The NIS2 Directive (Directive on Security of Network and Information Systems 2) is the legislative framework of the European Union designed to achieve a high common level of cybersecurity across the Union, addressing the limitations of the previous 2016 regulation. Its most significant components are outlined below:
1. Scope and classification of entities
The directive removes the previous distinction between operators of essential services and digital service providers. Instead, it adopts a size- and sector-based approach:
- General scope: Applies to all medium and large entities operating in critical sectors.
- Essential and important entities: Organizations are classified into these two categories based on their criticality and size. Essential entities (such as energy, banking, or healthcare) are subject to stricter ex-ante and ex-post supervision, while important entities are generally subject to reactive supervision.
- Critical sectors: Includes highly critical sectors (energy, transport, banking, healthcare, digital infrastructure) as well as others such as postal services, waste management, and manufacturing.
2. Governance and management accountability
One of the most significant changes is the direct involvement of top management:
- Approval and oversight: Management bodies must approve cybersecurity risk management measures and oversee their implementation.
- Direct accountability: Members of management bodies can be held liable for the entity's failure to comply with its cybersecurity risk management obligations.
- Mandatory training: Members of management bodies are required to follow regular training so that they can identify risks and assess cybersecurity risk management practices and their impact on the entity's services.
3. Risk management measures
Entities must implement technical, operational, and organizational measures proportionate to the risks faced. Minimum requirements include:
- Security policies: Policies on risk analysis and information system security.
- Business continuity: Backup management, disaster recovery, and crisis management.
- Supply chain security: Entities must assess the cybersecurity practices of their direct suppliers and service providers and incorporate security requirements into their contracts.
- Encryption and authentication: Use of cryptography and multi-factor authentication solutions.
4. Incident reporting obligations
The directive establishes a multi-stage reporting process for incidents with significant impact:
- Early warning: Within 24 hours of becoming aware of a significant incident.
- Incident notification: Within 72 hours, including an initial assessment of severity and impact.
- Final report: Within one month after the incident notification.
5. Supervision and administrative sanctions
To ensure compliance, the directive grants enforcement powers to national authorities and sets dissuasive fines:
- Fines for essential entities: Up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher.
- Fines for important entities: Up to €7,000,000 or 1.4% of total annual turnover.
- Additional measures: Authorities may temporarily suspend certifications or prohibit individuals from exercising managerial functions in cases of serious violations.
6. Cooperation and national strategy
Each Member State must adopt a national cybersecurity strategy and designate competent authorities, single points of contact, and Computer Security Incident Response Teams (CSIRTs). At the EU level, strategic cooperation is strengthened through the Cooperation Group and the CSIRT Network.