5 March 2025

NIS2: A new stage in cybersecurity in Europe. Are you ready?

Based on data from the European Commission, the European Union Agency for Cybersecurity (ENISA), and official EU directives. See sources at the end of the article.

What is NIS2?

Directive (EU) 2022/2555 (NIS2) is an EU-wide cybersecurity legislation introducing mandatory measures to enhance the level of cyber protection across EU member states.

NIS2 comes into effect on October 18, 2024. Public and private sector organizations must assess its impact on their current cybersecurity framework, develop a compliance strategy, and understand the severe consequences of non-compliance – including stricter supervision, administrative fines, and personal liability for executives.

Why is NIS2 necessary?

The predecessor of NIS2, Directive (EU) 2016/1148 (NIS-D), was the first EU-wide law aimed at improving the resilience of network and information systems against cyber threats. However, rapid digitalization has exposed its limitations. NIS2 addresses these shortcomings by introducing:

  • National cybersecurity strategies;
  • Enhanced cooperation and information-sharing between EU member states;
  • Stricter risk management and incident reporting obligations;
  • More rigorous regulatory oversight and enforcement.

Who does NIS2 apply to?

NIS2 applies to public and private sector organizations that:

  • Provide critical services or manage key infrastructure;
  • Qualify as medium or large enterprises;
  • Operate within the EU.

However, some companies will fall under the directive regardless of their size. Additionally, national governments may extend NIS2 coverage to additional entities. It is particularly important to consider that the directive affects supply chains, including third-party and even fourth-party risk management.

Key Changes in NIS2

  • Expansion of covered sectors: NIS2 expands from 7 to 18 sectors, now including public sector entities and companies with over 50 employees or an annual turnover of €10 million.
  • New classification system: Instead of the previous distinction between “operators of essential services” and “digital service providers,” companies are now categorized as “essential” or “important” entities, leading to different levels of oversight and penalties.
  • Personal liability: Executives are personally responsible for failing to comply with cybersecurity risk management requirements. In certain cases, CEOs and legal representatives of essential entities may face temporary bans from holding managerial positions.
  • Enhanced regulatory supervision: Authorities are granted powers to conduct on-site inspections, targeted audits, request data, and enforce compliance with cybersecurity regulations.
  • Administrative fines:
    • For “essential” entities – up to €10 million or 2% of the company’s global annual turnover (whichever is higher).
    • For “important” entities – up to €7 million or 1.4% of global annual turnover (whichever is higher).
  • Stricter risk management requirements: Companies must implement fundamental measures, including:
    • Risk analysis and information system security strategies;
    • Incident response procedures and business continuity plans;
    • Supply chain security management.
  • Tighter incident reporting requirements: Organizations must notify regulators of significant incidents, including an “early warning” stage within 24 hours of detection.
  • Supplier cybersecurity oversight: Companies must account for cybersecurity risks in their supply chains, including suppliers not directly covered under NIS2.
  • Mandatory registration with supervisory authorities: Companies must register with EU regulatory bodies by April 17, 2025, and in some cases by January 17, 2025. This process requires submitting detailed company information, including sector of operation, data protection levels, and cybersecurity measures. Regulators may request additional documentation to confirm NIS2 compliance. Failure to register or comply may result in fines and heightened regulatory scrutiny. Organizations operating across multiple EU countries must assess jurisdictional requirements and possible multi-state registrations. Additionally, companies must appoint designated representatives for regulatory communications, prepare internal documentation, and develop cybersecurity compliance strategies aligned with NIS2 standards.

Immediate Actions to Take

  1. Determine whether your organization falls under NIS2: Check if your sector is listed and whether your organization is classified as an “essential” or “important” entity. If applicable, conduct an internal cybersecurity assessment.
  2. Understand which national laws apply to your company: Identify the jurisdiction in which your organization must register and ensure compliance with local regulations.
  3. Align NIS2 with other regulatory frameworks: NIS2 is part of a broader EU cybersecurity strategy, making it crucial to consider related laws such as GDPR and DORA. Conduct a comprehensive analysis to identify overlapping requirements.
  4. Update incident response procedures: Regularly test cyberattack scenarios, establish clear communication channels, and define responsibilities. Develop a protocol for promptly notifying regulators and business partners about significant incidents.
  5. Review cybersecurity risk management strategies: Upgrade data protection measures, conduct security audits, identify vulnerabilities, and implement corrective actions.
  6. Assess third-party risk management: Evaluate supplier contracts for NIS2 compliance, enhance supply chain audit procedures, and enforce stricter vendor verification criteria.
  7. Enhance corporate cybersecurity awareness: Raising employee awareness, conducting training sessions, and enforcing personal accountability are crucial for reducing cyber risks. Consider implementing regular cybersecurity training programs.
  8. Develop a cybersecurity roadmap: Create a strategic NIS2 adaptation plan, including short-term and long-term actions, designated responsible individuals, and compliance milestones.
  9. Appoint an internal task force or external expert: Engage legal, IT, and risk management professionals to ensure a comprehensive approach to meeting NIS2 requirements.

How Can InDevLab Help You Prepare for NIS2?

  • Assess whether your company falls under NIS2 and identify applicable exemptions;
  • Conduct an audit to evaluate your organization’s compliance with NIS2 and other EU cybersecurity regulations;
  • Develop an adaptation strategy, including risk management and reporting frameworks;
  • Assist in preparing cybersecurity infrastructure and creating an incident response plan;
  • Evaluate supply chain risks and propose mitigation measures;
  • Support registration with EU regulatory authorities.

Act Now – Compliance with NIS2 is Urgent!

Non-compliance could lead to multi-million-euro fines and personal liability for executives. But you have the opportunity to protect your business now. Get a free express risk assessment from InDevLab and determine your company’s readiness for the new requirements. Submit your request today and receive a personalized NIS2 compliance strategy!

“NIS2 is not just another directive; it’s the new reality for businesses in Europe. Non-compliance is not just about fines – it’s about customer trust and corporate resilience. Prepare today so you don’t find yourself in the midst of a cyber crisis or regulatory scrutiny tomorrow. At InDevLab, we know how to turn NIS2 compliance into a competitive advantage.”

– Dmitry Ganzhelo, CTO, InDevLab

Sources

