The NIS2 Directive, What You Need To Know
The Network and Information Systems (NIS) Directive, introduced in 2016, was the European Union's (EU) first cybersecurity legislation aimed at protecting critical infrastructure and essential services from cyber threats.
What is NIS2?
As cyber risks evolved, the need for an updated framework led to the NIS2 Directive (Directive (EU) 2022/2555), a more comprehensive directive designed to address the limitations of its predecessor. NIS2 marks a significant milestone in the EU's efforts to bolster cybersecurity across its member states. At the national level, NIS2 aims to enhance overall cybersecurity through:
- Preparedness: Each EU member state must establish a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems authority to address potential cyber threats.
- Collaboration: The directive creates a Cooperation Group to facilitate information exchange among member states, fostering a unified approach to cybersecurity.
- Cultural shift: NIS2 promotes a cybersecurity-focused culture across critical infrastructure sectors heavily reliant on information and communication technology (ICT).
These measures are designed to collectively ensure that relevant entities throughout the EU are equipped with appropriate security measures, threat intelligence, and best practices to effectively mitigate cyber threats.
Why Is NIS2 Important?
Whilst the NIS1 Directive triggered a change in mindset and improved security practices, it faced several challenges: a rapidly evolving risk landscape; varying levels of adoption across member states, due to confusion over which companies were deemed essential; increasing rates of cyber-crime, with new and sophisticated attack vectors emerging, including AI-powered threats; and geopolitical factors, which gave rise to more politically motivated and state-sponsored cyber-attacks.
The NIS2 Directive is important because it provides a more unified implementation across member states and raises the bar for cyber resilience in step with the evolving threat landscape. With cyberattacks costing EU consumers and businesses an estimated €180 billion to €290 billion annually, cyber resilience has never been more critical for the EU.
NIS2 vs. NIS1 Directive
NIS2 expands upon its predecessor, NIS1 (Directive (EU) 2016/1148), by increasing the scope of applicability to more industry sectors and digital service providers. As well as introducing new penalties, NIS2 sets out stricter risk and cybersecurity requirements, including: incident response planning and encryption; more detailed and time-bound incident reports; uniform criteria for entity classification and clear enforcement guidelines; and greater accountability for implementation, shouldered by an entity's management team.

| Aspect | NIS1 Directive | NIS2 Directive |
| --- | --- | --- |
| Scope | Seven sectors, split into "operators of essential services" and "digital service providers" | Expanded sector list (Annex I sectors of high criticality and Annex II other critical sectors), split into "essential" and "important" entities |
| Risk Management and Cybersecurity Requirements | General duty to take appropriate and proportionate technical and organisational measures | Minimum list of ten measures (Article 21), including incident handling, business continuity, supply chain security, cryptography and multi-factor authentication |
| Incident Reporting | Notification of incidents with significant impact, without fixed deadlines | Staged, time-bound reporting (Article 23): 24-hour early warning, 72-hour notification, final report within one month |
| Harmonization Across EU Member States | Member states identified in-scope entities themselves, leading to inconsistent coverage | Uniform size-based classification criteria (Article 3) and common supervisory measures |
| Enforcement and Penalties | Penalties left to member states, required only to be effective, proportionate and dissuasive | Minimum fine ceilings (Article 34): €10 million or 2% of worldwide turnover for essential entities, €7 million or 1.4% for important entities, plus liability of management bodies |
Understanding the Expanded Scope of Application is Important
The NIS2 Directive introduces a significant change in how organizations are classified and regulated for cybersecurity purposes in the EU. This new framework replaces the previous distinction between "operators of essential services" (OES) and "digital service providers" (DSP) with a more comprehensive classification system.
NIS2, article 3 now categorizes entities as essential or important based on their size and the criticality of their services. The directive expands its scope from 7 to 15 sectors, encompassing a broader range of vital aspects of EU society.
What are Essential Entities
Essential entities are, as a rule, large enterprises operating in the sectors of high criticality listed in Annex I. Under the EU SME definition (Recommendation 2003/361/EC) an enterprise is large when it exceeds the ceilings for a medium-sized enterprise, that is, when it has:
- At least 250 employees, or
- Both an annual turnover above €50 million and an annual balance sheet total above €43 million.
Some entity types are essential regardless of size, including qualified trust service providers, top-level domain name registries, DNS service providers and central government public administration entities.
Sectors of high criticality (Annex I) include:
- Energy
- Transport
- Banking and financial market infrastructures
- Health
- Drinking water and waste water
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Space
What are Important Entities
Important entities are the in-scope entities that do not qualify as essential: typically medium-sized enterprises in any covered sector, plus large enterprises operating in the "other critical sectors" of Annex II. An enterprise is medium-sized when it exceeds the ceilings for a small enterprise but stays below the large-enterprise ceilings above, that is, when it has:
- At least 50 employees, or
- Both an annual turnover above €10 million and an annual balance sheet total above €10 million.
Other critical sectors (Annex II) include:
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
Sector Distinctions
While some sectors may appear to overlap, there are key distinctions:
- Digital infrastructure (Annex I) covers the backbone services society depends on: internet exchange points, DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, trust service providers, and public electronic communications networks and services.
- Digital providers (Annex II) are more specific services, namely online marketplaces, online search engines and social networking platforms, which are integral to communication and transactions but whose outage has less severe implications.
Jurisdiction for Non-EU Operators
NIS2 also determines which Member State has jurisdiction over an entity, including entities based outside the EU. According to Article 26:
- As a general rule, an entity falls under the jurisdiction of the Member State in which it is established.
- Providers of public electronic communications networks or services fall under the jurisdiction of each Member State in which they provide their services.
- DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre, CDN, managed service and managed security service providers, and providers of online marketplaces, online search engines and social networking platforms fall under the jurisdiction of the Member State of their main establishment in the EU, meaning the place where decisions on cybersecurity risk management are predominantly taken.
- An entity of those types that is not established in the EU but offers services within it must designate a representative in one of the Member States where it offers services, and falls under that Member State's jurisdiction.
This classification system aims to create a more secure and resilient digital landscape across the European Union by acknowledging the complex relationships between various entities and fostering collaboration.
What Are The Main Requirements For NIS2
The NIS2 Directive introduces several key requirements for essential and important entities to enhance cybersecurity across the European Union.
While the directive contains 46 articles, Chapter IV (Articles 20-25) is particularly significant for organizations seeking compliance. Most of the other chapters set requirements for member states rather than for entities. Articles 20-25 revolve around two main topics: cybersecurity risk management and reporting obligations.
The key NIS2 subject areas for entities:
- Responsibilities of senior management.
- Importance of training.
- Risk-based approach to cybersecurity.
- Cybersecurity approach - a mixture of technical, operational and organizational measures
- Supply chain security.
- Reporting significant incidents.
- Use of certified IT products and services.
- Fines and supervision
Responsibilities of Senior Management
Article 20 of NIS2 mandates that top management of essential and important entities:
- Approve cybersecurity measures for implementation.
- Oversee the implementation process.
- Can be held liable for inadequate cybersecurity implementation and may face legal consequences for insufficient cybersecurity measures. Managers could be held personally accountable for negligence or non-compliance with essential risk management protocols.
Articles 32 and 33 further emphasize the liability of legal representatives of these entities.
Importance of Training
Article 20 of NIS2 requires top management to undergo cybersecurity training and for them to encourage similar cybersecurity training for employees.
The aim is for management to gain "sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity".
Risk-based Approach to Cybersecurity
Article 21 requires cybersecurity measures to be appropriate and proportionate to the risks posed, following an all-hazards approach.
When assessing the risks companies should take into account the following:
- Exposure to risks.
- Company size.
- Likelihood and severity of potential incidents.
- Societal and economic impacts of incidents.
Cybersecurity: A Mix of Technical, Operational and Organizational Measures
Article 21 requires entities to implement measures to protect network and information systems and the physical environment of those systems from incidents, and “shall include at least the following”:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Supply Chain Security
Article 21 focuses on risks related to direct suppliers and service providers, including:
- Supplier-specific vulnerabilities.
- Overall quality of products and cybersecurity practices.
- Secure development procedures.
Reporting Significant Incidents
Article 23 requires entities to notify their CSIRT or competent authority of any significant incident in stages:
- Early warning, within 24 hours of becoming aware of the incident, indicating whether it is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
- Incident notification, within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- Intermediate report, on request of the CSIRT or competent authority, providing relevant status updates.
- Final report, no later than one month after the incident notification, with a detailed description of the incident and its severity and impact, the type of threat or root cause likely to have triggered it, the mitigation measures applied and, where applicable, its cross-border impact.
- Progress report where the incident is still ongoing when the final report falls due, with the final report then due within one month of the incident being handled.
Where appropriate, entities must also inform the recipients of their services, without undue delay, of significant incidents likely to adversely affect those services.
Use of Certified IT Products and Services
While not currently mandatory, NIS2 allows for potential future requirements to use certified IT products or services under European cybersecurity certification schemes.
Fines and Supervision
Articles 32 and 33 set out the supervisory and enforcement measures for essential and important entities respectively. For each entity type they state that,
“Member States shall ensure that the supervisory or enforcement measures imposed...in respect of the obligations laid down in this Directive are effective, proportionate and dissuasive”.
It continues by saying that there should be oversight for essential and important entities, which includes on-site inspections, off-site supervision, cybersecurity audits, and security scans.
Article 34 requires Member States to provide for administrative fines on essential and important entities that fail to meet their NIS2 obligations, with maximum fines of at least:
- Essential entities: €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
- Important entities: €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.
Implementation Deadline and Current Status
The NIS2 Directive deadline was October 17, 2024. By this date, EU member states were required to implement the directive's requirements into their national laws. However, the transition has not been smooth for all countries.
As of October 18, 2024, European countries' progress in transposing the NIS2 Directive varied significantly. Given the evolving nature of this situation, these statuses are likely to change.
- Level 1 (Little Progress): Spain.
- Level 2 (Mid-term Advancement): Sweden, Ireland, Netherlands, Portugal, Estonia, Poland, Slovakia, Slovenia, Bulgaria, Greece, Cyprus, and Malta.
- Level 3 (Draft Law Analysis): Denmark, Luxembourg, France, Austria, Finland, Germany, Czech Republic, and Romania.
- Level 4 (Law Approved): Belgium, Italy, Latvia, Lithuania, Hungary, and Croatia.
Challenges and Concerns Across EU Members
The implementation of NIS2 across the EU has faced several challenges:
- Delayed Transposition: Many member states missed the October 17, 2024 deadline, creating uncertainty for organizations within their borders.
- Scope and Classification: The expanded scope of NIS2 has led to confusion about which organizations are classified as "essential" or "important".
- Resource Allocation: Many organizations are concerned about the resources required to comply with NIS2.
- Skills Shortage: A significant number of cybersecurity staff lack certified training necessary for NIS2 compliance.
- Budgetary Constraints: Some enterprises report difficulties in securing the budget required for NIS2 compliance.
Looking Ahead At Important NIS2 Dates
As we move further into 2025, several key dates loom on the horizon for NIS2 implementation:
- January 17, 2025: Introduction of new peer review practices.
- April 17, 2025: Deadline for member states to compile lists of essential and important entities.
- October 17, 2027: The European Commission's three-year report on how NIS2 is functioning.
These milestones will be crucial in assessing the directive's effectiveness and identifying areas for improvement.
Implications for Businesses
For businesses operating in the EU, NIS2 represents both a challenge and an opportunity. By some estimates, more than 150,000 companies in the EU will need to become NIS2 compliant. While compliance may require significant investment in cybersecurity measures, staff training, and potentially new hires, it also provides a framework for enhancing overall security posture.
Key considerations for businesses include:
- Assess your organization's classification under NIS2 (essential or important).
- Conduct thorough risk assessments including existing cloud and SaaS products in use.
- Develop robust security measures, this may include encryption and monitoring.
- Implement multi-factor authentication and other required security controls.
- Develop incident response plans and reporting mechanisms.
- Invest in training for management, cybersecurity staff and general employees.
- Stay informed about your country's specific implementation of NIS2.
How StratoKey Can Help Organizations with NIS2 Compliance
StratoKey's Cloud Data Protection (CDP) Gateway offers a robust solution to help EU companies meet key cybersecurity requirements of the NIS2 Directive.
The StratoKey CDP Gateway addresses critical aspects of data protection, encryption, and access control, aligning with NIS2 obligations and enhancing overall cybersecurity posture.
Key Features and Benefits
- Robust Encryption: StratoKey end-to-end encrypts data before it reaches cloud applications, ensuring protection for data at rest and in transit.
- Granular Access Control: The CDP gateway integrates with existing identity access management systems to provide fine-tuned access controls.
- Real-time Monitoring: Security analytics with user-level audit trails enable organizations to quickly detect, respond and report on potential threats.
- Data Sovereignty: StratoKey's tokenization engine allows EU companies to keep sensitive data within their jurisdictional borders, replacing it with tokens to address GDPR, data residency, and sovereignty requirements.
Importantly, the StratoKey CDP Gateway is hosted within the entity's own environment. Self-hosting the gateway gives the entity complete control over encryption keys and data protection, ensuring sensitive information is encrypted or tokenized before it leaves the entity's environment. This delivers security benefits as well as clear data sovereignty benefits.
By deploying StratoKey within its own infrastructure, an entity maintains full sovereignty over its data, can mitigate risks associated with cloud provider or SaaS application access, and can effectively address NIS2 compliance requirements.
NIS2 Compliance Support
StratoKey's CDP Gateway helps organizations address many cybersecurity requirements outlined in NIS2 article 21, including:
- Risk management and incident response.
- Supply chain security enhancement.
- Network and information system security.
- Implementation of encryption and access policies.
By deploying StratoKey's Cloud Data Protection Gateway in their environment, organizations can tokenize or encrypt regulated data before it leaves for the cloud, taking a significant step towards meeting NIS2 requirements.
The comprehensive approach to cloud data protection, combined with flexibility and scalability across multiple cloud services, makes StratoKey a valuable tool for EU companies seeking to enhance their cybersecurity measures in line with NIS2 directives.
Get in touch with StratoKey to ask how we can help with NIS2 compliance security controls, or download the StratoKey Whitepaper to learn more about the StratoKey CDP Gateway.