1 April 2025

NIS vs NIS2: Key Differences Explained for EU Cybersecurity Compliance (part 2)

The NIS2 Directive is the updated version of the original NIS Directive, the European Union’s first cybersecurity regulation. Designed to close previous gaps and ensure consistent implementation across all EU member states, NIS2 significantly expands the scope of cybersecurity compliance.

At InDevLab we have prepared a detailed article on the differences between the two directives, written for C-level management such as CEOs, CIOs, CTOs and CISOs.

Read the previous part of this article: NIS vs NIS2: Key Differences Explained for EU Cybersecurity Compliance (part 1)

How NIS1 and NIS2 complement one another

The foundation set out by NIS1 is complemented by the updates that were added with NIS2. NIS2 was built on NIS1 to address the need for more cyber resilience across EU organizations.

NIS1’s role in establishing a baseline and standardizing practices laid the groundwork for NIS2 to introduce more advanced measures. Together, they give EU member states a comprehensive and effective approach that improves both cybersecurity and cyber resilience.

NIS2 expectations of EU member states

NIS2 includes a number of specific administrative requirements for EU member states. These are meant to create local infrastructure to enforce the use of robust cybersecurity measures by covered entities. The following are the notable requirements for EU member states established with NIS2.

Creation of national competent authorities

Under NIS2, EU member states are required to designate one or more national competent authorities responsible for overseeing the application and enforcement of the NIS2 directive. EU member states must provide national competent authorities with adequate resources and support to perform their duties effectively. These duties include monitoring covered entities’ compliance, conducting audits, and imposing sanctions for non-compliance by those under their purview. EU member states must also ensure that national competent authorities are able to operate independently and impartially, maintaining high standards of transparency and accountability in their activities.

Development of national cybersecurity strategies

EU member states must develop and implement comprehensive national cybersecurity strategies in accordance with the rules mandated in NIS2. These strategies must outline the systems and processes that are used to achieve and maintain a high level of cybersecurity. They must also take into consideration the evolving threat landscape.

In addition, EU member states’ cybersecurity strategies must include measures for risk management, incident response, recovery, and cyber resilience. EU member states are also expected to regularly review and update their cybersecurity strategies to address new challenges and incorporate lessons learned from previous incidents.

Establishment of computer security incident response teams (CSIRTs)

NIS2 mandates that EU member states create national and regional CSIRTs to ensure effective incident response and coordination. These teams must be adequately resourced and trained to handle various types of cyber incidents.

EU member states’ CSIRTs are responsible for providing early warning, incident handling, and support for affected covered entities. They must also facilitate information sharing and collaboration with other CSIRTs within the EU to help enhance the overall cyber resilience of all EU member states.

Enhanced cooperation and information sharing

NIS2 emphasizes the importance of cooperation and information sharing among EU member states, the European Union Agency for Cybersecurity (ENISA), and other relevant stakeholders. EU member states are expected to participate actively in EU-level cybersecurity initiatives and forums. These are meant to provide opportunities to share threat intelligence, cybersecurity and cyber resilience best practices, and lessons learned. This collaborative approach aims to enhance the collective cyber resilience of the EU and enable a more coordinated response to cross-border cyber threats.

Implementation of risk management and reporting obligations

According to NIS2, EU member states are required to oversee the adoption of appropriate risk management measures by covered entities, and their compliance with incident reporting obligations. These measures should be proportionate to the risks faced by each organization and should include technical and organizational controls to prevent and mitigate cyber threats.

Covered entities must report significant incidents to the national competent authorities within a specified timeframe, ensuring timely and effective responses. EU member states must establish clear guidelines and procedures for incident reporting and follow-up actions.

Promotion of cybersecurity awareness and education

EU member states are required to promote cybersecurity awareness and education among their citizens and businesses. This includes developing and promoting public awareness campaigns, providing training and resources for employees, and encouraging the adoption of good cybersecurity practices. EU member states must also support initiatives that enhance cybersecurity skills and competencies, addressing the growing demand for skilled cybersecurity professionals.

Regular assessments and continuous improvement

NIS2 mandates regular assessments and continuous improvement of covered entities’ cybersecurity measures. EU member states must conduct periodic assessments of their national strategies, CSIRTs, and other relevant frameworks to identify areas for improvement. They are also expected to implement corrective actions based on these assessments to ensure that their cybersecurity measures remain effective and up-to-date. This ongoing process of evaluation and improvement is crucial for ensuring preparedness to defend against cyber threats and for maintaining a high level of cyber resilience.

Need help getting NIS2-ready?

We’ve prepared a set of practical NIS2 templates to save you time and help ensure compliance:

  • Risk Assessment Checklist
  • Relevant Regulatory Authority Contacts
  • Security Control Matrix Template
  • Compliance Checklist

NIS2 useful templates

Fill in the form to receive useful information and templates that will help your organization adopt NIS2.

Supply Chain Security Requirements Under the NIS2 Directive

One of the key focus areas of the NIS2 Directive is supply chain security. With cyber attacks on supply chains becoming more frequent and sophisticated, the directive introduces strict cybersecurity requirements to protect the entire supply ecosystem within EU organizations. Below are the main NIS2 supply chain security requirements companies need to meet.

Compliance and Accountability

Under NIS2, organizations are held accountable for the security of their supply chains. To meet NIS2 compliance standards, covered entities must carry out regular audits and assessments to verify that their suppliers meet required cybersecurity measures.

Organizations are also required to establish clear internal processes for evaluating the security practices of suppliers and addressing any non-compliance. All assessments, practices, and incident reports must be properly documented and ready for review by national competent authorities upon request.

Collaboration and Information Sharing

The NIS2 Directive highlights the importance of strong collaboration between organizations and their suppliers. Companies are encouraged to share threat intelligence and vulnerability data to help suppliers stay informed and prepared for emerging threats.

This collaborative approach supports both sides in taking proactive steps to manage cyber risks. Additionally, covered entities and key suppliers should carry out joint security drills and incident response simulations to improve coordination and identify any weak points in the supply chain security process.

Identifying and Assessing Supply Chain Risks

To stay compliant with NIS2 cybersecurity requirements, organizations must develop systems for identifying and assessing risks within their supply chains. This includes mapping the entire supply chain, identifying critical suppliers and service providers, and understanding how sensitive data flows through the network.

Organizations must also evaluate each supplier’s cybersecurity posture and identify any vulnerabilities that could be exploited, using insights from current threat intelligence and risk assessments.

Implementation of Security Measures

Organizations covered by NIS2 must take active steps to reduce supply chain risks by implementing strong security controls. These should include:

  • Requiring suppliers to maintain robust incident response and recovery plans

  • Setting clear minimum cybersecurity standards for all suppliers, covering access control, data protection, encryption, and threat response

  • Continuously monitoring suppliers’ cybersecurity readiness through audits and evidence-based reviews

  • Including specific cybersecurity requirements in supplier contracts, with defined expectations, compliance terms, and penalties for non-compliance

Integrating Supply Chain Security into Cyber Governance

NIS2 mandates that supply chain cybersecurity be embedded into the organization’s overall cybersecurity governance framework. This includes:

  • Developing supply chain policies that align with your organization’s broader cybersecurity strategy

  • Ensuring that senior leadership is involved in managing supply chain security, including setting goals, allocating budgets, and reviewing progress

  • Providing regular cybersecurity training and awareness programs for employees and suppliers to keep everyone aligned on best practices and known risks

Which sectors are regulated by the NIS2 Directive?

The NIS2 Directive applies to organizations that are classified as medium or large by EU standards (i.e., organizations that have more than 50 employees and/or generate more than 10 million euros in revenue per year). However, these parameters do not apply to organizations in certain sectors, such as those that are:

  • Deemed critical infrastructure
  • Providers of public services (e.g., electronic communication networks)
  • Providers of a service where an interruption could impact public safety, security, or health or cause systemic risks
  • Sole providers of a service to a government

The full list of sectors and organization criteria can be found in our article NIS2 in 2024: Which companies must comply with the new EU cybersecurity directive?

NIS2 vs NIS requirements

The following is a comparison of NIS and NIS2 published by the European Commission.

Additional changes included in the NIS2 Directive are:

  • Reinforced obligations for essential and important entities to implement technical, operational, and organizational measures to manage the risks
  • Significant expansion of incident reporting requirements
  • More stringent penalties for failure to comply with NIS2

Incident Reporting Under the NIS2 Directive

The NIS2 Directive brings much stricter rules for cybersecurity incident reporting across the EU. Unlike the original NIS Directive (NIS1), all cybersecurity incidents must now be reported—even if they don’t impact operations. The goal is to help authorities respond faster and track threats more effectively.

Each EU member state must designate a central authority or Computer Security Incident Response Team (CSIRT) to handle reports.

Three-Step Incident Reporting Process (Mandatory)

1. Initial Report – Within 24 Hours
Organizations must notify the national authority or CSIRT within 24 hours of a cybersecurity incident. If possible, they should indicate whether it was caused by a malicious or illegal act.

2. Detailed Report – Within 72 Hours
A follow-up report must include the incident’s scope, impact, and any known technical details.

3. Final Report – Within 1 Month
A comprehensive report is required, including:

  • Full description of the incident

  • Impact and severity

  • Cause or threat type

  • Actions taken and ongoing mitigation

Reporting Major Cyber Threats

In addition to incidents, major cyber threats that could lead to significant damage must also be reported. This includes threats that could:

  • Cause major operational or financial disruption

  • Harm individuals or organizations

Organizations not covered by NIS2 may report threats voluntarily, without facing additional obligations.

Penalties for Non-Compliance

Failure to meet NIS2 compliance standards comes with heavy fines:

  • Essential entities: Up to €10 million or 2% of global turnover

  • Important entities: Up to €7 million or 1.4% of global turnover

The NIS2 Directive – part of a growing trend

The NIS2 Directive represents a growing trend for cybersecurity and cyber resilience to be made integral to legislation. Every EU member state is required to transpose the NIS2 Directive into national law. The NIS2 Directive reaches far into organizations of all types, with the intention of shoring up defenses against escalating cyber threats. The good news about the NIS2 Directive and similar initiatives is that they help organizations improve their overall cybersecurity posture, which has positive impacts on all aspects of operations.

Want to Know How to Prepare Your Organization for NIS2?

If you’re unsure how the NIS2 Directive applies to your organization or what steps you need to take for compliance, we’re here to help.

  1. Fill out the form on our website.
  2. Get a free consultation with our cybersecurity specialist. Learn exactly what your business needs to stay secure and compliant under NIS2.

Don’t wait until the deadline—start your NIS2 compliance journey today.

+46(0)8-20-20-09

11442, Sweden, Stockholm, Östermalmtorg 1

info@indevlab.com