How the NIS2 Directive will bring value to your business
21 September 2022
The EU’s NIS2 Directive imposes more stringent legal requirements regarding cyber and information security across the EU Member States. If your company is covered by NIS2, how do you ensure compliance and make the adoption of NIS2 add value to your business?
At Implement, we are working closely with clients to prepare them for NIS2. We firmly believe that with the right approach to the NIS2 Directive, you can add value to your business in terms of both resilience and reputation.
In this article, we highlight the essentials of how your organisation should approach the NIS2 Directive to make its adoption a beneficial part of your business.
What is NIS2?
Many European countries are experiencing a rapidly increasing number of cyberattacks that are also becoming more sophisticated. The question is no longer what we should do if we are affected by a cyberattack but rather what to do when it happens. Following this line of thinking, companies will not be judged by consumers and stakeholders on whether they are affected by a cyberattack, but they will be judged by the nature of their response and their preparedness for the attack.
In response to this new threat landscape, the European Parliament came to an agreement on a high common level of cybersecurity across the European Union (EU). The agreement is known as the NIS2 Directive and is an extension of the former NIS Directive. In its essence, NIS2 will significantly enhance the scope in terms of both the entities and sectors that are included, as well as introduce new cybersecurity risk management requirements that covered entities must adhere to as a minimum standard. Entities subject to NIS2 must comply with the legal obligations outlined in NIS2 by 18 October 2024.
Which companies will be included in the NIS2 Directive and why does it matter?
In essence, the NIS2 Directive applies to private or public entities that are considered as either essential or important. Generally, to determine whether an entity falls within one of these categories, several conditions are considered.
First, an organisation needs to examine the sector in which it operates. This is crucial because NIS2 clearly outlines the sectors that are in the scope of either the essential or important category.
The second condition concerns the size of an organisation. In this respect, NIS2 introduces a size cap rule, meaning that, in general, only medium and large organisations are in the scope of NIS2. The determination of an organisation’s size is based on the employee headcount and annual turnover. In the NIS2 context, this includes primarily large companies with more than 250 employees and medium-sized companies with 50–250 employees. Companies with less than 50 employees or an annual turnover of less than EUR 10 million are not included unless they are deemed of critical importance to society.
While both essential and important entities must adhere to the same cybersecurity risk management measures, the supervisory and penalty regime differ. The NIS2 Directive prepares the ground for inspections, and in light of these inspections, the distinction between essential and important should be particularly noted:
For essential entities, the inspections will be conducted ex-ante, which means inspections will have taken place before potential incidents occur.
For important entities, the inspections will be conducted ex-post, meaning inspections will mostly be initiated after a significant incident occurred.
The difference between when the inspections take place for essential and important entities has a direct impact on how many resources your organisation needs to allocate and what types of capabilities your organisation will need to have at its disposal.
Regardless of size, the NIS2 Directive also applies to public administration entities of central governments and public administration entities at a regional level. Exempt from this are public administrations whose activities are in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
We are included in the NIS2 Directive – what do we do?
More than 150,000 companies across the EU are estimated to be affected by the NIS2 Directive, and many of these companies will gain an advantage if they immediately determine whether they will be included in the Directive or not. It pays to have a solid plan for the work ahead, following the notion of action instead of reaction, to avoid being taken off guard by the potential number of resources you will need to comply with the Directive.
Harmonised sanctions will form an inherent part of the NIS2 Directive, and these sanctions will be the catalyst for placing NIS2 at the top of the management’s agenda.
At Implement, we believe that companies should strive for the benefits they can gain from the resilience and robustness derived from complying with the NIS2 Directive. The Directive particularly emphasises a risk-based approach, and for most organisations, a risk management perspective will be the best way to balance security needs deriving from the Directive with business objectives.
If your organisation is included in the Directive, it is our recommendation that you initiate the preliminary work as soon as possible. An appropriate first step for your organisation is to examine and evaluate the forthcoming legal requirements and consequences of non-compliance. Additionally, it is well advised to identify and allocate sufficient resources to develop the capabilities needed in order to fulfil the requirements posed by NIS2. You can do this, for instance, by conducting an information security gap analysis, taking NIS2 as a point of reference. At this point, it is also worth noting that the requirements posed by NIS2 are closely aligned with the requirements that information security standards and best-practice frameworks prescribe (such as ISO 27001).
Besides organisational and technical requirements, NIS2 further imposes strict reporting obligations. In that regard, the NIS2 Directive aims to streamline reporting practices to avoid over-reporting and to reduce the reporting workload, while ensuring timely and sufficient notification in case of a significant incident to minimise the damage and detrimental impacts.
Entities will have to issue an early warning report within 24 hours of becoming aware of a significant incident. After that, but no later than 72 hours of becoming aware of the incident, organisations are required to submit an incident notification containing an initial assessment of the incident.
The initial assessment should contain an evaluation of the severity and impacts as well as potential indicators of compromise. Last, entities are expected to issue a final report within one month after the submission of the incident notification. In that respect, preparation will be essential for the ability to deliver a concise and valuable report within these time frames.
National legislation and the road ahead
The NIS2 Directive was adopted by the EU on 27 December 2022, after which it went formally into effect by the publication in the Official Journal of the European Union on 16 January 2023. Since NIS2 is an EU Directive and not an EU regulation, Member States must first transpose NIS2 into national legislation within 21 months to apply and enforce the requirements in their respective country. National legislation will follow the Directive’s minimum requirements but may also prescribe more comprehensive obligations. However, it is well advised to not be hesitant and act now, taking the requirements of NIS2 as a baseline for the implementation efforts towards compliance.
In respect of other EU legislations, NIS2 has been aligned closely with sector-specific legislation. This concerns particularly the regulation on digital operational resilience for the financial sector (DORA) and the Directive on the Resilience of Critical Entities (CER) in order to provide legal certainty and ensure coherence between NIS2 and these sector-specific legislations.
We help equip companies for a secure future
At Implement, we are ready to advise organisations on the NIS2 Directive. Our team of diverse subject matter experts are specialised in all aspects of the NIS2 requirements, including risk management, business continuity and supply chain security, allowing for a unique end-to-end process. Based on our interdisciplinary expertise, we can help determine the applicability of NIS2, determine the extent to which organisations are included in the scope of the Directive and advise on the potential obstacles and challenges. Further, we have extensive experience in designing and implementing organisational and technical measures tailored to the organisation’s context and assisting with establishing the necessary capabilities needed for compliance.
We aim to make organisations secure ahead of an uncertain future, through a truly human-centric approach. If you want to know more or wish to be kept up to date on NIS2, please do not hesitate to get in touch.