Everything You Need to Know About The NIS2 Directive

The Primary Objective of The Directive

The NIS2 Directive, officially known as the “Directive on Measures for a High Common Level of Cybersecurity across the Union,” represents the European Union's commitment to strengthening cybersecurity across its Member States. NIS2 has garnered attention in the cybersecurity community and the market, and its impact will be felt, at least until its implementation deadline in two years, if not beyond.

The primary objective of NIS2 is to provide additional legal measures to enhance cybersecurity at the EU level and boost the Union's overall cyber resilience.

Given that the NIS2 Directive came into force in 2023, organizations must begin preparing for its implementation very soon.

NIS2 – Why It Matters and the Timeline

The NIS2 Directive is a revised version of the original NIS Directive, which marked the EU's first foray into cybersecurity legislation in 2016. Over time, policymakers identified flaws in the original legislation and recognized the need for an updated version that would bring more clarity to certain issues, resulting in the birth of NIS2.

This new directive modernizes the legal framework to keep pace with the ever-evolving cyber threat landscape and address the impact of increased digitalization.

NIS2 achieves this by expanding the minimum cybersecurity standards and requirements to encompass new entities and sectors, thereby enhancing the cyber resilience and incident response capabilities of public and private organisations, authorities, and the EU as a whole.

The European Council adopted the NIS2 Directive in November 2022, and it was published in the Official Journal of the EU in December 2022. The clock is ticking as EU Member States have 21 months from the directive's coming into force to incorporate its provisions into their national legal frameworks, with the directive taking effect in October 2024.

Although the deadlines might seem distant, the complexity of NIS2 and the significantly higher standards it sets for cybersecurity mean that the time to start planning for implementation is now.

Key Requirements of the NIS2 Directive

• Expanded Scope: NIS2 applies to a broader range of sectors and entities than its predecessor, including “essential” and “important” entities within relevant sectors.
• Cybersecurity Risk Management Measures: NIS2 mandates the implementation of various cybersecurity risk management policies, encompassing risk analysis, incident response, encryption, cryptography, vulnerability disclosure, cybersecurity training, and ICT supply chain security.
• Incident Reporting: The directive introduces stringent incident reporting requirements, including initial notification within 24 hours of awareness, a second notification within 72 hours, and a final report within 1 month.
• Oversight by Management Bodies: NIS2 places direct responsibilities on management bodies to approve and supervise the implementation of cybersecurity risk management measures. Members of these bodies must undergo regular training on cybersecurity risks and risk management practices.
• Enforcement: National authorities are granted enforcement powers, including suspension of an entity's authorization to operate, publishing noncompliance, imposing personal liability on management body members, and levying administrative fines of up to EUR 10 million or 2% of total worldwide turnover, whichever is higher.

Is NIS2 Applicable to Your Organization?

NIS2 follows a cap-size rule, encompassing all medium-sized and large entities within the specified sectors. Smaller entities with a high-risk profile may be identified by Member States.

However, NIS2 does not cover entities engaged in activities related to law enforcement, defence, national security, parliaments, central banks, or the judiciary.

Entities under the scope of NIS2 are categorized as “essential” and “important,” with each category covering specific sectors and activities. The European Commission's impact assessment estimates that approximately 110,000 companies across the EU fall within the scope of NIS2. When considering entities from non-EU countries closely linked to the EU's single digital market, this number will increase substantially.

How CDeX Can Help with NIS2 Implementation

NIS2 places significant emphasis on enhancing cyber training and exercises across the EU to improve cyber resilience. CDeX, with a fully automated cyber range and its expertise in cybersecurity training, stands ready to assist your organization.

We can help you understand the current cyber threat landscape, identify skill gaps, and regularly upskill your employees in cybersecurity. Whether it's utilizing our cyber range as a service or organizing tailored exercises and training, CDeX is your partner in preparing for NIS2 compliance.