What the EU NIS 2 Directive means for companies
The EU’s NIS 2 Directive is intended to raise cyber security in Europe to a new level. It tightens the security requirements for companies and extends the scope to additional sectors. In doing so, the EU is responding to the increased risks posed by cyber attacks and promoting greater harmonization of security requirements within the member states.
Introduction to the NIS 2 Directive
The EU Network and Information Security Directive, better known as NIS 2, is the successor to the first NIS Directive from 2016. It was developed to respond to the ever-increasing cybersecurity threats within the EU, which have been exacerbated in particular by increasing digitalization and the COVID-19 pandemic. The new NIS 2 Directive was adopted on January 16, 2023 and member states have until October 17, 2024 to transpose it into national law.
The main objectives of the NIS 2 Directive are to increase the security requirements in the EU, to optimize the reporting of security incidents and to harmonize the sanction regulations between the member states. This will be achieved by extending the scope of the Directive to other sectors and facilities. The Directive aims to commit all relevant actors, both public and private, to a high level of cybersecurity. This will achieve greater harmonization of security requirements within the EU to improve the protection of critical services and ensure greater resilience to cyber-attacks.
The NIS 2 Directive ensures that, even in an increasingly digitalized world, the EU is ready both technologically and in regulatory terms to meet the challenges of cybersecurity. At a time when threats from cybercriminals are becoming increasingly complex and aggressive, it is crucial to ensure a high level of security through clear guidelines and strict requirements. This applies not only to critical infrastructures, but also to a wide range of companies that provide essential services to society.
Why is NIS 2 necessary?
The NIS 2 Directive was created in response to the increasing threats to cyber security. COVID-19 and digitalization have increased dependence on digital infrastructures and thus also increased the risk of cyberattacks. Threats from ransomware and other cyberattacks have now reached an industrial level, making it necessary to harmonize and improve cybersecurity standards within the EU. Attacks on critical infrastructures and companies can have devastating effects and far-reaching consequences for society. Therefore, the adaptation and extension of the directive is an essential step to better counter these threats.
Another key element of the NIS 2 Directive is the strengthening of cyber security within supply chains. This means that not only critical infrastructures must be secured, but also their suppliers and service providers in order to minimize risks throughout the entire supply chain. This is particularly important as many companies work closely with partners and suppliers, creating potential security gaps that attackers could exploit. A stable and secure supply chain is crucial to minimize risks for all stakeholders involved and ensure that cybersecurity is considered comprehensively.
The NIS 2 Directive also aims to promote a culture of cybersecurity throughout the EU. This means not only the introduction of technical and organizational actions, but also the promotion of cooperation between EU member states. The establishment of national Computer Security Incident Response Teams (CSIRTs) and the designation of national authorities responsible for cybersecurity strategy and crisis management will help to create a strong security infrastructure. The CSIRTs are responsible for responding quickly to incidents and coordinating with other countries to minimize the impact of attacks and increase security.
The NIS 2 Directive also requires the creation of a Cooperation Group to support cooperation and information sharing between Member States. This group promotes strategic cooperation and ensures that the EU is able to adapt quickly to new threats. The exchange of information between Member States enables threats to be identified and countered more quickly and helps to create a common security basis. These measures will make the EU more resilient to attacks and better able to respond to cyber threats.
Key innovations of the NIS 2 Directive
Extended area of application
The original NIS Directive covered a number of critical sectors, including health, energy, transportation and digital infrastructure. The NIS 2 Directive extends this scope to 18 sectors, including public administration, research, space and the food supply chain. This extension is necessary as many of the sectors now considered critical were not previously adequately covered by legislation. The extended scope ensures that a wide range of critical infrastructure is protected, strengthening the resilience of European society.
New sectors covered also include areas such as waste management, space, the food supply chain and public postal service providers. These sectors are crucial to the daily lives and general well-being of citizens. The extension of the scope ensures that not only traditional critical infrastructures are protected, but also other services essential to public life. This is particularly important to ensure that cybersecurity measures are as comprehensive as possible and that all potential points of attack are covered.
Another important aspect of the NIS 2 Directive is the distinction between “essential” and “important” facilities. Essential entities are companies whose services are central to social life and whose failure could have serious consequences. Important entities are also of great importance, but the potential impact of a failure is less far-reaching. This distinction makes it possible to target resources where they are most urgently needed and to apply the highest security requirements to the areas most at risk.
New requirements for cyber security
The NIS 2 Directive provides for a number of new requirements, including:
- Risk management measures: Appropriate technical, organizational and operational steps must be taken to control the risks to networks and information systems. These measures include risk analysis, implementing security policies and ensuring backups and crisis management. Regular vulnerability analyses and penetration tests are also mandatory to ensure that potential points of attack can be detected and remedied at an early stage.
- Reporting obligations: In the event of incidents, an initial report must be made to the national authorities within 24 hours, followed by further updates within 72 hours. The aim is to identify threats more quickly and promote EU-wide cooperation in dealing with incidents. Companies must ensure that all security-relevant information is recorded and reported in detail so that the competent authorities have a comprehensive picture of the situation.
- Management liability: Management is held directly responsible for compliance with the NIS 2 requirements. Violations can result in high fines or, in extreme cases, even a temporary ban from performing management tasks. This is intended to ensure that company management takes cyber security seriously and proactively supports appropriate action. The personal liability of the management serves as an incentive to ensure that the necessary security measures are not only planned but also actually implemented.
- Certification and audit: Compliance with the requirements must be verified through regular audits or security audits. Although explicit certification is not prescribed, it may be required by national law. Audits are an essential tool for checking the implementation of cybersecurity measures and adjusting them if necessary. It is recommended to use security standards such as ISO/IEC 27001 to ensure that the security measures comply with internationally recognized best practices.
Penalties for non-compliance
The NIS 2 Directive provides for high penalties if the requirements are not met. Fines of up to 10 million euros or 2% of annual global turnover, whichever is higher, are provided for “essential entities”. For “important entities”, fines of up to 7 million euros or 1.4% of annual turnover are possible. These high penalties are designed to enforce compliance with security requirements and ensure that cybersecurity is considered a priority. In addition to financial penalties, personal liability and legal consequences can also arise for company management, particularly if serious breaches occur.
How Sophos helps with NIS 2 compliance
Sophos offers a variety of solutions to help you comply with the NIS 2 directive. These include, among others:
- Sophos Phish Threat: An employee training tool that performs simulated phishing attacks to increase workplace security. Continuous training enables employees to recognize phishing attacks and proactively protect themselves against them, which is one of the most effective measures against cyber threats.
- Sophos Managed Detection and Response (MDR): Around-the-clock monitoring of the security environment that detects and responds to incidents before they can have a negative impact. Sophos MDR combines advanced technologies with human expertise to ensure that threats are identified and neutralized in a timely manner.
- Sophos Firewall: Provides comprehensive network protection that is aligned with the requirements of the NIS 2 directive and enables threats to be detected and stopped at an early stage. The Sophos Firewall provides deep insight into network traffic and enables precise control of data flow to isolate potential threats.
- Sophos Cloud Optix: A tool that continuously monitors cloud environments and ensures that configuration standards are met to prevent tampering. With Sophos Cloud Optix, organizations can ensure that their cloud resources are always compliant with security best practices and that potential risks are identified in a timely manner.
- Sophos XDR (Extended Detection and Response): Enables analysts to detect, analyze and respond to threats across all major attack surfaces. Sophos XDR collects and correlates data from multiple sources and provides a comprehensive picture of an organization’s security posture, enabling rapid incident response.
Sophos solutions cover many of the requirements prescribed in the NIS 2 directive and help you to be as well prepared as possible for potential threats. With these comprehensive protection solutions, you can ensure that the necessary precautions to comply with the directive are implemented while strengthening the overall security posture of the organization.
More information can be found on the Sophos NIS 2 website.
What do you have to do?
To ensure compliance with the requirements of the NIS 2 Directive, a number of key measures should be taken:
- Analysis of the requirements: Determine whether your organization falls into the category of “essential” or “important” entity and assess which procedures are required to meet the requirements of the NIS 2 Directive. This analysis should be thorough and systematic in order to identify weaknesses and take the necessary steps to rectify them.
- Implementation of strategies: The necessary technical, organizational and operational steps must be implemented. This includes carrying out risk analyses, setting up security guidelines and implementing emergency management and regular employee training. Employee training is an important part of the security strategy, as the human element is often the greatest weakness.
- Use appropriate tools: Appropriate IT security solutions should be used, such as those from Sophos, to meet the requirements of the directive and ensure that the organization is protected. The tools used should be updated regularly and their effectiveness reviewed to ensure they can withstand the latest threats.
- Regular review and adaptation: The cyber security landscape is constantly changing, so it is important to carry out periodic reviews of security measures and adapt them if necessary. Companies should ensure that they are up to date with the latest technology and continuously improve their security strategies to stay one step ahead of new threats.
Last words
The NIS 2 Directive is an important step towards improving cyber security in Europe. The necessary precautions should now be taken to ensure that the new requirements are met and that the protection of networks and systems is improved. This is particularly important as threats in the digital space continue to grow and can only be effectively tackled through a collaborative and coordinated approach.
With the comprehensive support of solutions such as those from Sophos, you can meet this challenge and ensure that you are both compliant with the directive and strengthen your security. The implementation of the NIS 2 directive is an opportunity to review and improve your security architecture, not only to meet the legal requirements, but also to make your organization more resilient to cyber threats.