What is NIS2: Scope, Impacted Sectors, and How to Prepare

Late in 2022, the new regulation on Network and Information Security (NIS2) was published in the Official Journal of the European Union (EU). NIS2 is the successor of NIS1, originally published in 2016, and it brings significant upgrades to the laws and regulations for cybersecurity across the EU. 

NIS2 enacts stricter, GDPR-like regulations on cybersecurity with an emphasis on reporting and notifications, and stipulates tougher enforcement and larger penalties for violating its clauses. 

Currently a European Directive, NIS2 entered into force on 16 January 2023 and will have to be adopted in national law for all Member States by 17 October 2024, while NIS1 will be officially repealed on 18 October 2024. 

Understanding NIS2

The NIS Directive (Directive 2016/1148/EC), also known as NIS1, focused on safeguarding the critical cybersecurity infrastructure of the EU. NIS2 builds upon the previous legal framework and introduces a shift in focus towards common cyber risk management, incident reporting, and information-sharing obligations within the EU. 

The introduction of the NIS 2 Directive aims to address the limitations of its predecessor. This new Directive sets out various measures aimed at achieving a high level of cybersecurity across the EU, with the goal of enhancing the functioning of the internal market. These measures include obligations for Member States that include:

• Adopting national cybersecurity strategies
• Establishing competent authorities and cyber crisis management authorities
• Designating single points of contact on cybersecurity
• Creating Computer Security Incident Response Teams (CSIRTs)
• Abiding by the new regulations regarding cybersecurity information sharing

NIS2 also outlines cybersecurity risk management measures and reporting obligations for essential and important sectors.

NIS1 vs. NIS2

NIS1 aimed to enhance cybersecurity capabilities throughout the European Union, addressing threats to network and information systems that are essential for key sectors and ensuring the uninterrupted provision of such services in the face of incidents. The NIS1 Directive was drafted with the ultimate goal of contributing to the overall security of the EU and promoting the effective functioning of its economy and society.

After the implementation of NIS1 in May 2018, the European Commission conducted an evaluation and revision of the directive due to challenges faced by several Member States during its implementation. The Commission's evaluation assessed the relevance, EU-added value, coherence, effectiveness, and efficiency of the NIS Directive. The evaluation identified that the scope of NIS1 was too limited in terms of the sectors covered, primarily due to the increased digitalization and interconnectedness witnessed in recent years. The original directive no longer encompassed all digitalized sectors that provide key services to the economy and society as a whole. More importantly, the lack of a common understanding of primary threats resulted in inconsistent resilience across the European Union.

In response to the inconsistent and fragmented implementation of NIS1, the European Commission has introduced the NIS2 Directive, which brings significant and wide-ranging changes specifically targeting entities in critical sectors.

The key focus areas of NIS2

NIS2 aims to address the shortcomings of its predecessor and introduces significant changes on six main levels.

1. Scope extension 

The NIS 2 Directive introduces a revised approach to determining regulated entities by implementing a size cap rule. This rule is based on the Commission Recommendation of 6 May 2003, which defines micro, small, and medium-sized enterprises. According to the size cap rule, all medium-sized and large companies operating or providing services in the sectors covered in NIS2 fall under its scope. However, small enterprises and microenterprises are included in NIS2 only in exceptional circumstances. For instance, they may be included if they are the sole provider of a service essential for maintaining critical societal or economic activities within a Member State or if they offer domain name registration services.

Moreover, NIS2 expands the coverage of NIS1 to encompass new sectors and entities categorized as essential and important entities. As a result, NIS2 eliminates the distinction between Operators of Essential Services (OEDs) and Digital Service Providers (DSPs) present in the previous directive. Instead, NIS2 establishes distinct rules for essential entities and important entities.

Note: NIS2 excludes entities engaged in activities related to defense, national security, public safety, and law enforcement, as well as the judiciary, parliaments, and central banks. 

2. Responsibility of management bodies

Under the NIS2 provisions, Member States are now explicitly obligated to ensure that their management bodies endorse cybersecurity risk-management measures, supervise their implementation, and potentially face liability for any violations. Member States are also required to participate in specialized cybersecurity training programs.

Entities falling within the scope of NIS2 are mandated to perform assessments of their supply chain security. These entities must also adopt "appropriate and proportionate technical and organizational measures" to effectively manage security risks associated with the network and information systems they utilize while delivering their services.

3. Reporting

NIS2 brings forth more detailed provisions outlining the procedure and timelines for reporting incidents, including significant incidents, to CSIRTs. It also introduces enhanced supervisory measures for national authorities and imposes stricter enforcement requirements.

Specifically, NIS2 stipulates a phased approach to reporting obligations. The initial notification, known as the early warning, must be provided within 24 hours of becoming aware of a significant incident. Following the early warning, an incident notification must be submitted within 72 hours, providing further details about the incident. Finally, a comprehensive final report must be submitted within one month after the incident notification has been submitted. These measures aim to ensure prompt and effective reporting of incidents to the relevant authorities.

4. Emphasis on proactive cybersecurity

NIS2 highlights that adopting a proactive approach to cybersecurity is critical and states that efficiently and seamlessly sharing and comprehending threat information, cyber activity alerts, and response actions is of utmost importance to foster a unified approach in effectively preventing, detecting, mitigating, and thwarting attacks on network and information systems. 

As paragraph 57 reads, “Rather than responding reactively, active cyber protection is the prevention, detection, monitoring, analysis, and mitigation of network security breaches in an active manner [...].”

5. The importance of open source

With open source code now being integral to 97% of applications worldwide, it would be impossible for the European Council to ignore the importance of open source in cybersecurity. NIS2 highlights that open source facilitates a more transparent verification process for cybersecurity tools and allows for a community-driven approach to identifying vulnerabilities. By embracing open standards, the interoperability between security tools can be improved, thereby benefiting the overall security of industrial stakeholders.

Paragraph 52 reads, “Policies promoting the introduction and sustainable use of open-source cybersecurity tools are of particular importance for small and medium-sized enterprises facing significant costs for implementation, which could be minimised by reducing the need for specific applications or tools.”

6. Sanctions for non-compliance

In line with the NIS2 Directive, Member States are empowered to impose penalties for non-compliance, similar to the fines outlined in the General Data Protection Regulation (GDPR). The magnitude of these fines varies depending on whether an entity is categorized as essential or important. Non-compliance penalties for essential entities may reach a maximum of 10 million euros or a maximum of 2% of the company's total global annual turnover from the preceding financial year. Conversely, non-compliance penalties for important entities can reach a maximum of 7 million euros or a maximum of 1.4% of the company's total global annual turnover from the preceding financial year.

Sectors impacted by NIS2

The scope of NIS2 encompasses both public and private entities that meet the criteria of being classified as medium-sized enterprises — employing fewer than 250 individuals and having an annual turnover that does not surpass 50 million euros. It is important to note that NIS2 extends to entities that provide their services or conduct their operations within the EU and exceed the thresholds defined for medium-sized enterprises.

As mentioned earlier, NIS2 categorizes sectors as essential and important.

You can find the complete list of essential and important sectors and entities in Annex 1 of the Directive.

How to prepare for NIS2

We cannot emphasize enough the urgent need to anticipate mandatory budget adjustments to comply with the NIS2 directive. “We don’t have the budget to invest in cybersecurity” is no longer a valid argument in light of the strict legal ramifications. 

Step number one in preparing for the NIS2 Directive is to discuss with your technical teams in charge of security and operations. 

• Identify which provisions apply to your organization and to what extent
• Audit your security stack and identify which changes need to be made
• Adjust your cybersecurity budget accordingly

Invest in tools built for actionable threat intelligence and proactive cybersecurity

Adjusting cybersecurity budgets is one thing, but making smart, informed decisions on which tools you should invest in is a whole different story, especially with the urgency NIS2 puts on, not just cybersecurity, but proactive cybersecurity. 

CrowdSec is a modern, collaborative cybersecurity company committed to proactively safeguarding your digital assets and is the ultimate prevention tool to protect your exposed workloads. Contrary to post-intrusion tools like SIEM, CrowdSec provides a proactive response before an intrusion takes place.

• Manage the risks posed to the security of network and information systems.
  CrowdSec helps maintain your security stance over time and constantly adapt to emerging threats.
• Timely notifications to your CSIRTs and customers of any significant incidents.
  Get real-time alerts on security incidents and breaches with detailed reports that will help you communicate on any incident.
• Actively prevent, detect, monitor, analyze, and mitigate network security breaches.
  The dynamic and global insights of the CrowdSec CTI enable the swift detection and neutralization of threats. With its proactive mechanism to pre-empt attacks and adapt in real-time to emerging threats, enterprises gain an edge in cybersecurity. With the API interface, users have access to a set of granular information, including Autonomous Systems, country of origin, aggressiveness, and the types of attacks performed by an IP.
• Take advantage of open source technologies to reduce your costs.
  The CrowdSec Security Engine is, and always be, free and open source, providing you with an easy and immediate solution to identify and block malicious behaviors. Coded in Golang, it uses marginal resources and can be deployed in any environment: containers, on-prem, cloud, or hybrid. The CrowdSec Security Engine provides you with a hub of numerous analyses, detection, and remediation components to quickly and easily integrate the solution with the various elements of the security infrastructure. And if your infrastructure is too large for an open source solution, with CrowdSec, you can always pay as you grow to get access to more resources according to your needs. 

NIS2 timeline and why you should act now

The effective date of the NIS2 Directive was 16 January 2023 and all Member States are required to adopt and publicly disclose the necessary measures to ensure compliance with this directive by 17 October 2024. From 18 October 2024 onwards, these measures must be actively applied. Therefore, entities and sectors falling within the scope of NIS2 should promptly take note of its provisions and aim to implement them as soon as possible.

Non-compliance with NIS2 is not an option, and cybersecurity budgets of impacted entities for 2024 will need to be adjusted. As most organizations will have to make budget decisions over Q3 and Q4 2023, now is the perfect time to proactively conceive a plan for adjusting existing security systems, methods, and budgets to comply with NIS2.