In-Depth Guide to the NIS 2 Directive: Enhancing EU Cybersecurity Standards

In 2022, according to the European Union Agency for Cybersecurity, the average cost of an IT incident was €200,000 in the EU. With a 150% annual increase in the number of cyber threats and approximately 280 ransomware attacks per month, these costs are expected to continue increasing. The ever-evolving cyber threat landscape requires stronger resilience and better risk awareness among EU organizations, resulting in the new EU cybersecurity law – the NIS2 Directive.

This post covers the NIS2 Directive requirements and their impact on the EU digital landscape. We’ll also explore how NAKIVO’s solution can help you protect your data in a NIS2-compliant environment.

Ensure Availability with NAKIVO

Meet strict requirements for service availability in virtual infrastructures. Achieve uptime objectives with robust DR orchestration and automation features.

What Is NIS2?

NIS2 is the EU Network and Information Security Directive No. 2022/2555, officially published in December 2022 and in effect since the beginning of 2023. NIS2 aims to standardize and enhance cybersecurity across the EU. The Directive replaces the previous NIS1 Directive, which came into effect in 2016.

Unlike directly applicable regulations such as the Digital Operational Resilience Act (DORA), which apply identically across all EU member states, directives must be transposed into national law by each member state individually. Member states have until October 2024 to adopt and publish all measures necessary for NIS2 compliance. After that date, organizations will be legally obligated to comply.

The Objectives of the NIS2 Directive

The NIS2 Directive seeks to improve current cybersecurity standards and establish a new benchmark for EU organizations’ resilience against digital threats.

The Directive focuses on four main aspects:

  • Strengthening digital security through new requirements for risk management, corporate accountability, and business continuity.
  • Reducing inconsistencies in cybersecurity across the EU by expanding the Directive’s scope and including more sectors.
  • Encouraging national and cross-border situational awareness and collaboration to address existing cyber incidents and new threats effectively.
  • Introducing standardized reporting obligations during incidents to improve transparency and facilitate coordinated response.

Key Differences Between the Original NIS Directive and NIS 2

Although NIS1 aimed to enhance the European Union’s cybersecurity and resilience, rapid digitalization and the evolving threats seen during and after the pandemic revealed its deficiencies, particularly the lack of specific requirements and uneven implementation across the EU.

The proposal for an updated NIS Directive was first published in 2020 and outlined the need for an expanded scope, higher cybersecurity standards, new requirements, and a more unified approach.

Compared to NIS1, the new directive:

  • significantly extends the initial scope by adding more sectors and introducing a new classification based on the organization’s role in the digital economy of a country
  • introduces stricter security and risk management requirements with a list of minimum security measures to implement
  • enforces business continuity planning in case of significant cyber incidents
  • requires stricter incident reporting
  • establishes non-compliance fines and stronger enforcement measures
  • enforces regulatory supervision, including onsite and offsite inspections, ad-hoc audits and security scans
  • holds management accountable for non-compliance and permits authorities to request that responsible managers be temporarily suspended from their duties
  • highlights supply chain security as a critical aspect of overall cybersecurity.

Expanded Scope of EU Cybersecurity Regulations

NIS2 more than doubles the scope of the initial NIS. It also replaces the previous distinction between “operators of essential services” and “digital service providers” with Essential and Important categories based on organization size and revenue thresholds.

Contrary to GDPR, NIS2 sets narrower criteria for organizations that fall into scope, as the Directive applies only to those that provide services or undertake activities in the EU. For example, if an international company has an EU subsidiary, only the subsidiary falls under NIS2. However, there’s a catch: because of the more demanding supply chain due diligence, companies outside the EU can still be affected.

Sectors and entities under the directive

The NIS2 scope is defined in Annex I (highly critical sectors, whose entities can be classified as either Essential or Important) and Annex II (sectors whose entities are classified as Important).

The NIS1 scope already included the majority of sectors specified in Annex I, such as:

  • Energy
  • Transport
  • Health
  • Drinking water
  • Financial market infrastructure
  • Banking
  • Digital infrastructure

New sectors that were added to the NIS2 Directive’s scope in Annex I are as follows:

  • Space
  • Wastewater
  • Information and communication technology (ICT) service management
  • Public administration

Depending on their type, size, and revenue, organizations that fall under Annex I can be classified as:

  • Essential, if their disruptions can result in severe consequences for the country:
    • Large companies with more than 250 employees or more than €50 mln annual revenue
    • Public administrations of central governments
    • Operators of essential services
    • Other companies that a member state selects
  • Important:
    • Companies with more than 50 employees or more than €10 mln annual revenue
    • Other companies that a member state selects

The same security requirements apply to both categories. However, Essential entities fall under proactive supervision, while Important entities are only supervised after an incident or a report of non-compliance. For Essential organizations, authorities can impose higher non-compliance fines and even temporarily ban individuals from exercising managerial duties.

Annex II adds more sectors, all of which fall under the Important category:

  • Postal and courier services
  • Food
  • Chemicals
  • Manufacturers
  • Digital providers
  • Waste management
  • Research
  • Domain name registration services

The Directive empowers member states to establish national lists of Important and Essential organizations regardless of the revenue and size thresholds, where an organization’s impact on the national economy is critical or where it is the sole provider of certain services. Each member state is expected to establish such a list by April 2025.

Obligations for small and medium enterprises (SMEs)

Most medium enterprises with 50 or more employees and an annual turnover of €10 million are considered Important or Essential, depending on the sector.

Smaller companies are out of scope unless they appear on the national list of Essential and Important entities or belong to one of these sectors:

  • Digital infrastructure
    • DNS service providers
    • Trust service providers
    • TLD name registries
    • Providers of public electronic communications networks and publicly available communication services
  • Public administration entities

Although compliance may require additional investments, the EU NIS2 principles of adequacy and proportionality help SMEs apply cybersecurity measures despite limited resources. For example, SMEs can focus on risk management and cybersecurity awareness by conducting regular personnel training.

Let’s explore the security measures in more detail below.

Cybersecurity Risk Management Under NIS 2

Risk management and security policies

Since the digital landscape is changing faster than laws can keep up, the NIS2 Directive mandates a “state of the art” approach, requiring organizations to adopt security measures that are adequate, proportionate, and economical given their specific needs and capabilities. When assessing the adequacy of security measures, organizations should consider their exposure to risks, the organization’s size, the likelihood and severity of security incidents, and implementation costs.

Organizations should implement the latest and most effective measures available at the time to prevent or minimize IT incidents and their impact on operations. However, the Directive does not oblige organizations to ensure cybersecurity at all costs; instead, it emphasizes continuous risk and security evaluation so that the measures in place remain “state of the art”.

The NIS2 cybersecurity requirements are centered around a risk-based (“all-hazards”) approach (Article 21) and encourage organizations to regularly assess the risks they are exposed to through security scans, risk analysis, regular penetration tests, patch management, and asset management.

Additionally, the Directive outlines ten baseline security measures that are compulsory for all:

  1. Policies on risk assessment and information security
  2. Incident handling (prevention, detection, and response)
  3. Business continuity plan with backup and disaster recovery plans, emergency procedures, crisis management, and an established crisis response team
  4. Supply chain security, risk analysis of direct suppliers and service providers, plan to mitigate suppliers’ vulnerabilities and other security-related aspects in relationships between the organization and its direct suppliers and service providers
  5. Cybersecurity training and cyber hygiene
  6. Evaluation of the effectiveness of implemented security measures
  7. Policies and procedures for cryptography and encryption
  8. The use of multi-factor or continuous authentication, secured communication with voice, video, and text encryption
  9. Policies and procedures for personnel security, data access, asset management
  10. Network and information system security, including procurement, development, and maintenance

Along with these measures, the EU NIS2 also encourages cooperation and information sharing to facilitate mutual awareness and collaboration on addressing new digital threats and improving overall EU resilience against cyberattacks.

Supply chain security

Since the former NIS Directive didn’t focus on supply chain security, NIS2 fills that gap. Preamble 85 emphasizes the importance of supply chain security given the prevalence of cyberattacks in which malicious actors exploit vulnerabilities in third-party tools and services to compromise the security of an organization’s networks and information systems.

The Directive requires organizations to evaluate the resilience, quality, and cybersecurity practices of their suppliers and service providers and to incorporate proper risk management measures into contractual agreements. Preamble 86 focuses specifically on incident response, penetration testing, security audits, and consulting.

This puts an additional burden on suppliers and service providers, including managed service and security service providers, that work with organizations targeted by NIS2. Providers are expected to improve their digital security and operational resilience, even if they’re out of the NIS2 scope.

Enhanced Cyber Incident Reporting Requirements

The new Directive enforces incident reporting and notification with specific deadlines in the case of a significant incident or cyberattack. NIS2 (Article 23) considers an incident “significant” if it can cause severe operational disruptions or financial losses for the organization, or result in significant material or non-material damage to other parties.

  • Within 24h. Organizations should notify the competent authorities or the Computer Security Incident Response Team (CSIRT) about the incident and specify whether it is suspected to be a cyberattack and whether it could have a cross-border impact.
  • Within 72h. Organizations should provide the initial assessment of the incident’s severity and impact.
  • Upon request. Competent authorities and the CSIRT can request organizations to provide an intermediary report on the status update.
  • Within 1 month after the incident notification. The final report should contain a detailed description of the incident, an assessment of its impact, the root cause that led to the incident, and the mitigation measures implemented. When handling the incident takes more than one month, the organization is expected to submit a progress report, followed by the final report once the incident is over.

Along with incident reporting, organizations also need to notify service recipients about the incident and possible measures that those recipients can take to mitigate the incident’s consequences.

NIS 2 Directive Compliance Challenges and Opportunities

Benefits of compliance

EU NIS2 compliance can help organizations strengthen cybersecurity and improve operational resilience against disruptions. This results in a better reputation and transparency of the organization, so compliance can offer competitive advantages.

Another apparent benefit of NIS2 compliance is the avoidance of fines for non-compliance. The Directive enforces the following penalties:

  • Essential organizations: at least €10 million or 2% of the total worldwide annual turnover, whichever is larger
  • Important organizations: at least €7 million or 1.4% of the total worldwide annual turnover, whichever is larger

Other enforcement measures include warnings, operation suspension, suspension of the organization’s certification or authorization, and suspension of those discharging managerial responsibilities.

Challenges and considerations

The biggest challenge of NIS2 is that it arrives at a time when organizations face more sophisticated and complex digital threats, which in turn call for more sophisticated and complex defensive strategies. For this reason, the NIS2 Directive significantly expands organizations’ cybersecurity responsibilities and introduces more rigorous measures.

New cybersecurity measures will require organizations to invest in technology and expertise, which can burden smaller organizations. According to the European Commission’s Impact Assessment Report, over the next 3 years organizations not previously covered by NIS1 will need to increase their information security investment by 22%, while organizations that are already NIS1 compliant will need 12% more.

Another challenge is the significant risk of non-compliance, which has high financial consequences for organizations. Essential entities will face both regular and ad hoc security audits ex-ante as a preventive measure.

The Impact of the NIS 2 Directive on the EU Digital Market

The NIS2 Directive becomes the main driving force for strengthening and harmonizing the level of cybersecurity across the EU. However, since the Directive needs to be transposed into national laws, cybersecurity standards and requirements will vary depending on the country.

NIS2 sets a higher standard for cybersecurity and contributes to better operational resilience of all sectors against digital threats. For the cybersecurity sector, the Directive opens a new market of solutions designed to help organizations with NIS2 compliance.

It’s worth mentioning that the EU finance sector is additionally covered by the Digital Operational Resilience Act (DORA). As a sector-specific regulation, the Act imposes the same requirements across all EU member states. Its requirements take precedence over NIS2 but don’t replace or compete with it. Thus, financial institutions are required to comply with both DORA and NIS2.

Preparing for NIS 2 Compliance

First, determine whether your organization falls within the NIS2 scope, or whether you provide managed services or other services to organizations that NIS2 regulates. You also need to determine which member state’s law applies to your organization, so that you know the exact requirements you should align with.

Conducting a gap analysis

Gain insight into your organization’s cybersecurity posture and risk exposure by conducting a gap analysis. Until the exact NIS2 requirements are set in your country, you can use international standards such as IEC 62443, the Cybersecurity Capability Maturity Model (C2M2), and the software and hardware cybersecurity requirements of the EU Cyber Resilience Act (CRA) as a reference for your assessment.

NIS2 is structured around three main categories, so consider them first when conducting a gap analysis:

  • Governance (Article 20). NIS2 places significant emphasis on management responsibility for compliance and overall cybersecurity, which may require reviewing the working culture and adopting behavioral changes in your organization.
  • Cybersecurity risk management measures (Article 21). The NIS2 requires organizations to assess and prepare for all possible hazards by implementing appropriate and proportionate technical, operational, and organizational measures.

    The Directive outlines ten minimal measures, including an incident response plan, risk assessment, supply chain security, effectiveness assessment of cybersecurity measures, secure communication, and regular personnel training.

  • Reporting (Article 23). Ensure transparent and timely post-incident reporting to align with the NIS2 requirements.
  • EU cybersecurity certification (Article 24). According to the NIS2, member states may require organizations to use EU-certified technology services and products.

Complementing Your Cybersecurity Strategy with NAKIVO

NAKIVO Backup & Replication is a robust solution for backup and disaster recovery. Its advanced functionality and cybersecurity features can help organizations protect their data while maintaining compliance with the NIS 2.

Here are some aspects of the NAKIVO solution mapped to NIS2 baseline measures to help you implement a cyber-resilient data protection strategy.

ICT security and data protection

  • Data resilience. With the NAKIVO solution, you can protect all your workloads on virtual and physical machines and in the cloud, as well as data in file shares and Microsoft 365 apps, via a centralized web-based dashboard. Easily follow the golden backup rule by storing data copies in multiple locations onsite and offsite (including NAS and deduplication devices, USB drives, and tape), in the public cloud, or on S3-compatible cloud platforms.
  • Data integrity. The solution supports application-aware mode and allows you to create consistent backups of workloads running applications and databases, including onsite Microsoft applications like Active Directory and Exchange Server, as well as Oracle DB. The support of Microsoft 365 apps and services enables you to easily back up Exchange Online mailboxes, Teams messages, SharePoint Online sites and OneDrive for Business data.
  • Protection against cyber threats like ransomware. With NAKIVO’s solution, you can follow the cybersecurity best practices to mitigate the risk of a successful cyber attack. You can make your backups immutable in the cloud, local folders or HYDRAstor devices to ensure that nobody can remove or change data within the specified period. You can also send backup copies to detachable offline storage like tape for air gapping, preventing cybercriminals from accessing data over the network.
  • Encryption. Protect your backup data by enabling AES 256-bit encryption. NAKIVO’s solution supports source-side encryption, meaning your data is secured both in transit and at rest.
  • Access control. Configure role-based access control to the solution, following the principle of least privilege.
  • Authentication. Enable multi-factor authentication for access to backup data and data protection activities. NAKIVO’s solution also supports MFA-enabled Microsoft 365 accounts, so you don’t need to weaken security within your Microsoft 365 infrastructure.

Incident detection, handling and response

  • Business continuity. The solution offers backup, replication, real-time replication, as well as 12 different recovery options to ensure that you can restore data in any scenario. Instantly verify that VM backups and replicas are recoverable and scan backups for malware to ensure a smooth and secure recovery.
  • Disaster recovery. In case of a disaster, you need just 1 click to trigger the sequence and failover to a replica located at the secondary site. The Site Recovery functionality enables you to create automated workflows to fail over and back in seconds while achieving all recovery objectives.
  • Real-Time Monitoring. With IT Monitoring for VMware, you can detect unusual and suspicious CPU, RAM and disk space consumption early, before they become a bigger problem.

Effectiveness assessment of security measures

  • Disaster Recovery testing. The NAKIVO solution enables you to run non-disruptive recovery testing to ensure your disaster recovery plan works and recovery objectives are met. During the testing, you can check networks and ensure that network mapping and re-IP settings are correct. You can also verify whether the disaster recovery sequences are effective or need changes. The testing doesn’t impact your production environment and can be run on schedule.

See the Solution in Action

Get a personalized demo of any feature to get started in no time. Our engineers are here to help and answer any questions you may have.
