What is the NIS2 Directive?
The NIS2 Directive, or the Directive on Security of Network and Information Systems, is a European Union (EU) directive that aims to enhance the overall cybersecurity and resilience of network and information systems across various critical sectors. NIS stands for Network and Information Systems. The directive was initially adopted in 2016 and became effective in May 2018. Subsequently, in January 2023, EU member states officially approved a revision of the 2016 NIS Directive in response to the increased threat of cyberattacks.
The updated NIS2 Directive enhances security requirements, simplifies reporting obligations, and introduces stricter supervisory measures and enforcement requirements. The aim is to provide stronger defence for critical entities against supply chain vulnerabilities, ransomware attacks, and other cyber threats.
NIS2 entered into force on 16 January 2023, and Member States have 21 months, until 17 October 2024, to incorporate the NIS2 Directive into their national laws.
Who is affected?
NIS2 regulates sixteen sectors of operators (Entities) in the EU:
- Essential Entities: Large enterprises from 11 Annex I sectors.
- Important Entities: Medium enterprises from all 18 Annex I and Annex II sectors as well as large enterprises from Annex II.
The enterprise size definitions are:
- Micro enterprises: fewer than 10 employees and less than 2m EUR turnover/balance.
- Small enterprises: fewer than 50 employees and less than 10m EUR turnover/balance.
- Medium enterprises: fewer than 250 employees and an annual turnover below €50 million or a balance sheet below €43 million.
- Large enterprises: all the rest.
The new rules apply to medium and large companies across essential sectors such as energy, transport, banking, health, and digital infrastructure.
All medium and large businesses in postal services, waste management, chemicals, food manufacturing, medical devices, and digital platforms like online marketplaces and social networking services are included.
For the full list please refer to Annex I and II sectors.
Who is likely exempt from the NIS2 Directive?
With the definition of small and micro-enterprises in mind: they are generally exempt from the NIS2 Directive, provided that they meet specific criteria related to their size and scope of operation.
How will the NIS2 directive be enforced?
The new NIS Directive emphasises the central role of competent authorities in supervision and enforcement tasks, providing a unified framework for these activities across EU Member States. To enhance effective compliance, NIS2 outlines a minimum set of supervisory means, including:
- Regular audits.
- Targeted checks.
- Request for information.
- Access to documents.
The directive introduces differentiated supervisory regimes for essential and important entities, aiming for a balanced obligation framework. Recognising a historical reluctance in applying penalties for lapses in security measures or incident reporting, the directive establishes a consistent framework for sanctions across the EU. It defines a minimum list of administrative sanctions for breaches of cybersecurity risk management and reporting obligations outlined in the NIS2 Directive to promote effective enforcement.
What administrative sanctions are applicable under the NIS2 Directive?
The NIS2 Directive puts the following sanctions at the disposal of competent authorities:
- Directors and management can be held personally liable for failures in implementation.
- Regulators may suspend business operations if necessary for network security.
- Essential entities: maximum of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Important entities: maximum of at least €7,000,000 or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
What are the requirements of the NIS2 Directive?
The NIS2 Directive defines four major organisational requirements:
- Risk Management: To comply with the new Directive, organisations must take measures to minimise cyber risks. These measures include incident management, stronger supply chain security, enhanced network security, better access control, and encryption.
- Corporate Accountability: NIS2 requires corporate management to oversee, approve, and undergo training on the cybersecurity measures of the entity while addressing cyber risks. Violations may lead to penalties for management, involving liability and the potential imposition of a temporary ban from management roles.
- Reporting Obligations: Entities classified as essential and important are required to establish processes for the swift reporting of security incidents that significantly impact their service provision or recipients. NIS2 defines specific notification deadlines, including a 24-hour “early warning” period.
- Business Continuity: Organisations are obligated to strategize on ensuring business continuity in the event of major cyber incidents. This plan should encompass aspects such as system recovery, emergency procedures, and the establishment of a crisis response team.
It also mandates 10 baseline security measures:
- Security in supply chains involves managing the relationship between a company and its direct suppliers. Companies need to select security measures tailored to the vulnerabilities of each direct supplier. Subsequently, an assessment of the overall security level for all suppliers must be conducted.
- Risk assessments.
- Policies and procedures for the use of cryptography and encryption.
- Policies for handling and reporting vulnerabilities.
- Security procedures for employees with access to sensitive or important data.
- The use of multi-factor authentication.
- Policies and procedures for evaluating the effectiveness of security measures.
- A plan for handling security incidents.
- Cybersecurity training.
- A plan for managing business operations during and after a security incident.
How much time does my organisation need to become NIS2 compliant?
The standard NIS2 compliance process, encompassing security assessments, auditing, consulting, and tool implementation, typically spans around 12 months.
How can Bitsea help?
NIS2 establishes a set of requirements in the area of cybersecurity. One of the key areas in which every vendor should have clear visibility is the software supply chain. This includes the use of open source: every company must identify components, manage components, track security vulnerabilities and install patches.
In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials (SBOM).
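As an added illustration of the component-tracking step above (example code written for this page, not Bitsea's tooling), the following Python matches a constructed CycloneDX-style SBOM against a constructed advisory list and reports only findings that have not been notified before. Component names, versions and advisory IDs are placeholders, not real packages or CVEs.

```python
import json
from typing import Dict, List, Tuple

# Constructed, CycloneDX-style SBOM fragment (placeholder components, not a real project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "libbar", "version": "2.0.1", "purl": "pkg:generic/libbar@2.0.1"},
    {"type": "library", "name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not real CVEs).
# "fixed" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-PLACEHOLDER-2", "name": "libbar", "introduced": "2.0.0", "fixed": "2.0.1"},
    {"id": "ADV-PLACEHOLDER-3", "name": "libbaz", "introduced": "0.0.0", "fixed": "1.0.0"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple so 1.10.0 sorts after 1.9.0."""
    return tuple(int(p) for p in v.split("."))

def affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def match_sbom(sbom_json: str, advisories: List[dict]) -> Dict[str, List[str]]:
    """Map each SBOM purl to the advisory IDs whose affected range contains its version."""
    findings: Dict[str, List[str]] = {}
    for comp in json.loads(sbom_json)["components"]:
        hits = [a["id"] for a in advisories
                if a["name"] == comp["name"]
                and affected(comp["version"], a["introduced"], a["fixed"])]
        if hits:
            findings[comp["purl"]] = hits
    return findings

def new_findings(current: Dict[str, List[str]], already_notified: set) -> List[Tuple[str, str]]:
    """Return only (purl, advisory) pairs not yet notified, so repeated scans stay quiet."""
    return sorted((purl, adv) for purl, advs in current.items()
                  for adv in advs if (purl, adv) not in already_notified)

if __name__ == "__main__":
    for purl, adv in new_findings(match_sbom(SBOM_JSON, ADVISORIES), set()):
        print(f"NOTIFY: {purl} affected by {adv}")
```

Persisting the notified set between runs is what turns this from a one-off scan into the "notify on new vulnerability" workflow described above.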
Bitsea supports you in all aspects of open-source management so that you as a company are protected against a lack of compliance and against cyber attacks on the software supply chain. Bitsea has over a decade of experience in helping businesses understand their code and build SBOMs that are highly detailed and customised to their needs.
In addition, we:
- Identify security vulnerabilities in the SBOM.
- Manage the SBOM: notify you whenever a new security vulnerability is detected.
- Set up tool chains to automatically analyse new software for open source components.
- Manage FOSS data: which components are used in a software system.
- Support with ISO 5230 & ISO 18974, preparation for certification.