
NIS 2 Directive

MD, AI and Cybersecurity

Directive (EU) 2022/2555, also known as NIS 2, was adopted to ensure a common high level of cybersecurity across the European Union, thus aiming to improve the functioning of the internal market. It puts in place a set of measures, including the obligation for Member States to adopt national cybersecurity strategies, designate competent authorities, and establish single points of contact and computer security incident response teams (CSIRTs). It also imposes risk management and reporting obligations on certain entities and sets out rules for sharing cybersecurity information.

The Directive applies to entities providing services or carrying out activities that are important from an economic point of view and covers a wide range of public and private entities operating in specific sectors. These sectors include energy, transport, banking, financial market infrastructure, healthcare, drinking water supply, digital infrastructure, and waste management.

The Directive establishes requirements for Member States to ensure that relevant entities take the necessary measures to manage risks that threaten the security of their networks and information systems. These measures must be appropriate and proportionate, based on a risk assessment and must include incident management policies and risk analyses.

CSIRTs play a crucial role under this directive, with the ability to monitor entity resources to manage risks and respond to incidents. International cooperation is also encouraged to strengthen cybersecurity beyond EU borders.

In sum, NIS 2 aims to consolidate the EU's cybersecurity posture by putting in place a more robust and harmonized framework for the protection of critical infrastructure, thereby ensuring a coherent and effective response to cyber threats across the Union.


What are the 10 differences between NIS 1 and NIS 2?

10 key points to compare the NIS 1 (EU 2016/1148) and NIS 2 (EU 2022/2555) Directives:

  • Expanded scope: NIS 2 covers more entities than NIS 1, including a wider range of essential sectors and activities, as well as "important entities" in addition to "essential entities".
  • Categorization of entities: NIS 2 introduces a clear distinction between “essential entities” and “important entities”, imposing differentiated risk management and incident reporting obligations.
  • Strengthened requirements: NIS 2 strengthens cybersecurity requirements for all relevant entities, requiring stricter technical and organizational measures to ensure the security of networks and information systems.
  • Incident reporting: NIS 2 further specifies incident reporting obligations, expanding the reporting criteria to include a wider range of incidents with significant impact.
  • Cooperation and information sharing: NIS 2 strengthens cooperation mechanisms between Member States and encourages the sharing of information on cybersecurity threats and incidents, aiming to improve the collective response to these threats.
  • National Cybersecurity Frameworks: NIS 2 requires Member States to establish comprehensive national frameworks for cybersecurity, including national strategies, the designation of competent authorities and the establishment of CSIRTs.
  • Supervision and enforcement measures: NIS 2 introduces more detailed frameworks for supervision and enforcement of cybersecurity obligations, with increased powers for competent authorities.
  • Supply Chain Security: NIS 2 emphasizes security throughout the supply chain and requires entities to manage risks related to their suppliers and service providers.
  • Inclusion of new sectors: NIS 2 expands the list of sectors considered essential, including sectors such as postal services, waste management and pharmaceutical manufacturing.
  • Sanctions: NIS 2 provides for higher administrative sanctions for non-compliance, with fines of up to €10 million or 2% of total global annual turnover.

These points illustrate the more inclusive and strengthened approach taken by the NIS 2 Directive to improve the resilience and security of networks and information systems across the European Union.


The ten key points of Directive (EU) 2022/2555, or NIS 2, are as follows:

  • Expanded objective and scope: NIS 2 aims to establish a common high level of cybersecurity within the EU by extending its scope to a larger number of sectors and entities, including providers of essential and important services.
  • Categorization of entities: Entities are classified into "essential entities" and "important entities", with specific cybersecurity obligations for each, to ensure an appropriate level of security and resilience.
  • Risk management obligations: Entities covered by the directive must take appropriate technical and organizational measures to manage risks to the security of their networks and information systems.
  • Incident notification obligations: Entities must promptly notify the competent authorities of incidents having a significant impact on the provision of their services.
  • Strengthening national and cross-border cooperation: The Directive encourages enhanced cooperation between Member States, notably through single contact points, CSIRTs (Computer Security Incident Response Teams) and a cooperation group.
  • National cybersecurity frameworks: Member States must adopt national cybersecurity strategies, designate competent authorities, and establish CSIRTs.
  • Supervision and enforcement: Introduction of frameworks for the supervision and enforcement of cybersecurity obligations, with clear powers and sanctions for competent authorities.
  • Supply chain security and supplier relationships: The directive highlights the importance of security throughout the supply chain and requires entities to address risks related to their suppliers and service providers.
  • Inclusion of new sectors: NIS 2 expands the list of sectors considered essential, including sectors such as postal services, waste, pharmaceutical manufacturing, and chemicals.
  • Crisis management and information sharing: The directive establishes frameworks for crisis management at national and EU level, promoting the sharing of information on threats and vulnerabilities to improve preparedness and response to incidents.

NIS 2 marks a significant step towards harmonizing and strengthening cybersecurity across the EU, recognizing the importance of digital security for the overall resilience of European societies and economies.

What about navigation within the NIS 2 PDF?

I don't know why, but there are no bookmarks by chapter and article in the NIS 2 Directive. Because I need to navigate within the document without wasting time, I edited the Directive by adding all the bookmarks... It's a gift; the link is at the end of the article... Otherwise you can use the consolidated version of December 27, 2022 (with minor typo corrections), but it is not available in French.

Which companies are targeted by the NIS 2 directive? Which sectors of activity?

The NIS 2 Directive targets a broader range of entities and sectors than its predecessor, recognizing the critical importance of cybersecurity across a broad spectrum of economic and societal activities. Here is an overview of the main types of companies and sectors of activity covered by this directive:


Essential and Important Entities

The Directive differentiates between essential entities and important entities, imposing specific obligations on each, depending on their impact on the internal market, public health, economic security or safety of the EU.


Highly Critical Sectors (Annex I)

Sectors deemed highly critical include, but are not limited to:

  • Energy (electricity, gas, oil)
  • Transport (air, rail, road, maritime)
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water supply and wastewater treatment
  • Digital infrastructure (IXP, DNS, TLD registries)
  • Public administration and space


Other Critical Sectors (Annex II)

This category includes sectors like:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing
  • Pharmaceutical manufacturing
  • Medical and health industry
  • Food production, processing, and distribution


Inclusion Criteria

The NIS 2 Directive (Directive (EU) 2022/2555) specifies the inclusion criteria to determine which entities are covered by its provisions. These criteria serve to identify essential and important entities that must comply with the cybersecurity requirements stipulated in the directive. Here is a summary of the key inclusion criteria:

  • Business Size: Unlike NIS 1, NIS 2 applies its requirements not only to essential service operators and digital service providers but also expands its scope to other types of entities, based on their size and importance. In general, the Directive targets medium and large enterprises, as defined in Commission Recommendation 2003/361/EC. Micro and small businesses may be excluded unless they provide certain types of specifically identified critical services.
  • Importance to the Economy and Society: Entities are considered essential or important depending on their role in the economy and society. This includes their importance in the provision of essential services in sectors such as energy, transport, health, drinking water supply, wastewater management, digital security, and other critical sectors identified in the annexes to the directive.
  • Potential Impact of an Incident: Entities may be included if an incident affecting their networks and information systems could have significant effects on the continuity of essential services, including impacts on public health, security, or the economy.
  • Role in the Supply Chain: The directive also takes into account the role of entities in the supply chain of essential services. Entities that are critical suppliers or service providers to critical infrastructure operators may be included due to their potential impact on supply chain security.
  • Specific Sectors and Types of Services: The annexes to the directive detail the specific sectors and types of services that are covered. This approach allows for the precise identification of entities falling within each critical sector, including those not covered by NIS 1, such as certain digital services, pharmaceutical manufacturing, and food production and distribution.

Note: According to Commission Recommendation 2003/361/EC, which defines SMEs, the size criteria for companies are as follows:

  • Micro businesses: those which employ fewer than 10 people and whose annual turnover or balance sheet total does not exceed 2 million euros.
  • Small businesses: those which employ fewer than 50 people and whose annual turnover or balance sheet total does not exceed 10 million euros.
  • Medium-sized companies: those which employ fewer than 250 people and whose annual turnover does not exceed 50 million euros or whose annual balance sheet total does not exceed 43 million euros.

The NIS 2 Directive, however, goes beyond these size definitions to consider the potential impact of a cybersecurity incident on essential services. Thus, even businesses that might normally be classified as micro or small businesses under the above criteria could be included within the scope of NIS 2 if they provide services considered essential or important for the maintenance of critical societal or economic functions.


Importantly, EU Member States have the ability to identify essential and important entities within their jurisdiction, which may involve a more nuanced analysis of the importance of the services provided, regardless of the size of the company. The directive also encourages Member States to consider certain small businesses as falling within its scope if they play a crucial role in the supply chain or in the provision of critical services.


In summary, the NIS 2 inclusion criteria aim to ensure that the Directive covers a wide range of entities that play a crucial role in maintaining the essential societal and economic functions of the EU, while taking into account their size, their strategic importance, and their potential impact on the security of networks and information systems within the Union.


What is planned for risk management?

The NIS 2 Directive advocates a proactive three-step approach to cybersecurity risk management, which encompasses the responsibility of essential and important entities for securing their networks and information systems. Here are the key steps:

  • Risk Identification and Analysis: Entities must carry out a systematic risk analysis to identify all potential incident risks. This analysis must take into account the human factor and the entity's dependence on networks and information systems, thus allowing an overall understanding of the security of their infrastructures. This is a crucial step that involves recognizing and assessing existing and potential vulnerabilities that could compromise the security of data and services.
  • Application of Risk Management Measures: After identifying risks, entities must apply appropriate risk management measures. These measures must cover prevention, detection of incidents, reaction to these incidents, recovery after incidents, and mitigation of their effects. Cybersecurity risk management must also encompass data security and consider the physical and environmental security of information systems, following relevant European and international standards, such as those in the ISO/IEC 27000 series.
  • Monitoring and Continuous Improvement: Entities must put in place policies and procedures to regularly evaluate the effectiveness of their cybersecurity risk management measures. This includes implementing basic cyber hygiene practices, cybersecurity training, use of cryptography, human resource management, access control policies, and asset management. Adopting multi-factor authentication solutions and evaluating the use of advanced technologies to strengthen cybersecurity are also part of this continuous improvement stage.

These three steps constitute a comprehensive and proactive approach to managing cybersecurity risks, consistent with the requirements of the NIS 2 Directive, and highlight the importance of a robust IT security culture within essential and important entities.


What is planned for incident reporting and monitoring?

Directive (EU) 2022/2555 provides a structured framework for the reporting and monitoring of cybersecurity incidents. Here are the key elements relating to these provisions:

Voluntary Notification of Relevant Information (Article 30)

  • Voluntary Notifications: Member States must ensure that notifications can be made voluntarily to CSIRTs or competent authorities by essential and important entities, as well as by other entities, regarding incidents, cyber threats, and near misses.
  • Processing of Notifications: Voluntary notifications are processed in accordance with the procedure set out in Article 23; mandatory notifications may be given priority over voluntary ones. Voluntary reporting does not create additional obligations for the notifying entity beyond those it would have had without notifying.


Supervision and Enforcement (Article 31)

  • Effective Supervision: Member States are responsible for ensuring effective supervision and taking necessary measures to ensure compliance with the Directive, with the possibility of setting risk-based supervision priorities.


CSIRTs and their Tasks (Article 10)

  • Designation of CSIRTs: Each Member State designates or establishes one or more CSIRTs, which must comply with specific requirements to effectively cover the sectors, sub-sectors, and types of entities specified in the directive.
  • Tasks of CSIRTs: Include monitoring and analysis of cyber threats, vulnerabilities, and incidents at the national level; activation of early warning mechanisms; incident response; and assisting relevant entities in monitoring their networks and information systems.


Cooperation (Article 14)

  • Cooperation Group: A cooperation group is established to facilitate strategic cooperation and the exchange of information between Member States, thereby strengthening trust and security at EU level.

These provisions show a commitment to a proactive and collaborative approach to cybersecurity within the EU, encouraging information sharing and responsiveness to cyber threats while respecting the confidentiality and security of shared information.


What sanctions are planned?

The NIS 2 Directive specifies the legal responsibility of managers of essential and important entities in matters of cybersecurity. The key points regarding the responsibility of members of management and possible sanctions are as follows:


  • Responsibility of managers: Member States must ensure that any natural person responsible for an essential entity, or acting as its legal representative, has the power to ensure the entity's compliance with the directive. These persons can be held liable for failures to comply with the directive.

  • Sanctions for entities: Specific sanctions for non-compliance include significant administrative fines.
    • For essential entities, fines can reach up to €10 million or 2% of the total global annual turnover of the previous financial year, whichever is greater.
    • For important entities, fines can be up to €7 million or 1.4% of total global annual turnover, whichever is greater.

  • Specific sanctions against managers: Member States may request competent bodies or courts, in accordance with national law, to temporarily prohibit any natural person exercising managerial responsibilities at the level of general manager or legal representative in the essential entity from exercising these managerial responsibilities. These sanctions apply until the entity concerned remedies the deficiencies or complies with the requirements of the competent authority. The implementation of such suspensions or prohibitions is subject to appropriate procedural safeguards.

  • Principle of proportionality and defence: When imposing sanctions, including measures against managers, competent authorities must respect the rights of the defence and take into account the specific circumstances of each case, including the seriousness of the violation, its duration, prior violations, damage caused, and whether the violation was wilful or negligent.

These elements clearly show that the NIS 2 Directive places particular emphasis on the responsibility of entities and their managers to guarantee a high level of security of networks and information systems within the EU, with sanction mechanisms to encourage compliance.


How to prepare for the NIS 2 Directive?

Preparing for the NIS 2 Directive (Directive (EU) 2022/2555) is crucial for essential and important entities to ensure compliance and strengthen cybersecurity across the European Union. Here is a ten-step plan to effectively prepare for NIS 2:

  • Applicability Assessment: Determine whether NIS 2 applies to your organization based on its size, industry, and whether it is considered an essential or important entity.
  • Understanding the obligations: Familiarize yourself with the requirements of the NIS 2 Directive, particularly in terms of risk management and incident reporting.
  • Adoption of an ISMS based on ISO 27001: Implement an Information Security Management System (ISMS) compliant with ISO 27001, which provides a framework for managing information security, including aspects such as risk assessment and incident management.
  • Risk analysis: Conduct a risk analysis to identify your organization's vulnerabilities to cyber threats, in line with the requirements of NIS 2 and the principles of ISO 27001.
  • Implementation of security measures: Develop and implement appropriate technical and organizational measures to manage identified risks, in accordance with the NIS 2 Directive and ISO 27001 best practices.
  • Training and Awareness: Provide training and raise awareness among your staff on information security practices, with an emphasis on roles and responsibilities related to NIS 2 and ISO 27001.
  • Incident reporting: Have procedures in place for the prompt reporting of security incidents to the appropriate authorities, in accordance with the requirements of NIS 2.
  • Review and continuous improvement: Integrate review and continuous improvement mechanisms into your ISMS, to remain compliant with NIS 2 and ISO 27001 over the long term.
  • Audit readiness: Prepare your organization for compliance audits, both for NIS 2 and ISO 27001 certification, by conducting regular internal audits.
  • Information sharing and cooperation: Engage in sharing threat information and best practices with other organizations and relevant authorities, as encouraged by NIS 2, to collectively improve cybersecurity within the EU.

These steps provide a structured approach to preparing for NIS 2, leveraging the principles of ISO 27001 to establish a robust risk management and information security framework.


Conclusion

The directive aims to harmonize security measures and incident reporting obligations across the EU, improve cooperation between member states, and increase the overall resilience of critical infrastructure to cyber threats. In summary, the NIS 2 Directive applies a more inclusive and detailed approach to cover a broad range of sectors and entities, recognizing the interconnected nature of the modern economy and the importance of cybersecurity to society as a whole.

Member States must adopt and publish the necessary measures to comply with the NIS 2 Directive by October 17, 2024, and begin applying these measures from October 18, 2024. This timeline sets a clear deadline for Member States to align their national laws and regulations with the requirements of the NIS 2 Directive.


NIS 2 Directive with bookmarks