EU guidelines for digital security: what you need to know about the NIS2 Directive
In the era of advancing digitalization, ensuring the security of data and information systems is a top priority. The NIS2 Directive represents another step by the European Union to strengthen the protection of critical infrastructure. What exactly is the NIS2 Directive introduced in 2023? What changes does it bring, and what obligations does it impose on operators of essential sectors? Let's take a closer look at the new provisions and tasks awaiting businesses operating in the digital world.
The NIS2 Directive, amending the first European law on cybersecurity NIS, aims to adapt cybersecurity standards throughout the European Union to new digital threats. The updated directive is intended to raise requirements related to risk management, improve response to cybersecurity incidents, and impose obligations related to reporting security incidents.
What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems Directive 2) is a legal and regulatory act establishing common cybersecurity standards for critical entities operating in the EU. It updates the original NIS Directive of 2016 and responds to the changing digital landscape and increasingly sophisticated cyber attacks. NIS2 sets new security rules for operators in essential sectors, both public and private, working in areas such as energy, banking, or healthcare.
The full name of NIS2 is "DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive)".
When was NIS2 introduced, and when is the deadline for implementing the new requirements?
The NIS2 Directive came into force on January 16, 2023, and the deadline for implementing the new requirements is October 17, 2024. After this deadline, the new regulations will apply in all European Union countries.
What changes does the NIS2 Directive bring?
Compared to the first version of the document, the NIS2 Directive introduces the following changes:
- The revised directive expands the scope of entities covered by regulations, including more sectors of the economy.
- NIS2 abandons the distinction between operators of essential services and digital service providers, instead classifying organizations based on their significance and dividing them into essential sectors and important sectors.
- The new directive includes medium and large enterprises in selected industries and allows a flexible approach in identifying smaller high-risk firms.
- The amended document imposes new obligations on entities, such as implementing risk analysis and risk management solutions, implementing security system policies, securing supply chains, and developing a Business Continuity Plan.
- The NIS2 Directive tightens incident reporting requirements and increases sanctions for non-compliance. For example, essential and important sectors will be obliged to report serious incidents to the relevant CSIRT (or other competent authority) within specified deadlines. These organizations may also be required to notify their customers that an incident has occurred and, in specific situations, even of the threat itself.
Powers of supervisory authorities in controlling and enforcing regulations
The NIS2 Directive grants supervisory authorities extensive powers to control and enforce regulations. Among them are:
- conducting independent and targeted security audits and ordering the implementation of audit recommendations,
- requesting the provision of information, access to data, and documents,
- issuing orders to ensure compliance with the NIS2 Directive.
The detailed scope of these powers will differ depending on whether the actions concern essential sectors or important sectors. Where the former fail to comply with the directive, supervisory authorities may have the power to temporarily suspend a certification or authorisation to provide services or conduct business.
Who does the NIS2 Directive apply to?
The new NIS2 Directive changes the previous division into operators of essential services, digital service providers, and public entities, dividing them instead into essential entities and important entities. The directive applies to a range of entities operating across 11 essential and 7 important sectors and covers medium-sized enterprises from both the public and private sectors of EU member states.
NIS2 also brings in entities that were not covered by the first version of the directive. Forecasts indicate that several thousand companies in Poland will be obliged to align their security standards with the new provisions. The new directive expands the catalog of organizations to include industries such as:
- banking and finance,
- water and sewage,
- public administration,
- food production.
Essential sectors according to NIS2 (according to Annex I of the directive):
- financial markets,
- drinking water,
- waste water,
- digital infrastructure,
- ICT service management,
- public administration.
Important sectors according to NIS2 (according to Annex II of the directive):
- postal and courier services,
- waste management,
- digital providers,
- research organisations.
Penalties for non-compliance with NIS2 provisions
The amended NIS2 Directive introduces precise rules on the imposition of fines and sanctions for violating its provisions. Where essential sectors breach the risk management or incident reporting rules, administrative penalties of up to 10 million euros or 2% of total annual turnover may be imposed. Important sectors may face fines of up to 7 million euros or 1.4% of total annual turnover.
The NIS2 Directive also provides for the possibility of imposing periodic fines to enforce compliance with the provisions and introduces penalty sanctions for violating the directive's regulations.
What actions does your company need to take in connection with NIS2? The first step is a security audit
If your company falls into the category of essential or important sectors under the EU regulations, you must take specific actions to adapt to the new standards and avoid penalties for violating them. First, you should conduct an audit of your information system to determine its current level of security and compliance with the new NIS2 requirements, and to identify the areas that require improvement.
According to the directive, organizations must develop a Business Continuity Plan and implement appropriate risk management and security analysis solutions. Securing digital infrastructure, ensuring compliance with the NIS2 Directive, and adopting a conscious approach to incident management are key elements of implementing the new provisions.
We understand that implementing these requirements is a complex process that requires diligence and expert knowledge in cybersecurity. Therefore, our experienced specialists are ready to provide professional support, adapting your organization to the NIS2 Directive requirements and conducting an audit of compliance with the new regulations. We will develop personalized solutions perfectly tailored to the needs of your business – regardless of the industry in which you operate and the level of security measures applied.
Contact us today to prepare your company for the changes introduced by NIS2. We will assist you throughout the process and conduct a compliance audit.
Reach out to us at [email protected] or use the form in the footer of the page.
Check how we can further strengthen the cybersecurity of your organization.