What is NIS 2 Compliance?

NIS 2 Compliance refers to aligning with the European Union's Network and Information Systems Security Directive (NIS 2), designed to enhance cybersecurity for essential and important entities.

The original NIS Directive came into force in 2016. Its specific aim was to achieve a high common level of cybersecurity across the Member States. However, gaps in its implementation fragmented the rules across the states, which increased cyber risk.

To close these gaps, the Commission proposed a stronger directive that is firmer and more precise, and that extends its scope to more sectors. This is when the NIS 2 Directive was introduced.

Let us look at the difference between NIS and NIS 2

NIS: Adopted in 2016, focused on improving cybersecurity across the EU for essential services (e.g., energy, transport, banking).
NIS 2: Came into effect on 16 January 2023, with a broader scope and stricter security measures. EU member states must implement NIS 2 requirements into their national law by October 17, 2024.

NIS: The scope covered sectors like energy, transport, water, health, and digital infrastructure.
NIS 2: The scope is wider. It is expanded to include more sectors such as public administration and other infrastructure services like data center service providers, etc.

NIS: Imposed basic security requirements on operators of essential services and digital service providers.
NIS 2: Introduced more detailed and comprehensive cybersecurity requirements, including supply chain security.

NIS: Required incidents to be reported if they had a significant impact on the continuity of essential services.
NIS 2: Tightened incident reporting requirements, including stricter timelines and more detailed reporting obligations.

NIS: Implementation and enforcement varied significantly between EU member states.
NIS 2: Enhanced enforcement mechanisms with increased powers for national authorities.

NIS 2 aims to address shortcomings of the original NIS directive, ensuring a higher level of cybersecurity and more uniform implementation across the EU.

Why NIS 2 Compliance Matters

Ensuring NIS 2 compliance is essential for protecting critical infrastructure and maintaining operational continuity. Non-compliance can result in substantial fines and reputational damage. The directive states, "Non-compliant essential entities under NIS 2 can be fined up to 10 million euros or 2% of their annual revenue."

Understanding NIS 2 Chapters

Explore the specific provisions and requirements of NIS 2 by diving into its chapters:

Chapter 1

General Provisions

The directive applies to public and private organizations; NIS 2 applies to certain entities in the critical sector regardless of their size. These entities are classified as essential and important entities. However, under NIS 2, the cybersecurity measures for both essential and important entities are aligned, meaning they must follow the same baseline requirements. Important entities cover food, healthcare, etc.

According to NIS 2, if the cybersecurity management measures and incident notification obligations under a sector-specific Union law (an EU-wide Act) are aligned with the requirements under NIS 2, then the entities from that sector need only follow the cybersecurity management measures and incident notification obligations under that sector-specific Union law.

NIS 2 sets a standard baseline for all EU Member States. Member States may establish more stringent cybersecurity measures if required, provided they comply with the existing baseline requirements.

Chapter 2

Coordinated Cybersecurity Framework

Member States must designate one or more competent authorities that are responsible for cybersecurity and carry out supervisory tasks within their borders. Member States should also ensure that their competent authorities have adequate resources.

Computer Security Incident Response Teams (CSIRTs) play an important role in handling incidents, collecting information and communicating with organizations. They monitor threats, analyze incidents, and share real-time warnings and data with their network and authorities. The designated CSIRT coordinator acts as a trusted intermediary, facilitating the interaction between the legal person reporting a vulnerability and the OEM.

Chapter 3

Cooperation at Union and International level

This chapter focuses on strengthening cybersecurity by collaborating at national and international levels. The Cooperation Group facilitates information and strategy sharing between Member States.

The CSIRT network comprises the national CSIRTs and CERT-EU. They exchange information on CSIRTs' capabilities, vulnerabilities, incidents, and threats. To tackle cyber threats, the CSIRTs will establish new methods for operational cooperation, focusing on early warnings, support during cyberattacks, and threat response planning.

Chapter 4

Cybersecurity risk-management measures and Reporting Obligations

Essential and important entities must provide an early warning of significant incidents to the CSIRT or competent authority within 24 hours of becoming aware of the incident. Reporting proceeds in stages: early warning, incident notification, intermediate reports, and a final report.

Member States should ensure that essential and important entities implement appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems. These cybersecurity risk-management measures include policies on risk analysis, incident handling, business continuity, supply chain security, and secure system development. Other measures include assessing the effectiveness of cybersecurity risk-management measures, basic cyber hygiene practices, policies on the use of cryptography, human resources security, and multi-factor authentication.

Chapter 5

Jurisdiction and registration

This chapter covers rules on jurisdiction and registration procedures for essential and important entities.

It lists the criteria by which organizations determine which country supervises them. To keep track of these organizations, a registry of their information is collected and maintained by ENISA (the European Union Agency for Cybersecurity). The registry holds the organization's name, address, contact details, etc. Additionally, organizations providing domain name registration services and TLD registries should create a database of domain registration data. This database aims to enhance the reliability of the Domain Name System (DNS).

Chapter 6

Information Sharing

Organizations in the European Union shall share cybersecurity-related information among themselves. Member States are responsible for facilitating these exchanges. They determine the information shared, the ICT platforms and tools used, and the conditions of the arrangement. Organizations wishing to withdraw from an ongoing exchange should notify the competent authority of the relevant Member State.

The Directive encourages all organizations in the European Union to notify CSIRTs or competent authorities of cyber threats and attacks voluntarily.

Chapter 7

Supervision and Enforcement

The competent authorities of each country are responsible for ensuring that organizations comply with the NIS 2 Directive. On-site inspections, targeted security audits, and ad-hoc audits are the supervisory measures of competent authorities discussed in this chapter. For any violation of the Directive, administrative fines are imposed on organizations. Additionally, relevant authorities may seek assistance from the authorities of other states when supervising organizations operating across borders.

Chapter 8

Delegated and Implementing Acts

The European Commission, as the executive body of the European Union, ensures compliance with Union law across its Member States. Thus, the European Commission has the power to adopt delegated acts. This authority shall be exercised for a period of five years from 16 January 2023. According to this chapter, the European Parliament and the European Council may revoke the Commission's power at any time. The European Commission should adopt a delegated act as required under the Directive only if no objections are expressed by either the Parliament or the Council. It should also notify these bodies as soon as it adopts a delegated act.

Chapter 9

Final Provisions

EU Member States shall adopt and publish the measures needed to comply with the NIS 2 Directive and shall notify the European Commission of these measures by October 17, 2024. They shall apply these measures from October 18, 2024.

The European Commission will review the functioning of this Directive and report to the European Parliament and to the Council by October 2027, and every three years thereafter. This report includes an assessment of the relevance of the size of the entities concerned and of the sectors, sub-sectors, and types of entities referred to in this Directive for the functioning of the economy and society in relation to cybersecurity. It may also include reports of the Cooperation Group and the CSIRT network.
