Overview of the EU NIS-2 directive: scope, concrete requirements, reporting obligations and relationship to the Cyber Resilience Act.
Scope of NIS 2
The NIS-2 directive significantly expands the scope compared with its predecessor. It now covers a broader range of sectors and entities:
Essential sectors
- Energy (electricity, district heating / cooling, oil, gas, hydrogen)
- Transport (air, rail, maritime, road)
- Banking & financial market infrastructures
- Health
- Drinking water and wastewater
- Digital infrastructure
- B2B providers of ICT services
- Public administration
- Space
Important sectors
- Postal and courier services
- Waste management
- Chemicals (production, manufacturing, trade)
- Food (production, processing, distribution)
- Industry (medical devices, electrical & electronic, mechanical engineering, automotive)
- Digital services (marketplaces, search engines, social media)
- Research
The directive applies to medium and large enterprises in these sectors, based on defined thresholds.
Specific requirements of NIS 2
Article 21 of the NIS-2 directive lays out a number of specific requirements for affected entities. These aim to ensure a high common level of cybersecurity across the EU. Below are the main requirements in detail:
Risk management (Article 21, paragraph 1 and 2(a))
Implement appropriate and proportionate technical, operational and organizational measures to address cybersecurity risks, including concepts for risk analysis and the security of information systems.
Examples: regular risk analyses, creating and updating a risk inventory, implementing a formalized risk management process.
Supply chain security (Article 21, paragraph 2(d) and paragraph 3)
Take cybersecurity risks across the entire supply chain into account, including security aspects between the company and its direct suppliers or service providers.
Examples: conducting security audits of suppliers, including cybersecurity clauses in contracts, implementing a supplier risk management system.
Handling security incidents (Article 21, paragraph 2(b))
Implement measures for the effective handling of security incidents.
Examples: establishing a Computer Emergency Response Team (CERT), developing and regularly testing incident response plans, implementing automated detection and response systems.
Continuity of operations and crisis management (Article 21, paragraph 2(c))
Implement measures to maintain operations, including backup management, recovery after an emergency and crisis management.
Examples: developing and regularly testing business continuity and disaster recovery plans, setting up a cyber incident crisis team, implementing redundant systems and data backups.
Security in acquisition, development and maintenance (Article 21, paragraph 2(e))
Implement security measures in the acquisition, development and maintenance of network and information systems, including vulnerability management and disclosure.
Examples: integrating security-by-design principles into development processes, regularly applying security updates and patches, implementing a vulnerability management program.
Testing and assessment of effectiveness (Article 21, paragraph 2(f))
Implement concepts and procedures to assess the effectiveness of cybersecurity risk management measures.
Examples: regular internal and external security audits, implementing key performance indicators (KPIs) for cybersecurity, conducting penetration tests and red-team exercises.
Cyber hygiene and training (Article 21, paragraph 2(g))
Implement basic cyber hygiene procedures and conduct cybersecurity training.
Examples: regular phishing simulations, mandatory annual cybersecurity awareness training for all employees, implementing password and device usage best-practice policies.
Encryption and cryptography (Article 21, paragraph 2(h))
Implement concepts and procedures for the use of cryptography and, where appropriate, encryption.
Examples: use of AES-256 for data encryption, use of TLS for encrypting data transmissions, implementation of end-to-end encryption for sensitive communications.
Personnel security, access control and facility management (Article 21, paragraph 2(i))
Implement measures for personnel security, access control concepts and facility management.
Examples: background checks when hiring new employees, implementation of role-based access control, installation of access control systems for critical infrastructures.
Multi-factor authentication and secure communication (Article 21, paragraph 2(j))
Use solutions for multi-factor authentication or continuous authentication, secure communication systems and, where appropriate, secure emergency communication systems.
Examples: implementing two-factor authentication for all critical systems, using VPNs for remote access, setting up a secure emergency communication system.
Consideration of the state of the art (Article 21, paragraph 1, subparagraph 2)
Take the state of the art and, where applicable, relevant European and international standards into account when implementing security measures.
Examples: regular review and updating of security measures based on the latest best practices and standards such as ISO/IEC 27001, NIST Cybersecurity Framework or BSI IT-Grundschutz.
Proportionality of measures (Article 21, paragraph 1, subparagraph 2)
Consider the proportionality of measures by taking into account factors such as risk exposure, the size of the entity and the potential impact of security incidents.
Examples: cost-benefit analysis for security measures, adjusting security controls based on the criticality of systems and data, prioritizing security investments based on risk analyses.
Implementing these requirements requires a holistic approach to cybersecurity that covers technical, operational and organizational aspects. Companies must adapt these requirements to their specific situation and continuously review and improve them.
Reporting obligations of NIS 2
Article 23 of the NIS-2 directive sets out clear reporting requirements for cybersecurity incidents:
Early warning
Essential and important entities must submit an early warning to the competent authorities or the CSIRT (Computer Security Incident Response Team) without undue delay, and at the latest within 24 hours of becoming aware of a significant cybersecurity incident.
Interim report
Within 72 hours after the early warning, an updated report must be submitted that contains an initial assessment of the incident, its severity and impact, and, where available, the indicators of compromise.
Final report
At the latest one month after submission of the interim report, a final report must be provided containing:
- A detailed description of the incident, its severity and impact
- The type of threat or cause that likely triggered the incident
- Applied and ongoing remediation measures
- If applicable, cross-border effects of the incident
Sanctions and enforcement
The NIS-2 directive provides for effective, proportionate and dissuasive sanctions for breaches:
Fines
Companies can face fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher.
Personal liability
Management bodies can be held accountable for failures to monitor and enforce compliance with NIS-2 obligations.
Temporary bans
Executives may be temporarily prohibited from exercising management functions.
Distinction from the Cyber Resilience Act (CRA)
While the NIS-2 directive focuses on the security of network and information systems in critical sectors, the Cyber Resilience Act (CRA) specifically targets the cybersecurity of products with digital elements. It is important to understand the differences and synergies between these two pieces of EU legislation:
| | NIS 2 | CRA |
|---|---|---|
| Focus | Focuses on organizational and process-related aspects of cybersecurity in specific sectors. | Targets product security and focuses on the entire supply chain of products with digital elements. | 
| Scope | Applies to companies and organizations in defined critical sectors. | Concerns manufacturers, importers and distributors of products with digital elements, regardless of sector. | 
| Requirements | Requires risk management measures, reporting obligations and organizational security measures. | Requires consideration of cybersecurity in product design, conformity assessments and continuous vulnerability management throughout the product lifecycle. | 
| Timeline | Transposition into national law by October 2024. | Expected to enter into force in 2024, with a 24-month transition period for most provisions. | 
For many companies, especially those that both operate critical infrastructure and manufacture or distribute products with digital elements, both regulations will be relevant. A holistic approach that addresses both NIS-2 and the CRA is therefore important.
Implementation and timeline of NIS 2
EU Member States have until 17 October 2024 to transpose the provisions of the NIS-2 directive into national law. However, note the following:
- Different transposition speeds: not all countries will meet the deadline, which may lead to an uneven implementation.
- National adaptations: some countries may expand or adjust the directive’s requirements, resulting in differences between Member States.
- Phased implementation: companies should expect a phased rollout and possible adjustments to requirements over time.
For an up-to-date overview of the implementation status in various EU countries, we recommend our article “NIS 2-Umsetzung in Europa: Ein Überblick über den aktuellen Stand”. This article provides valuable insights into the different approaches and progress of Member States in implementing the directive.
Conclusion
The NIS-2 directive represents a significant step toward improving cybersecurity in the EU. It poses considerable challenges for companies but also offers the opportunity to comprehensively strengthen cybersecurity and increase resilience against threats. A proactive approach and early engagement with the directive’s requirements are crucial for companies to be well prepared and to minimize potential risks.