Avanet

What the EU NIS 2 Directive means for businesses

The EU’s NIS 2 Directive aims to raise cybersecurity in Europe to a new level. It tightens security requirements for companies and extends the scope to additional sectors. In doing so, the EU is responding to increased cyberattack risks and promoting stronger harmonization of security requirements across member states.

Introduction to the NIS 2 Directive

The EU Directive on network and information security, better known as NIS 2 (Directive (EU) 2022/2555), is the successor to the first NIS Directive from 2016. It was developed in response to the growing cybersecurity threats within the EU, which were intensified in particular by increasing digitalization and the COVID-19 pandemic. The new NIS 2 Directive was adopted in December 2022, entered into force on January 16, 2023, and member states had until October 17, 2024, to transpose it into national law. Because it is a directive rather than a regulation, the concrete obligations that apply to a company are those of the national implementing law, which may go beyond the minimum set by the directive.

The main objectives of the NIS 2 Directive are to raise security requirements in the EU, improve incident reporting, and harmonize sanctions among member states. This is achieved by extending the directive’s scope to additional sectors and entities. The directive aims to require all relevant actors, both public and private, to maintain a high level of cybersecurity. This creates stronger harmonization of security requirements within the EU, improves the protection of critical services, and ensures greater resilience against cyberattacks.

The NIS 2 Directive helps ensure that the EU is technologically and regulatorily positioned to meet the challenges of cybersecurity in an increasingly digital world. At a time when threats from cybercriminals are becoming more complex and aggressive, clear requirements and strict obligations are crucial for maintaining a high level of security. This applies not only to critical infrastructure but also to a wide range of companies that provide essential services for society.

Why is NIS 2 necessary?

The NIS 2 Directive was developed in response to increasing cybersecurity threats. COVID-19 and digitalization have increased dependence on digital infrastructure and therefore also increased the risk of cyberattacks. Threats from ransomware and other cyberattacks have now reached an industrial scale, making it necessary to standardize and improve cybersecurity standards within the EU. Attacks on critical infrastructure and companies can have devastating effects and far-reaching consequences for society. Adapting and expanding the directive is therefore an essential step in countering these threats more effectively.

Another central element of the NIS 2 Directive is strengthening cybersecurity within supply chains. This means that not only critical infrastructure must be secured, but also its suppliers and service providers, in order to minimize risk across the entire supply chain. This is particularly important because many companies work closely with partners and suppliers, which can create potential security gaps attackers may exploit. A stable and secure supply chain is crucial for minimizing risk for all parties involved and ensuring that cybersecurity is considered comprehensively.

The NIS 2 Directive also aims to foster a culture of cybersecurity across the EU. This means not only introducing technical and organizational measures, but also promoting cooperation among EU member states. The establishment of national Computer Security Incident Response Teams (CSIRTs) and the designation of national authorities responsible for cybersecurity strategy and crisis management contribute to a strong security infrastructure. CSIRTs are responsible for rapid incident response and coordination with other countries to minimize the impact of attacks and increase security.

The NIS 2 Directive also requires the establishment of a cooperation group that supports collaboration and information exchange among member states. This group promotes strategic cooperation and helps ensure that the EU can adapt quickly to new threats. Information exchange among member states enables faster identification and response to threats and helps create a shared security foundation. Through these measures, the EU becomes more resilient to attacks and can respond better to cyber threats.

Key changes introduced by the NIS 2 Directive

Extended scope

The original NIS Directive covered a limited number of critical sectors, including healthcare, energy, transport, banking, and digital infrastructure. The NIS 2 Directive extends this scope to 18 sectors (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II), including public administration, research, space, and the food supply chain. Within these sectors, the directive generally applies to medium-sized and large enterprises (from 50 employees or an annual turnover or balance sheet of 10 million euros), although certain entities, such as providers of DNS services, TLD name registries, and qualified trust services, are covered regardless of their size. This extension is necessary because many sectors now considered critical were previously not adequately covered by legislation. The expanded scope ensures that a wide range of important infrastructure is protected, strengthening the resilience of European society.

Newly covered sectors also include areas such as waste management, wastewater, chemicals, manufacturing of certain critical products (for example medical devices and electronics), ICT service management, and providers of postal and courier services. These sectors are crucial for daily life and the general well-being of citizens. Extending the scope ensures that not only traditional critical infrastructure but also other services important to public life are protected. This is particularly important to ensure that cybersecurity measures are as comprehensive as possible and cover all potential attack vectors.

Another important aspect of the NIS 2 Directive is the distinction between “essential” and “important” entities. The classification follows mainly from sector and size: large enterprises in the high-criticality sectors of Annex I are generally essential entities, while medium-sized enterprises in those sectors and entities in the Annex II sectors are generally important entities, with some exceptions defined in the directive and in national law. Both categories must implement the same risk management measures and meet the same reporting obligations. The difference lies in supervision and sanctions: essential entities are subject to proactive supervision (for example regular audits and inspections) and higher maximum fines, whereas important entities are supervised reactively, typically after evidence of non-compliance. This distinction allows supervisory resources to be deployed where a failure would have the most far-reaching consequences.

New cybersecurity requirements

The NIS 2 Directive provides for a number of new requirements, including:

  1. Risk management measures: Organizations must take appropriate and proportionate technical, organizational, and operational steps to manage risks to networks and information systems. Article 21 of the directive lists a minimum set of measures, including risk analysis and information system security policies, incident handling, business continuity (backups, disaster recovery, and crisis management), supply chain security, security in the acquisition, development, and maintenance of systems (including vulnerability handling and disclosure), policies to assess the effectiveness of the measures, basic cyber hygiene and training, cryptography and encryption, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate. In practice, the requirement to assess effectiveness means regular vulnerability assessments and, for most entities, penetration tests, so that potential attack vectors can be identified and remediated early.
  2. Reporting obligations: Significant incidents must be reported to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month of the notification (or a progress report if the incident is still ongoing). The aim is to identify threats more quickly and promote EU-wide cooperation in incident handling. Companies must therefore ensure that security-relevant information is recorded and reported in sufficient detail for the responsible authorities to form a comprehensive situational picture, which presupposes working logging, detection, and escalation processes well before an incident occurs.
  3. Management liability: Management bodies must approve the risk management measures, oversee their implementation, and attend cybersecurity training, and they can be held liable for violations. Consequences include high fines for the entity and, in serious cases involving essential entities, a temporary ban on the responsible individuals exercising management functions. This is intended to ensure that company management takes cybersecurity seriously and proactively supports appropriate action. Personal liability for management serves as an incentive to ensure that the necessary security measures are not only planned but actually implemented.
  4. Certification and audit: Compliance with the requirements must be demonstrable, for example through regular security audits, which supervisory authorities can order. While the directive does not mandate certification, member states may require the use of certified ICT products, services, or processes under national law. Audits are an essential tool for reviewing the implementation of cybersecurity measures and adapting them where necessary. It is recommended to use security standards such as ISO/IEC 27001 to structure the measures and to document that they comply with internationally recognized best practices.

Penalties for non-compliance

The NIS 2 Directive provides for high penalties if the requirements are not met. For “essential entities,” fines of up to 10 million euros or 2% of total worldwide annual turnover are foreseen, whichever is higher. For “important entities,” fines of up to 7 million euros or 1.4% of total worldwide annual turnover are possible, again whichever is higher. National law sets the actual amounts within these maximums. These high penalties are designed to enforce compliance with security requirements and ensure that cybersecurity is treated as a priority. In addition to financial penalties, personal liability and legal consequences for company management may also arise, particularly in cases of serious violations.

How Sophos helps with NIS 2 compliance

Sophos offers a variety of solutions that support compliance with the NIS 2 Directive. These include:

  • Sophos Phish Threat: A tool for employee training that runs simulated phishing attacks to increase security awareness in the workplace. Through continuous training, employees are enabled to recognize phishing attacks and proactively protect themselves against them, which is one of the most effective measures against cyber threats (see the blog post on Sophos Phish Threat).
  • Sophos Managed Detection and Response (MDR): 24/7 monitoring of the security environment that detects incidents and responds before they can have a negative impact. Sophos MDR combines advanced technologies with human expertise to ensure that threats are identified and neutralized in time.
  • Sophos Firewall: Provides comprehensive network protection aligned with the requirements of the NIS 2 Directive and enables threats to be detected and stopped early. The Sophos Firewall offers deep insight into network traffic and enables precise control of data flows to isolate potential threats.
  • Sophos Cloud Optix: A tool that continuously monitors cloud environments and ensures that configuration standards are met to prevent tampering. With Sophos Cloud Optix, companies can ensure that their cloud resources consistently follow security best practices and that potential risks are identified in good time.
  • Sophos XDR (Extended Detection and Response): Enables analysts to detect, analyze, and respond to threats across all major attack surfaces. Sophos XDR collects and correlates data from various sources and provides a comprehensive picture of a company’s security posture, enabling rapid incident response.

Sophos solutions cover many of the requirements set out in the NIS 2 Directive and help organizations prepare as effectively as possible for potential threats. With these comprehensive protection solutions, companies can ensure that the necessary precautions for compliance with the directive are implemented while also strengthening their overall security posture.

More information can be found on the Sophos NIS-2 website.

What needs to be done?

To ensure compliance with the NIS 2 Directive, several key measures should be taken:

  1. Analyze the requirements: You must determine whether your company falls into the category of an “essential” or “important” entity and assess which processes are necessary to meet the requirements of the NIS 2 Directive. This analysis should be thorough and systematic in order to identify weaknesses and initiate the necessary remediation steps.
  2. Implement strategies: The required technical, organizational, and operational steps must be implemented. These include conducting risk analyses, establishing security policies, implementing emergency management, and regularly training employees. Employee training is an important part of the security strategy, as the human component is often the greatest weakness.
  3. Use suitable tools: You should use suitable IT security solutions, such as those from Sophos, to meet the directive’s requirements and ensure that the company is protected. Tools alone do not demonstrate compliance, so document which requirement each tool addresses and who is responsible for operating it. The tools used should be updated regularly and their effectiveness reviewed to ensure they can withstand the latest threats.
  4. Review and adapt regularly: The cybersecurity landscape is constantly changing, so it is important to conduct periodic reviews of security measures and adapt them where necessary. Companies should ensure that they stay up to date with the latest technology and continuously improve their security strategies to remain one step ahead of new threats.

Final words

The NIS 2 Directive represents an important step toward improving cybersecurity in Europe. Organizations should now take the necessary precautions to ensure that the new requirements are met and that the protection of networks and systems is improved. This is particularly important because threats in the digital space continue to increase and can only be effectively addressed through a coordinated, collective approach.

With comprehensive support from solutions such as those from Sophos, organizations can master this challenge and ensure that both the requirements of the directive are met and their own security is strengthened. Implementing the NIS 2 Directive is an opportunity to review and improve your own security architecture, not only to meet legal requirements but also to make the company as a whole more resilient to cyber threats.

Patrizio