monitor Member State Progress: Keep an eye on the implementation status of NIS 2 in each EU member state to ensure compliance with local variations of the directive.

NIS 2 Directive brings significant changes and increased obligations for organizations across the EU and beyond.

Security teams must act now to assess their classification, strengthen supply chain security, ensure compliance with incident reporting requirements, and engage senior leadership in cybersecurity efforts. By preparing for these new mandates, organizations can avoid costly penalties and bolster their overall security posture.

Graham Rance is VP Global Pre-Sales at CyCognito

Image:  Ideogram

You Might Also Read: 

DORA: Compliance With The EU Digital Resilience Act:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

« GenAI Is The Biggest Cyber Security Risk
How Do The UK Cyber Security & Resilience Bill & The EU's NIS2 Compare? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality ISAC operates as a central hub for sharing sector-specific cyber security information and intelligence.

StationX

StationX

StationX is a leading provider of cyber security training, consultancy and services.

ERNW

ERNW

ERNW is an independent IT Security service provider with a focus on consulting and testing in all areas of IT security.

Center for Analysis & Investigation of Cyber-Attacks (CAICA)

Center for Analysis & Investigation of Cyber-Attacks (CAICA)

The Center for Analysis & Investigation of Cyber-Attacks is one of the leading Kazakhstan organisations in the field of information and computer security.

Centro de Gestion de Incidentes Informaticos (CGII)

Centro de Gestion de Incidentes Informaticos (CGII)

CGII is the Computer Incident Management Center of the State of Bolivia.

Kapalya

Kapalya

Kapalya empowers businesses and their employees to securely store sensitive files at-rest and in-transit across multiple platforms through a user-friendly desktop and mobile application.

Barbara IoT

Barbara IoT

Barbara is an industrial device platform specifically designed for IoT deployments.

AnChain.AI

AnChain.AI

AnChain.AI's analytics platform proactively protects crypto assets by providing proprietary artificial intelligence, knowledge graphs, and threat intelligence on blockchain transactions.

Norwest Venture Partners (NVP)

Norwest Venture Partners (NVP)

Norwest Venture Partners offer entrepreneurs a broad range of services to help them build their businesses at every stage of growth. Key sectors include AI, Infrastructure, SaaS and Security.

Wolf Hill Group

Wolf Hill Group

Wolf Hill Group, a Slone Partners company, is a national recruitment firm focused on Cybersecurity.

Armenia Startup Academy

Armenia Startup Academy

Armenia Startup Academy is a pre-acceleration program for selected Armenian tech companies and startups in areas including cybersecurity.

Solvere One

Solvere One

Solvere One is a managed service provider (MSP) focused on corporate consulting and partnership.

Dutch Institute for Vulnerability Disclosure (DIVD)

Dutch Institute for Vulnerability Disclosure (DIVD)

DIVD's aim is to make the digital world safer by reporting vulnerabilities we find in digital systems to the people who can fix them.

NetWitness

NetWitness

NetWitness empowers security teams to rapidly detect today’s targeted and sophisticated attacks with unparalleled visibility.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

Accelerynt

Accelerynt

Accelerynt was founded with a singular purpose: help teams like yours build cybersecurity resilience.