5 Things to Know About NIS2

Given increased geopolitical tensions and economic uncertainty in Europe, cyber-attacks are top of mind for legislators. The Russia-Ukraine war has brought attention to the devastating impact malicious threat actors can impose on critical infrastructure.

In response, the new EU-wide cyber law, Directive 2022/2555(NIS2), was enacted on January 16, 2023. We believe this is only the beginning of a wave of new cybersecurity laws worldwide. In the United States, the SEC is currently finalizing two sets of cybersecurity rules proposed last year and issuing a new notice of proposed rule-making (NPRM) on cybersecurity risk disclosures and measures. We will publish more specific supporting information as it becomes available.

There has already been a great deal of literature on NIS2; here, we briefly summarize 5 important things to know about NIS2 and what you can do today to prepare for the new requirements.

5 things to know about NIS2

Firstly, it’s important to note EU member states will have until October 18, 2024, to transpose the new directive into their respective national laws. Once put into law, NIS2 will be more comprehensive than the previous NIS1 laws pertaining to EU entities and impose significant penalties for non-compliance. The directive focuses on strengthening and maintaining cybersecurity posture for essential and important organizations, which are both defined in the ruling.

You may be in scope for NIS2 even if you are a small organization

The directive focuses on improving cybersecurity for organizations that are either essential or important. These two business categories deliver goods and services necessary for social and economic activity. Sole providers of such activity can be placed in these categories even if they do not meet the financial thresholds. You can view the category classification in more detail here. Critical infrastructure owners and operators need to pay attention to NIS2 first and foremost due to the sensitive nature of their business. Interested in learning more about critical infrastructure cybersecurity improvement? Check out our 5-part blog series on cyber risk highlights in critical infrastructure.

The reporting obligations defined in NIS2 are much more detailed and time-sensitive

There are three required tiers of requires reporting if a cybersecurity breach occurs:

• 24 hours: an early warning to build awareness of the incident.
• 72 hours: an incident notification to provide more detail in the incident’s severity and impact.
• 1 month: a final report with a detailed description of the incident and the root cause.

Gaining a faster understanding of what happened means ensuring you have taken time to prepare for incident response. This includes creating established security policies for incident handling, containment, investigation, remediation, and recovery. To quickly measure the strength of your incident response plans, it’s imperative to use a cyber risk assessment framework.

Your executive team is responsible and can be held accountable for non-compliance

Penalties for non-compliance with measures in NIS2 can extend to management bodies. The directive does not define what a management body is, but it’s most likely to include the board of directors. Cybersecurity is not only a business risk but needs to be communicated in business terms to bridge the understanding gap.

Download our Board of Directors guide, now updated with guidance on proposed SEC regulations to create a more effective Board of Directors.

Regulatory bodies have more power and authority over your cyber-organization

Your cybersecurity organization will be under constant scrutiny. The directive permits on-site inspections, security audits, and even access to information to assess cybersecurity risk-management measures. You can’t sweep deficiencies under the rug or have subjective determinations for planning improvements.

The fines are very strict and consequential

NIS2 provides heavy penalties for non-compliance depending on which category your organization falls under:

• Essential entities: 10 million Euros or 2% of global turnover (whichever is higher)
• Important entities: 7 million Euros or 1.4% of global turnover (whichever is higher)

Once NIS2 is transposed into law for EU member states, the impact of a cyber event that may not disrupt your business can still be financially consequential.

Now’s the time to improve cybersecurity maturity and reporting

As EU member states start the process of NIS2 transposition, many details will change. But the goal of improving cybersecurity will stay the same. So, what can you do in the meantime? We suggest ensuring your organization uses an integrated risk management platform like Axio360.

The beauty of Axio360 is its flexibility to adapt and change with new cybersecurity directives. The platform is built to scale with an ever-evolving cybersecurity compliance landscape to allow measurement of your various controls and reporting to executive stakeholders regardless of compliance directives.

Want to learn more? Get started with our free tool.