The Network and Information Systems (NIS) Directive, introduced in 2016, was the European Union's (EU) first cybersecurity legislation aimed at protecting critical infrastructure and essential services from cyber threats.
As cyber risks evolved, the need for an updated framework led to the development of the NIS2 Directive (Directive (EU) 2022/2555), a more comprehensive directive designed to address the limitations of its predecessor. The NIS2 Directive marks a significant milestone in the EU’s efforts to bolster cybersecurity across its member states. At the national level, NIS2 aims to enhance overall cybersecurity through:
These measures are designed to collectively ensure that relevant entities throughout the EU are equipped with appropriate security measures, threat intelligence, and best practices to effectively mitigate cyber threats.
Whilst the NIS1 Directive triggered a change in mindset and improved data protection, it faced challenges. These included a rapidly evolving risk landscape; varying levels of adoption due to confusion over what was deemed an essential company; increasing rates of cyber-crime, with new and sophisticated attack vectors emerging, including AI-powered threats; and geopolitical factors which gave rise to more politically motivated and state-sponsored cyber-attacks.
The NIS2 Directive is important as it provides a unified implementation for member states, and raises the bar for cyber resilience in step with the evolving cyber threat landscape. With cyberattacks costing EU consumers and businesses an estimated €180 billion to €290 billion annually, cyber resilience has never been more critical for the EU.
NIS2 expands upon its predecessor, NIS1 (Directive (EU) 2016/1148), by increasing the scope of applicability to include more industry sectors and digital service providers. As well as introducing new penalties, NIS2 details stricter risk and cybersecurity requirements, including: incident response planning and encryption; more detailed and time-bound incident reports; uniform criteria for entity classification and clear enforcement guidelines; and greater accountability for implementation, shouldered by an entity's management team.
Aspect | NIS1 Directive | NIS2 Directive
Scope | |
Risk Management and Cybersecurity Requirements | |
Incident Reporting | |
Harmonization Across EU Member States | |
Enforcement and Penalties | |
The NIS2 Directive introduces a significant change in how organizations are classified and regulated for cybersecurity purposes in the EU. This new framework replaces the previous distinction between "operators of essential services" (OES) and "digital service providers" (DSP) with a more comprehensive classification system.
NIS2 Article 3 now categorizes entities as essential or important based on their size and the criticality of their services. The directive expands its scope from 7 to 15 sectors, encompassing a broader range of vital aspects of EU society.
Essential entities are defined as large companies operating in critical sectors. These are organizations with:
Sectors classified as essential by NIS2 include:
Important entities are typically medium-sized enterprises operating in sectors of high criticality but not falling under the essential services category. These organizations generally have:
Sectors classified as important by NIS2 include:
While some sectors may appear to overlap, there are key distinctions:
NIS2 also addresses entities based outside the EU. According to article 26:
There are a few exceptions, and Article 26 provides clarification on them. This comprehensive classification system aims to create a more secure and resilient digital landscape across the European Union by acknowledging the complex relationships between various entities and fostering collaboration.
The NIS2 Directive introduces several key requirements for essential and important entities to enhance cybersecurity across the European Union.
While the directive contains 46 articles, Chapter IV (Articles 20-25) is particularly significant for organizations seeking compliance. Most of the other chapters focus on the member states’ requirements rather than an entity's requirements. Articles 20-25 revolve around two main topics: cybersecurity risk management and reporting obligations.
The key NIS2 subject areas for entities:
Article 20 of NIS2 mandates that top management of essential and important entities:
Articles 32 and 33 further emphasize the liability of legal representatives of these entities.
Article 20 of NIS2 requires top management to undergo cybersecurity training and to encourage similar cybersecurity training for employees.
The purpose of this training is for management to gain “sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity”.
Article 21 requires cybersecurity measures to be appropriate and proportional to the related risks.
When assessing the risks, companies should take into account the following:
Article 21 requires entities to implement measures to protect network and information systems and the physical environment of those systems from incidents, and “shall include at least the following”:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Article 21 also addresses risks related to direct suppliers and service providers, including:
Article 23 outlines incident reporting requirements:
While not currently mandatory, NIS2 allows for potential future requirements to use certified IT products or services under European cybersecurity certification schemes.
Articles 32 and 33 outline the supervisory and enforcement measures in relation to important and essential entities respectively, stating that for each entity type, “Member States shall ensure that the supervisory or enforcement measures imposed...in respect of the obligations laid down in this Directive are effective, proportionate and dissuasive”.
It continues by requiring oversight of essential and important entities, which includes on-site inspections, off-site supervision, cybersecurity audits, and security scans.
Article 34 outlines substantial penalties for non-compliance, imposing significant fines on important and essential entities that fail to adhere to NIS2 regulations:
The NIS2 Directive deadline was October 17, 2024. By this date, EU member states were required to implement the directive's requirements into their national laws. However, the transition has not been smooth for all countries.
As of October 18, 2024, European countries' progress in transposing the NIS2 Directive varies significantly. Given the evolving nature of this situation, it's likely these statuses will change.
Level 2 (Mid-term Advancement): Sweden, Ireland, Netherlands, Portugal, Estonia, Poland, Slovakia, Slovenia, Bulgaria, Greece, Cyprus, and Malta.
Level 3 (Draft Law Analysis): Denmark, Luxembourg, France, Austria, Finland, Germany, Czech Republic, and Romania.
Level 4 (Law Approved): Belgium, Italy, Latvia, Lithuania, Hungary, and Croatia.
The implementation of NIS2 across the EU has faced several challenges:
As we move further into 2025, several key dates loom on the horizon for NIS2 implementation:
These milestones will be crucial in assessing the directive's effectiveness and identifying areas for improvement.
For businesses operating in the EU, NIS2 represents both a challenge and an opportunity. By some estimates, more than 150,000 companies in the EU will need to become NIS2 compliant. While compliance may require significant investment in cybersecurity measures, staff training, and potentially new hires, it also provides a framework for enhancing overall security posture.
Key considerations for businesses include:
StratoKey's Cloud Data Protection (CDP) Gateway offers a robust solution to help EU companies meet key cybersecurity requirements of the NIS2 Directive.
The StratoKey CDP Gateway addresses critical aspects of data protection, encryption, and access control, aligning with NIS2 obligations and enhancing overall cybersecurity posture.
Importantly, the StratoKey CDP Gateway is hosted within the entity's own environment. Self-hosting the gateway gives the entity complete control over encryption keys and data protection, ensuring sensitive information is encrypted or tokenized before it leaves the entity's environment. This delivers not only security benefits but also clear data sovereignty benefits.
By deploying StratoKey within its own infrastructure, the entity maintains full sovereignty over its data, can mitigate risks associated with cloud provider or SaaS application access, and can effectively address NIS2 compliance requirements.
StratoKey's CDP Gateway helps organizations address many cybersecurity requirements outlined in NIS2 article 21, including:
By deploying StratoKey's Cloud Data Protection Gateway in their environment, organizations can tokenize or encrypt regulated data before it leaves for the cloud, taking a significant step towards meeting NIS2 requirements.
The comprehensive approach to cloud data protection, combined with flexibility and scalability across multiple cloud services, makes StratoKey a valuable tool for EU companies seeking to enhance their cybersecurity measures in line with NIS2 directives.
Get in touch with StratoKey to ask how we can help with NIS2 compliance security controls, or download the StratoKey Whitepaper to learn more about the StratoKey CDP Gateway.